Bot Protection is a module that detects robotic or automated activity that mimics user behaviour in order to perform abusive operations such as scraping web content and API data, form submission abuse, account takeover of real users, and more. It drops such connections so that only real users interact with your resource.
Rate Limiter is an additional feature of Bot Protection that lets you configure restrictions on how many requests a user can send to your protected resource and web application. It reduces the load on our network and on your web application by rejecting requests that exceed the configured limit.
1. Go to the Web Security section and open the settings of the desired resource.
2. Open the Bot tab and follow the remaining steps.
3. Make sure that Bot Protection is set to Low or High mode. If it is set to Off, the Rate Limiter feature is inactive and its configuration is unavailable.
When Bot Protection is set to High, the testcookie function is available. It lets you check whether the HTTP client that sent the request can process cookies. If the client cannot process cookies, the request is considered robotic and is blocked.
Note: If you set Bot Protection to Low, the testcookie function will be unavailable.
The testcookie function is displayed as a slider in the “High” column of the control panel. You can turn testcookie on or off for specific URIs. When you make changes, don’t forget to save them.
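To make the testcookie idea concrete, here is a simplified model of the check described above. This is an added example, not Gcore's code, and it does not claim to reproduce how Gcore implements the check: the HMAC-bound cookie value, the redirect-and-retry flow, the `handle` and `run_client` names and the response codes used for "blocked" are all assumptions of this model. What it shows is the principle: the server hands the client a cookie and asks it to retry; a client that returns the cookie is treated as a real browser, while a client that never returns it is treated as robotic.

```python
"""Simplified model of a cookie-processing check (added example, not Gcore's code).

Assumed mechanics: on the first request the server sets a cookie whose value is
bound to the client IP with an HMAC and asks the client to retry.  A client that
sends the cookie back passes; a client that never does is treated as robotic.
"""
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment would use a managed key.
SERVER_SECRET = secrets.token_bytes(32)
COOKIE_NAME = "testcookie"
BLOCKED = 403  # assumed status code for "request considered robotic"


def expected_cookie(client_ip: str) -> str:
    """Cookie value bound to the client IP, so it cannot be reused from elsewhere."""
    return hmac.new(SERVER_SECRET, client_ip.encode(), hashlib.sha256).hexdigest()


def handle(request: dict) -> dict:
    """Server side: pass the request through if it carries a valid cookie,
    otherwise set the cookie and ask the client to retry (302)."""
    ip = request["ip"]
    presented = request.get("cookies", {}).get(COOKIE_NAME)
    if presented is not None and hmac.compare_digest(presented, expected_cookie(ip)):
        return {"status": 200}
    return {"status": 302, "set_cookie": (COOKIE_NAME, expected_cookie(ip))}


def run_client(client_ip: str, honours_cookies: bool, max_attempts: int = 2) -> int:
    """Client side: simulate a client that does or does not process cookies.
    Returns the final status the client ends up with."""
    jar: dict = {}
    for _ in range(max_attempts):
        response = handle({"ip": client_ip, "cookies": dict(jar)})
        if response["status"] == 200:
            return 200
        if honours_cookies:
            name, value = response["set_cookie"]
            jar[name] = value
        # a cookie-less client simply retries with an empty jar
    return BLOCKED


if __name__ == "__main__":
    print("browser-like client:", run_client("198.51.100.7", honours_cookies=True))
    print("cookie-less client: ", run_client("198.51.100.8", honours_cookies=False))
```

Binding the cookie to the client address with an HMAC keeps the server stateless: it does not need to remember which cookies it issued, only the secret, and a value copied from one client cannot satisfy the check for another.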
4. Enter the number of allowed requests to your protected resource, between 1 and 100,000 per second.
5. Enter the number of allowed requests to the URI of your web application, between 1 and 100,000 per second.
Note: You can also set either field to 0, which means that the number of requests is not restricted.
6. (Optional) You can create exceptions (rules) to the default settings for certain URIs. To create a rule, click Add Rule and specify how many requests can be sent from one IP address to a particular URI.
Note: Regular expressions are not supported in the URI. Only partial matching with an asterisk (*) is supported, and the asterisk covers all nested paths.
For example, if your website address is https://test.com and you create a rule for the URI api with a limit of 2 requests per second:
Rule: GET /api/* 2
the rule applies to all sub-URLs under /api/, such as https://test.com/api/books, https://test.com/api/author/123, https://test.com/api/logs, and so on.
The number of rules you can create depends on your plan:
| Tariff plan | Available number of rules |
|---|---|
| Trial | 1 |
| Start+ | 3 |
| Pro | 6 |
| Custom | 10 |
Note: If the number of created rules is greater than that allowed by your plan, you will receive an error: "Exceeded maximal amount of rate limiter rules: {amount}".
7. Save the changes.
After the Rate Limiter is configured, users or bots that send more requests than the set value receive an HTTP 429 (Too Many Requests) response code, indicating that the Rate Limiter has restricted the excess activity.
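The following is an added example, not Gcore's code, that models the behaviour described in steps 4 to 7: a default per-resource limit, per-URI rules in the page's `GET /api/* 2` form, the asterisk covering all nested paths, `0` meaning unrestricted, per-IP counting, and an HTTP 429 for requests over the limit. The one-second sliding window, the `Rule`, `parse_rule`, `rule_matches` and `RateLimiter` names, and the choice to count the default limit per client IP as well are assumptions of this model.

```python
"""Model of the Rate Limiter semantics described on this page (added example, not Gcore's code).

Assumptions: limits are enforced per client IP over a one-second sliding window;
rejected requests do not consume budget; rules are tried in order and the first
match wins; the default limit also counts per IP.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    method: str     # e.g. "GET"
    prefix: str     # URI, with a trailing '*' removed when present
    wildcard: bool  # True when the URI ended with '*'
    limit: int      # requests per second from one IP; 0 means unrestricted


def parse_rule(line: str) -> Rule:
    """Parse a rule in the page's form, e.g. 'GET /api/* 2'."""
    method, uri, limit = line.split()
    wildcard = uri.endswith("*")
    prefix = uri[:-1] if wildcard else uri
    return Rule(method.upper(), prefix, wildcard, int(limit))


def rule_matches(rule: Rule, method: str, path: str) -> bool:
    """Partial match: '/api/*' covers /api/books, /api/author/123 and deeper nesting.
    Without an asterisk the URI must match exactly."""
    if rule.method != method.upper():
        return False
    if rule.wildcard:
        return path.startswith(rule.prefix)
    return path == rule.prefix


class RateLimiter:
    def __init__(self, default_limit: int, rules: list[str]):
        self.default_limit = default_limit          # 0 means unrestricted
        self.rules = [parse_rule(r) for r in rules]
        # (client ip, matched rule or '*') -> timestamps of accepted requests
        self._hits: dict = defaultdict(deque)

    def _limit_for(self, method: str, path: str) -> tuple[int, str]:
        for rule in self.rules:
            if rule_matches(rule, method, path):
                return rule.limit, rule.prefix
        return self.default_limit, "*"

    def check(self, ip: str, method: str, path: str, now: float) -> int:
        """Return 200 if the request is within budget, 429 if it exceeds the limit."""
        limit, bucket = self._limit_for(method, path)
        if limit == 0:
            return 200
        window = self._hits[(ip, bucket)]
        while window and now - window[0] >= 1.0:   # drop hits older than one second
            window.popleft()
        if len(window) >= limit:
            return 429
        window.append(now)
        return 200


if __name__ == "__main__":
    limiter = RateLimiter(default_limit=0, rules=["GET /api/* 2"])
    # constructed request stream from one client IP
    for t, path in [(10.0, "/api/books"), (10.2, "/api/author/123"), (10.4, "/api/logs")]:
        print(t, path, limiter.check("198.51.100.7", "GET", path, t))
```

With the page's example rule, the third request from the same IP within one second to any path under `/api/` is answered with 429, while requests to paths the rule does not cover fall back to the default limit.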