Configuring a Rate Limiter for Bot Protection

Configuring a Rate Limiter for Bot Protection

As more companies move their operations online, the threat of robotic or automated activities that mimic user activity—collectively known as bots—has grown significantly. These can execute damaging operations, like data scraping, form submission abuse, or user account takeovers. To help combat this, we offer a module called Bot Protection. This module detects bot activity and prevents it from accessing your data and resources.

An added feature of Bot Protection is the Rate Limiter. This feature lets you specify how many user requests can be sent to your protected resource and web application per second, which helps reduce the load on our network and your website. It rejects requests exceeding your set limit, preventing excessive bot activity.

How to Setup Bot Protection?

Here’s a guide on how to configure this feature:

  1. Navigate to Web Protection, and select the resource settings you want to protect.
  2. Open the Bot tab.
Bot protection settings illustration with setup steps highlighted
  1. Ensure the Bot Protection is set to either Low or High mode. If set to Off mode, you won’t be able to use or configure the Rate Limiter feature.
  2. Set the number of allowed requests to your protected resource per second; you can choose between 1 and 100,000.
  3. Set the number of allowed requests to a single URI of your web application per second; you can choose between 1 and 100,000.
  4. Optionally, you can create exceptions to the default settings by specifying rules for specific URIs. For instance, if you want to allow multiple requests from one IP address to a particular URI:
    • Click “Add Rule”.
    • Select the method of the request (POST, GET, PUT, PATCH, or DELETE)
    • Specify URI path. You can use an asterisk (*) wildcard, which includes all possible nesting.
    • Set the number of allowed requests between 1 and 100,000.
  5. Once you’ve configured your settings, click Save changes.

Note: For all rules you can also set the value to 0, which means there will be no restrictions on the number of requests.

After setting the Rate Limiter, any users or bots that try to send more requests than the specified limit will receive an HTTP 429 (Too Many Requests) response code, indicating that the Rate Limiter has blocked their activity.

How Many URI Rules Can I Have?

You can create as many rules for URI as allowed by your plan:

  • Trial plan: 1 rule
  • Start+ plan: 3 rules
  • Pro plan: 6 rules
  • Custom plan: 10 rules

You’ll receive an error message if you try to create more rules than your plan allows.


Through the Bot Protection feature, you can efficiently regulate the number of user requests, minimizing undue load and protecting your application from possible abuse or data breaches.

For more details, check out our step-by-step instructions.

Try bot protection today

Subscribe to our newsletter

Stay informed about the latest updates, news, and insights.