Rate limiting and API abuse protection
Lab 6 demonstrates how Cloudflare can protect a login or API endpoint from abusive request patterns by enforcing request thresholds at the edge.
Scenario
A customer has a login endpoint or API endpoint being abused. The customer needs a way to slow down or block excessive requests before they reach the application.
Objective
Protect /api/login using Cloudflare Rate Limiting Rules. The goal is to define a request threshold, apply an enforcement action when that threshold is exceeded, and validate that abusive request bursts are controlled at Cloudflare's edge.
Outcomes
- Created a rate limiting rule for the login API path.
- Matched requests where the URI path equals /api/login.
- Defined a threshold of repeated requests over a short time window.
- Applied an enforcement action such as Managed Challenge or Block.
- Validated the rule by repeatedly calling the endpoint with curl.
- Confirmed that normal traffic remains available while abusive bursts are controlled.
Environment / Build
- Zone: ybarra-cflab.com
- Protected hostname: www.ybarra-cflab.com
- Protected endpoint: /api/login
- Cloudflare product area: Security → WAF → Rate limiting rules
- Rule name: Protect login API
- Expression: (http.request.uri.path eq "/api/login")
- Example threshold: 5 requests per 10 seconds
- Example action: Managed Challenge or Block
Demonstrable Content
Validate the login API protection by sending repeated requests:
for i in {1..10}; do curl -I https://www.ybarra-cflab.com/api/login; done
Expected behavior:
- Initial requests may return the normal endpoint response.
- Once the threshold is exceeded, Cloudflare enforces the configured action.
- The response may show a challenge or block depending on the selected action.
- Requests that triggered the rule should be visible in Cloudflare security or rate limiting events where available.
Validate normal traffic remains available:
curl -I https://www.ybarra-cflab.com/
What Was Completed
- Created a Cloudflare Rate Limiting Rule named Protect login API.
- Scoped the rule to /api/login instead of applying it broadly across the site.
- Configured a request threshold for repeated access attempts.
- Selected an enforcement action appropriate for API abuse protection.
- Validated the behavior with repeated curl requests.
- Confirmed that rate limiting protects the endpoint without changing application code.
Lab 6 Technical Summary
Lab 6 implemented rate limiting for the /api/login endpoint using Cloudflare's edge security controls. The rule matches requests where the URI path equals /api/login, then tracks repeated requests against a configured threshold. When the threshold is exceeded, Cloudflare applies the selected action, such as Managed Challenge or Block, before the traffic reaches the application. This demonstrates how Cloudflare can reduce brute-force login attempts, credential stuffing patterns, and API abuse without requiring changes to the origin application.
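The following simulation is an added example, not Cloudflare's own implementation or any code from the lab. It models the rule above (match on path eq "/api/login", 5 requests per 10 seconds, action Managed Challenge) as a per-client fixed window and runs it over a constructed request sample that mirrors the curl burst used for validation. Counting per client IP and the fixed-window behaviour are assumptions; Cloudflare's actual counting may differ in detail, but the shape of the result (first five login requests pass, the rest are challenged, unrelated paths are never counted) is what the lab validated.

```python
"""Fixed-window rate-limit simulation of the Lab 6 rule (added illustration).

Not Cloudflare's implementation. It approximates the rule
(http.request.uri.path eq "/api/login"), 5 requests per 10 seconds,
action Managed Challenge, with a per-client-IP fixed window (assumed).
"""
from collections import defaultdict
from dataclasses import dataclass

PROTECTED_PATH = "/api/login"   # from the lab's rule expression
THRESHOLD = 5                   # requests allowed per window (from the lab)
WINDOW_SECONDS = 10             # window length in seconds (from the lab)
ACTION = "managed_challenge"    # enforcement action selected in the lab


@dataclass(frozen=True)
class Request:
    ts: float        # seconds since the start of the capture
    client_ip: str   # counting characteristic (assumed: per source IP)
    path: str


def matches_rule(req):
    """Equivalent of the expression (http.request.uri.path eq "/api/login")."""
    return req.path == PROTECTED_PATH


def evaluate(requests, threshold=THRESHOLD, window=WINDOW_SECONDS, action=ACTION):
    """Return a list of (request, decision) pairs in time order.

    Decision is "allow" or the configured action. Matching requests are
    counted per (client_ip, fixed window index); once a client exceeds the
    threshold inside a window, its remaining matching requests in that window
    receive the action. Non-matching requests are never counted.
    """
    counts = defaultdict(int)   # (client_ip, window_index) -> matching requests seen
    decisions = []
    for req in sorted(requests, key=lambda r: r.ts):
        if not matches_rule(req):
            decisions.append((req, "allow"))
            continue
        key = (req.client_ip, int(req.ts // window))
        counts[key] += 1
        decisions.append((req, "allow" if counts[key] <= threshold else action))
    return decisions


def summarize(decisions):
    """Per-path tally of decisions, the view a validation run gives you."""
    tally = defaultdict(lambda: defaultdict(int))
    for req, verdict in decisions:
        tally[req.path][verdict] += 1
    return {path: dict(v) for path, v in tally.items()}


# Constructed sample (not captured traffic): one client sends 10 login
# requests in under 4 seconds, like the curl loop in the lab, plus three
# requests to / from the same client and one login from a second client.
SAMPLE = (
    [Request(ts=0.4 * i, client_ip="203.0.113.10", path="/api/login") for i in range(10)]
    + [Request(ts=0.5 * i, client_ip="203.0.113.10", path="/") for i in range(3)]
    + [Request(ts=2.0, client_ip="198.51.100.7", path="/api/login")]
)

if __name__ == "__main__":
    for req, verdict in evaluate(SAMPLE):
        print(f"t={req.ts:4.1f}s {req.client_ip:14} {req.path:12} -> {verdict}")
    print(summarize(evaluate(SAMPLE)))
```

Running the block prints the per-request decisions and a per-path tally: the burst client's first five login requests are allowed and the next five receive managed_challenge, its requests to / are all allowed, and the second client's single login request is unaffected. A login request from the burst client after the 10-second window has elapsed is allowed again, which is the same "normal traffic stays available" property the lab checks with a plain curl against the site root.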
Lab 6 Customer-Facing Summary
We protected the login API from excessive repeated requests by adding a Cloudflare rate limiting rule. This helps reduce abusive traffic, brute-force attempts, and unnecessary load on the application. The customer benefits because Cloudflare can enforce the control at the edge, closer to the attacker, without requiring an immediate application code change.