Rate Limiting
Overview
The WAF uses dynamic rate limiting to control how many requests a single client can make to your site. Rather than applying one rate limit to every request, it looks at the context of each request (the HTTP method, the destination path, and the request pattern) and picks a limit appropriate to what that request is trying to do.
How Dynamic Rate Limiting Works
The WAF distinguishes between different types of traffic and applies different rate limits accordingly:
Normal Traffic (Higher Limits)
Read-only requests to public content receive more generous rate limits:
- GET requests to marketing pages, blog posts, product listings
- GET requests for static assets (images, CSS, JavaScript)
- GET requests to public API endpoints with read-only data
Sensitive Operations (Stricter Limits)
Requests targeting security-critical endpoints receive stricter limits:
- POST requests to login and authentication endpoints
- POST requests to admin panel and dashboard actions
- POST requests for password reset and account recovery
This context-aware approach reduces false positives — legitimate visitors browsing your site are unlikely to be rate limited, while automated attacks targeting login pages are caught quickly.
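To make the two-tier idea concrete, here is a small reference implementation written for this page (not the WAF's own code). It classifies each request by method and path into a "normal" or "sensitive" tier and gives each client a separate token bucket per tier. The path prefixes, bucket sizes and refill rates are illustrative assumptions, not the WAF's real limits, and the simulated traffic at the bottom is constructed.

```python
import time

# Illustrative policy: (burst capacity, sustained requests/second) per tier.
# These numbers are assumptions for the example, not the WAF's real limits.
POLICY = {
    "normal":    {"capacity": 60, "refill_per_sec": 1.0},
    "sensitive": {"capacity": 5,  "refill_per_sec": 0.1},
}

# Assumed set of security-critical path prefixes. The page names login, admin
# and password-reset endpoints; the exact paths below are ours.
SENSITIVE_PREFIXES = ("/login", "/auth/", "/admin/", "/password-reset", "/account/recover")
STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def classify(method, path):
    """Return the rate-limit tier for a request.

    Only state-changing requests to security-critical paths are 'sensitive';
    a GET of /login (fetching the form) is ordinary browsing and stays 'normal'.
    """
    if method.upper() in STATE_CHANGING and path.startswith(SENSITIVE_PREFIXES):
        return "sensitive"
    return "normal"


class TokenBucket:
    """Classic token bucket: refills continuously, each request costs one token."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DynamicRateLimiter:
    """Keeps one bucket per (client IP, tier), so a burst of page views never
    drains the (much smaller) budget for login attempts, and vice versa."""

    def __init__(self, policy=POLICY, clock=time.monotonic):
        self.policy = policy
        self.clock = clock
        self.buckets = {}

    def check(self, client_ip, method, path):
        """Return (status, tier): 200 if the request is allowed, 429 if limited."""
        tier = classify(method, path)
        now = self.clock()
        key = (client_ip, tier)
        bucket = self.buckets.get(key)
        if bucket is None:
            p = self.policy[tier]
            bucket = self.buckets[key] = TokenBucket(p["capacity"], p["refill_per_sec"], now)
        return (200 if bucket.try_consume(now) else 429), tier


def simulate():
    """Constructed traffic: a visitor reading blog posts and a bot hammering
    POST /login, each sending 20 requests within one second. Returns the
    number of 429s each client receives."""
    fake_now = [1000.0]
    limiter = DynamicRateLimiter(clock=lambda: fake_now[0])
    results = {"visitor": 0, "bot": 0}
    for i in range(20):
        fake_now[0] += 0.05  # 50 ms between requests
        if limiter.check("203.0.113.10", "GET", f"/blog/post-{i}")[0] == 429:
            results["visitor"] += 1
        if limiter.check("198.51.100.7", "POST", "/login")[0] == 429:
            results["bot"] += 1
    return results


if __name__ == "__main__":
    print(simulate())  # the visitor is never limited; the bot gets 15 of 20 blocked
```

The bot is allowed exactly its burst capacity of five login attempts and then refused, while the visitor, whose requests fall in the generous "normal" tier, is never touched. Keying buckets by (IP, tier) rather than by IP alone is what lets the same limiter be both lenient for browsing and strict for authentication.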
Rate Limiting Modes
You can configure the rate limiting mode from your WAF dashboard under Rate Limiting.
Standard Mode (Recommended)
Best for most applications. Standard mode provides:
- Balanced protection for typical web applications
- Good handling of high-traffic marketing sites and APIs
- Smooth handling of traffic spikes and bursty webhooks
- Low chance of blocking legitimate traffic
Aggressive Mode
Best for sensitive applications or during active attacks. Aggressive mode provides:
- Stricter limits on all request types
- Better protection for financial, healthcare, or sensitive data applications
- Recommended during active attacks or security incidents
- Higher chance of blocking legitimate traffic, especially bursty webhooks and traffic spikes
Attack Signature Detection (Always On)
Regardless of which rate limiting mode you choose, any request containing known attack patterns is immediately blocked. This includes SQL injection, XSS, path traversal, and other common attack vectors. Even a single malicious request will be stopped before reaching your application.
Always-On Protections
These security features are active at all times, independent of the rate limiting mode:
- Attack Pattern Blocking — SQL injection, XSS, and other OWASP Top 10 attacks are blocked instantly
- Bot Detection — Automated scanners and malicious bots are identified and blocked
- DDoS Protection — Layer 7 flood attacks are mitigated at the edge
- Brute Force Prevention — Repeated failed authentication attempts trigger automatic blocking
Troubleshooting 429 Errors
If you or your users are seeing 429 (Too Many Requests) errors, the rate limiter has temporarily blocked further requests from that client's IP address.
For Human Visitors
429 errors for regular visitors are uncommon. If a legitimate user reports being blocked:
- Check if they are behind a shared IP (corporate network, VPN) that might have multiple users appearing as one
- Consider switching from Aggressive to Standard mode if the errors are frequent
- The block is temporary — waiting a few minutes usually resolves it
For API Clients and Automated Tools
Automated traffic is more likely to hit rate limits. To resolve:
- Add the client IP to your allowlist — Allowlisted IPs bypass rate limiting. Navigate to IP Management > Allowlist in your WAF dashboard.
- Allowlist the API path — Use path allowlisting to exempt specific API endpoints from WAF rules entirely. Because an allowlisted path bypasses attack signature detection as well as rate limiting, keep the pattern as narrow as possible and prefer IP allowlisting when the client's address is stable.
- Implement backoff — Have your API client respect 429 responses and retry with exponential backoff.
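The following retry wrapper, added for this page rather than taken from the WAF or any client library, shows what "respect 429 responses" looks like in practice. It honours a numeric Retry-After header when one is present (an assumption; the page does not say whether the WAF sends one) and otherwise waits an exponentially growing, jittered delay so that many clients retrying at once do not re-trigger the limit together. The `send` callable, the fake server in `simulate()` and its responses are constructed for the example.

```python
import random
import time


class RateLimited(Exception):
    """Raised when the server still answers 429 after max_attempts."""


def backoff_delay(headers, attempt, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait before retry number `attempt` (0-based) after a 429.

    A numeric Retry-After header wins (assumed; the WAF is not documented as
    sending one). Otherwise use exponential backoff with full jitter:
    a random fraction of min(cap, base * 2**attempt). HTTP-date forms of
    Retry-After are not parsed here and fall through to the backoff path.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    retry_after = lowered.get("retry-after")
    if retry_after is not None and str(retry_after).strip().isdigit():
        return min(cap, float(retry_after))
    return rng() * min(cap, base * (2 ** attempt))


def request_with_backoff(send, max_attempts=6, sleep=time.sleep, **delay_opts):
    """Call send() until it returns a non-429 status or attempts run out.

    send() is any zero-argument callable returning (status, headers, body);
    wrap your real HTTP client call in it. Returns (status, body, delays),
    where delays lists how long the client waited before each retry.
    """
    delays = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body, delays
        delay = backoff_delay(headers, attempt, **delay_opts)
        delays.append(delay)
        sleep(delay)
    raise RateLimited(f"still rate limited after {max_attempts} attempts")


def simulate():
    """Constructed server: two 429s (the first carrying Retry-After: 5),
    then a 200. Sleeps are recorded instead of performed, and the jitter
    source is pinned to 1.0 so the delays are deterministic."""
    responses = iter([
        (429, {"Retry-After": "5"}, ""),
        (429, {}, ""),
        (200, {"Content-Type": "application/json"}, '{"ok": true}'),
    ])
    slept = []
    status, body, delays = request_with_backoff(
        lambda: next(responses), sleep=slept.append, rng=lambda: 1.0)
    return status, body, delays, slept


if __name__ == "__main__":
    print(simulate())  # (200, '{"ok": true}', [5.0, 2.0], [5.0, 2.0])
```

The first wait follows the server's Retry-After hint, the second falls back to the 2**attempt schedule (capped at 60 s), and the call returns as soon as a non-429 response arrives. Retrying forever would just keep the client blocked, so the loop gives up after `max_attempts` and raises, leaving the caller to decide whether to alert or queue the work.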
For Webhooks
Webhook providers (Stripe, GitHub, etc.) may send bursts of requests that trigger rate limiting:
- Allowlist the webhook provider's IP ranges if they publish them
- Allowlist the webhook path (e.g., /api/webhooks/stripe) using path allowlisting
- Switch to Standard mode if you are on Aggressive mode
Once a webhook path is allowlisted, the WAF no longer inspects requests to it, so make sure your handler verifies the provider's webhook signature before acting on the payload.
Need Help?
If you need help configuring rate limiting or resolving 429 errors:
- Contact us at support@expeditedsecurity.com
- Book a Call at https://app.harmonizely.com/expedited/30-min