Phần 3: Bảo mật baseline Part 3: Baseline security · Bài 2/3 Lesson 2/3

Rate limiting cho login và form Rate limiting for login and forms

Giới hạn request theo IP hoặc cookie cho /login, /signup, OTP, search. Giảm credential stuffing và abuse. Limit requests per IP or cookie on /login, /signup, OTP, search. Reduces credential stuffing and abuse.

Các bước thực hiện Step-by-step

Security → WAF → Rate limiting rules: tạo rule cho /login, /signup. Security → WAF → Rate limiting rules: create rules for /login, /signup.
Đặt ngưỡng (ví dụ 10 req/phút/IP) và action Block hoặc Challenge. Set threshold (e.g. 10 req/min/IP) and Block or Challenge action.
Thêm rule cho API search/autocomplete nếu bị abuse. Add rules for API search/autocomplete if abused.
Monitor rate limit events sau deploy. Monitor rate limit events after deploy.

Giải thích chi tiết Detailed explanation

Rate limiting bảo vệ credential stuffing và brute force — bổ sung cho WAF signature-based rules. Rate limiting protects against credential stuffing and brute force — complementing signature-based WAF rules.

Lưu ý (best practices) Note (best practices)

Cách triển khai Managed Rules ở Account level cũng áp dụng cho Rate Limiting Rules — ưu tiên cấu hình Account thay vì lặp lại trên từng zone. The Account-level approach for Managed Rules also applies to Rate Limiting Rules — prefer Account-level configuration over repeating rules per zone.

Nguồn: Source: Streamlined WAF deployment across zones and applications Streamlined WAF deployment across zones and applications ↗

Ví dụ triển khai (Cloudflare Resources) Deployment examples (Cloudflare Resources)

Tutorial, solution guide và reference từ developers.cloudflare.com/resources ↗ — gợi ý theo chủ đề bài học. Tutorials, solution guides, and reference docs from developers.cloudflare.com/resources ↗ — matched to this lesson topic.