Core platform
Rate Limiting
Score: 7/10Essential and effective; the granularity you want costs more.
Last updated
Modern rate limiting rules are built into the WAF engine and share its expression language, which makes them dramatically better than the legacy per-request-billed product they replaced. Counting by IP works everywhere; counting by header, cookie, JA4, or query value needs higher plans.
For basic brute-force and abuse protection it’s a ten-minute setup that just works. The mitigation timeout options and the ability to count on one expression while mitigating on another cover most real-world shapes.
The point deductions are for plan-gating (the characteristics you actually want are Business/Enterprise) and for observability — validating what a rule would have caught before enforcing it is clunkier than it should be.