Skip to content
The Orange Cloud Report

Core platform

Rate Limiting

Score: 7/10

Essential and effective; the granularity you want costs more.

Last updated

Modern rate limiting rules are built into the WAF engine and share its expression language, which makes them dramatically better than the legacy per-request-billed product they replaced. Counting by IP works everywhere; counting by header, cookie, JA4, or query value needs higher plans.

For basic brute-force and abuse protection it’s a ten-minute setup that just works. The mitigation timeout options and the ability to count on one expression while mitigating on another cover most real-world shapes.

The point deductions are for plan-gating (the characteristics you actually want are Business/Enterprise) and for observability — validating what a rule would have caught before enforcing it is clunkier than it should be.