Edge Rate Limiting

Fastly’s Edge Rate Limiting provides customers with the ability to count client requests and optionally penalize clients for exceeding set rate limits, thereby controlling the rate of requests sent to origin servers. Common uses for the Edge Rate Limiting product include mitigating abusive use of a website or service (e.g. by a scraping bot or a denial of service attack) or applying limits on use of an expensive or billable resource (e.g. allowing only up to 1000 requests an hour to an API endpoint). By controlling the rate of requests to your origins, you can help ensure service availability during excessive spikes in traffic.


To access this product using Varnish (VCL), you must have a Security or Delivery package. To access this product using Rust, Go, or JavaScript, you must have a Compute package. Check out our pricing page for details.

Limitations and caveats

Edge Rate Limiting is compatible with Fastly’s origin shield feature and both can be used together. If you have shielding enabled, rate limits will be counted twice, once at the edge and once at the origin shield. This has different implications for where protection is occurring and how the client is identified.

Edge Rate Limiting is not intended to compute rates with high precision and may under count by up to 10%. For example, if you have a rate limit of 100 requests per second over a 10 second window, when the real request rate reaches 100 RPS, it may register as low as 90 and therefore may not trigger the limit until the real request rate reaches 110 RPS.

Both rate counters and penalty boxes have a fixed capacity for client entries. Once a rate counter is full, each new entry evicts the entry that was least recently incremented. Once a penalty box is full, each new entry will evict the entry with the shortest remaining time to live (TTL). Penalty box TTLs are enforced by rounding up on the minute, so the effective minimum TTL of an entry in a penalty box is 2 minutes.

Security products note

No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. As a subscriber, you should maintain appropriate security controls on all web applications and origins. The use of Fastly's security products do not relieve you of this obligation. As a subscriber, you should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, continuously monitor their performance, and adjust these services as appropriate to address changes in your web applications, origin services, and configurations of the other aspects of your Fastly services.

For more details about this product, including how to purchase it, contact your account manager or email sales@fastly.com.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.