Configure Cloudflare rate-limiting rules via the Rulesets API

Verified steps

1. Rate-limiting rules are deployed to the http_ratelimit phase; retrieve the phase entry-point ruleset ID for your zone with GET /zones/{zone_id}/rulesets/phases/http_ratelimit/entrypoint before creating rules.
2. Add a rate-limiting rule by POST to /zones/{zone_id}/rulesets/{entrypoint_ruleset_id}/rules with action set to block (or challenge, log), a filter expression in expression, and a ratelimit object containing requests_per_period, period (in seconds), and optionally characteristics[] to define the counting key.
3. The characteristics[] array determines what constitutes a unique counter: ip.src counts per source IP; http.request.headers["cf-connecting-ip"] counts per end-user IP when behind a proxy; you can combine multiple characteristics for compound keys.
4. Valid period values are a fixed set defined by Cloudflare (for example 10, 60, 300, 3600, 86400 seconds); choose the period that matches the expected legitimate usage pattern to minimise false positives.
5. Start with action=log and a conservative threshold to observe baseline request rates in Firewall Events before enforcing; use Security Analytics to identify the 99th-percentile rate for legitimate users.
6. Note that the legacy Rate Limiting API (cloudflare_rate_limit Terraform resource) was deprecated and removed in June 2025; all new and existing rate-limiting configuration must use the Rulesets API and cloudflare_ruleset Terraform resource.