[WAF] Update rate limiting config restrictions (#26940)

SomeBadCoding · pedrosousa · web-flow · commit 3f31ec6e55c6 · 2025-12-05T11:35:31.000Z
---------

Co-authored-by: Pedro Sousa &lt;680496+pedrosousa@users.noreply.github.com&gt;
diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx
@@ -258,4 +258,4 @@ To use claims inside a JSON Web Token (JWT), you must first set up a [token vali
 
 - The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) and [custom lists](/waf/tools/lists/custom-lists/). If you use custom lists, you must enable the **Also apply rate limiting to cached assets** parameter.
 
-- When creating a rate limiting rule [at the account level](/waf/account/rate-limiting-rulesets/) as part of a rate limiting ruleset, the rule expression cannot contain [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) or [custom lists](/waf/tools/lists/custom-lists/).
+- When creating a rate limiting ruleset [at the account level](/waf/account/rate-limiting-rulesets/), the ruleset deployment expression (defining the scope) and the filter expression of any rate limiting rules in the ruleset cannot contain [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) or [custom lists](/waf/tools/lists/custom-lists/).

Original file line number	Diff line number	Diff line change
`@@ -258,4 +258,4 @@ To use claims inside a JSON Web Token (JWT), you must first set up a [token vali`
`258`	`258`
`259`	`259`	`- The rule counting expression, defined in the Increment counter when parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) and [custom lists](/waf/tools/lists/custom-lists/). If you use custom lists, you must enable the Also apply rate limiting to cached assets parameter.`
`260`	`260`
`261`		`-- When creating a rate limiting rule [at the account level](/waf/account/rate-limiting-rulesets/) as part of a rate limiting ruleset, the rule expression cannot contain [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) or [custom lists](/waf/tools/lists/custom-lists/).`
	`261`	`+- When creating a rate limiting ruleset [at the account level](/waf/account/rate-limiting-rulesets/), the ruleset deployment expression (defining the scope) and the filter expression of any rate limiting rules in the ruleset cannot contain [HTTP response fields](/ruleset-engine/rules-language/fields/reference/?field-category=Response) or [custom lists](/waf/tools/lists/custom-lists/).`