<@U04UQ68083H> when using ory network, what does o...
# ory-copilot
w
@chilly-king-10285 when using ory network, what does ory provide as protection against dos attacks? IP blocking etc.?
b
A message from kapa.ai
When using Ory Network, protection against DoS (Denial of Service) attacks is provided through several built-in security measures:

- Rate Limiting: Ory Network applies both project-level and endpoint-based rate limits. These mechanisms restrict the number of requests that can be made within certain timeframes, helping to prevent abuse and service disruptions. Endpoint-based rate limits specifically analyze request patterns, source IP addresses, and request frequency to identify and block suspicious or malicious activity, such as brute-force and credential stuffing attacks. For high-volume legitimate traffic, IP whitelisting is available for Growth and Enterprise plans, allowing trusted sources to bypass stricter limits while maintaining overall security. The rate limit rules themselves are managed by Ory and are not directly configurable by customers at this time [Understand Ory Network rate limiting](https://www.ory.sh/docs/guides/rate-limits#endpoint-based-rate-limits).
- Bot Detection and IP Throttling: Ory Network leverages Cloudflare Web Application Firewall (WAF) and Cloudflare Bot Management to detect and mitigate automated attacks, including DoS attempts. These services help identify and throttle suspicious IPs, providing an additional layer of defense against automated threats without negatively impacting legitimate users [Threat models and security profiles](https://www.ory.sh/docs/kratos/concepts/security).
- Suspicious IP Throttling: Ory Network includes mechanisms to throttle requests from suspicious IP addresses, further reducing the risk of DoS attacks and credential stuffing [Ory Network or self-hosted?](https://www.ory.sh/blog/ory-network-or-self-hosting-explained-use-cases).
- Firewall and Allowlisting: For outbound traffic (such as webhooks and emails), Ory Network uses a fixed set of IP addresses, allowing customers to configure their firewalls to only accept traffic from these trusted sources, which can help mitigate certain types of attacks [Configure Ory Network IP addresses as allow list](https://www.ory.sh/docs/guides/allowlist).

In summary, Ory Network provides robust DoS protection through rate limiting, IP-based throttling, Cloudflare WAF integration, and support for IP allowlisting. These measures collectively help block or mitigate malicious traffic, including DoS attacks.
w
@chilly-king-10285 does any of this need to be activated explicitly or should it just be working by default? And does that change if you use a custom login ui?
b
A message from kapa.ai
Ory Network’s protections against DoS attacks—such as rate limiting, bot detection, suspicious IP throttling, and Cloudflare WAF integration—are enabled by default for all projects. You do not need to explicitly activate these features; they are part of the platform’s built-in security infrastructure and apply automatically to both the API endpoints and the default Ory Account Experience UI.

If you use a custom login UI, these protections still apply to the underlying Ory Network endpoints (e.g., login, registration, and other API routes). The security measures are enforced at the API and network level, not at the UI level, so switching to a custom UI does not disable or bypass these protections. The only exception is if you self-host Ory Kratos, in which case you are responsible for implementing your own protections, but for Ory Network, everything is managed for you by default [Threat models and security profiles](https://www.ory.sh/docs/kratos/concepts/security) [Understand Ory Network rate limiting](https://www.ory.sh/docs/guides/rate-limits#endpoint-based-rate-limits).

In summary:

- **No explicit activation is required**—protections are on by default.
- **Using a custom UI does not affect these protections**; they remain in place as long as you use Ory Network’s backend services.