type: decision
status: active
timestamp: 2026-06-20
tags: [security, anti-bot, decisions, defense-in-depth, cloudflare, turnstile, hono]

Anti-bot — defense in depth (CF WAF + Turnstile + Hono rate-limit)

Bot defense: CF WAF + Turnstile + Hono rate-limit. All free

Decision

The family runs three anti-bot layers, each at a different stage of the request lifecycle. A request must clear every layer that applies to it (the WAF on every request, Turnstile on form submits, the rate limit on throttled API routes) before it reaches a route handler. All three are free (no card required) and run on infrastructure the family already uses.

| Layer | Stage | Service | What it blocks |
|---|---|---|---|
| 1 | Edge (zone-wide) | Cloudflare WAF + Bot Fight Mode | Known-bad IPs, common attack patterns (SQLi/XSS/RFI), obvious bot signatures, DDoS |
| 2 | Form-submit boundary | Cloudflare Turnstile (with hCaptcha fallback) | Automated form submissions on contact / sign-up / comment forms |
| 3 | API per-route throttle | Hono rate-limit middleware | Per-IP, per-route abuse on the api.oriz.in Worker |

Why three layers (not one)

The user's direction was "+ Turnstile (already locked)". The two sibling layers (WAF + rate-limit) ride alongside because:

This is the same defense-in-depth pattern as the double security-headers audit (securityheaders.com + Mozilla Observatory) and the two-captcha pair (Turnstile primary + hCaptcha fallback).

Layer detail

1. Cloudflare WAF + Bot Fight Mode (edge)

2. Turnstile + hCaptcha fallback (form-submit)
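What the form-submit boundary has to do on the server side, as an added example that is not the project's own code: the browser posts either Turnstile's `cf-turnstile-response` field or, when the widget fell back, hCaptcha's `h-captcha-response`, and the Worker verifies whichever it received against that provider's siteverify endpoint. Assumed here (not from the page): the secrets arrive as Worker bindings named `TURNSTILE_SECRET` and `HCAPTCHA_SECRET`, `EXPECTED_HOSTNAME` is the host the form is served from, the action name `contact` is illustrative, and `fetch` is injected so the logic can be exercised offline.

```typescript
// Layer 2: server-side verification of the challenge token with Turnstile as the
// primary provider and hCaptcha as the fallback. Added example, not the project's
// code. Assumed: secrets arrive as Worker bindings named TURNSTILE_SECRET and
// HCAPTCHA_SECRET, EXPECTED_HOSTNAME is the host the form is served from, and the
// route/action name 'contact' is illustrative.

type FetchLike = (url: string, init: { method: string; body: URLSearchParams }) => Promise<Response>;

interface Env { TURNSTILE_SECRET: string; HCAPTCHA_SECRET: string; EXPECTED_HOSTNAME: string }

type Provider = 'turnstile' | 'hcaptcha';

// Both providers expose the same siteverify contract: POST secret + response
// (+ remoteip) as a form body, get back { success, hostname, "error-codes", ... }.
const PROVIDERS: Record<Provider, { endpoint: string; field: string }> = {
  turnstile: { endpoint: 'https://challenges.cloudflare.com/turnstile/v0/siteverify', field: 'cf-turnstile-response' },
  hcaptcha: { endpoint: 'https://api.hcaptcha.com/siteverify', field: 'h-captcha-response' },
};

interface SiteverifyReply {
  success: boolean;
  hostname?: string;
  action?: string;           // Turnstile only: echoes the widget's data-action
  'error-codes'?: string[];
}

interface VerifyResult { ok: boolean; provider?: Provider; reason: string }

// Choose the provider from which hidden field the browser posted, then verify
// with that provider's secret. Every failure path returns ok:false (fail closed).
async function verifyChallenge(
  form: Record<string, string>,
  remoteip: string,
  expectedAction: string,
  env: Env,
  fetchFn: FetchLike,
): Promise<VerifyResult> {
  const provider: Provider | undefined = form[PROVIDERS.turnstile.field]
    ? 'turnstile'
    : form[PROVIDERS.hcaptcha.field] ? 'hcaptcha' : undefined;
  if (!provider) return { ok: false, reason: 'no challenge token in form' };

  const { endpoint, field } = PROVIDERS[provider];
  const secret = provider === 'turnstile' ? env.TURNSTILE_SECRET : env.HCAPTCHA_SECRET;
  const body = new URLSearchParams({ secret, response: form[field] });
  if (remoteip) body.set('remoteip', remoteip); // lets the provider bind the token to the client IP

  let reply: SiteverifyReply;
  try {
    const res = await fetchFn(endpoint, { method: 'POST', body });
    reply = (await res.json()) as SiteverifyReply;
  } catch {
    return { ok: false, provider, reason: 'siteverify unreachable' };
  }
  if (!reply.success) {
    return { ok: false, provider, reason: (reply['error-codes'] ?? ['unknown']).join(',') };
  }
  // A valid token minted on someone else's site must not be accepted here.
  if (reply.hostname !== env.EXPECTED_HOSTNAME) return { ok: false, provider, reason: 'hostname mismatch' };
  // Turnstile echoes the widget's action; a token solved on the sign-up widget
  // must not unlock the contact form.
  if (provider === 'turnstile' && reply.action !== expectedAction) {
    return { ok: false, provider, reason: 'action mismatch' };
  }
  return { ok: true, provider, reason: 'verified' };
}

// Handler-shaped wiring: the subset of Hono's Context used here, env passed explicitly.
interface FormCtx {
  req: { header(name: string): string | undefined; parseBody(): Promise<Record<string, unknown>> };
  json(body: unknown, status?: number): Response;
}

async function contactHandler(c: FormCtx, env: Env, fetchFn: FetchLike): Promise<Response> {
  const raw = await c.req.parseBody();
  const form: Record<string, string> = {};
  for (const [k, v] of Object.entries(raw)) if (typeof v === 'string') form[k] = v;
  const result = await verifyChallenge(form, c.req.header('CF-Connecting-IP') ?? '', 'contact', env, fetchFn);
  if (!result.ok) return c.json({ error: 'challenge_failed', reason: result.reason }, 403);
  // Only past this point is the submission treated as human (store it, send mail, ...).
  return c.json({ ok: true, via: result.provider }, 200);
}
```

Two points worth keeping in mind with this shape. First, a server that accepts either token lets an attacker choose the provider, so the fallback must really be a fallback (the page only serves hCaptcha when the Turnstile widget fails to load) and both secrets must be guarded alike; the weaker of the two sets the floor. Second, siteverify is the only trustworthy signal: tokens are single-use and short-lived on the provider side, so verify once per submission, on the server, and never act on the client's claim that the challenge passed.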

3. Hono rate-limit middleware (API per-route)

Implications

Cross-refs

