
Anti-bot — defense in depth (CF WAF + Turnstile + Hono rate-limit)

Tags: decision, security, anti-bot, decisions, defense-in-depth, cloudflare, turnstile, hono


Decision

The family runs three anti-bot layers, each at a different stage of the request lifecycle. A request must clear every layer that applies to it before it reaches a route handler: the edge layer sees all zone traffic, the captcha layer only form submissions, the throttle only the API Worker. All three run on free tiers with no payment card required, on infrastructure the family already uses.

| Layer | Stage | Service | What it blocks |
|---|---|---|---|
| 1 | Edge (zone-wide) | Cloudflare WAF + Bot Fight Mode | Known-bad IPs, common attack patterns (SQLi/XSS/RFI), obvious bot signatures, DDoS |
| 2 | Form-submit boundary | Cloudflare Turnstile (with hCaptcha fallback) | Automated form submissions on contact / sign-up / comment forms |
| 3 | API per-route throttle | Hono rate-limit middleware | Per-IP per-route abuse on the api.oriz.in Worker |

Why three layers (not one)

The user's direction was "+ Turnstile (already locked)". The two sibling layers (WAF + rate-limit) ride alongside because:

This is the same defense-in-depth pattern as the double security-headers audit (securityheaders.com + Mozilla Observatory) and the two-captcha pair (Turnstile primary + hCaptcha fallback).

Layer detail

1. Cloudflare WAF + Bot Fight Mode (edge)

2. Turnstile + hCaptcha fallback (form-submit)
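
Server-side verification is what makes this layer real: a Turnstile or hCaptcha token in the form body proves nothing until the API Worker posts it to the provider's siteverify endpoint. The block below is an added example, not code from the oriz.in project. It accepts whichever token the page ended up sending (Turnstile first, hCaptcha when the page fell back to it), checks the provider's verdict, and additionally rejects tokens issued for another hostname or for a different form action. The CaptchaConfig shape, the "contact" action name and the injected fetcher are assumptions for the example; the endpoint URLs and form field names are the providers' public ones.

```typescript
// Added example (not the oriz.in project's own code): server-side verification for
// layer 2. The browser submits either a Turnstile token (field "cf-turnstile-response")
// or, when the widget failed to load and the page fell back to hCaptcha, an hCaptcha
// token (field "h-captcha-response"). The server verifies whichever arrived against
// that provider's siteverify endpoint and never trusts the token by itself.
// CaptchaConfig, the "contact" action and the injected fetcher are assumptions.

type Provider = "turnstile" | "hcaptcha";

// Fields common to both providers' siteverify JSON responses.
interface SiteverifyResult {
  success: boolean;
  hostname?: string;
  action?: string;            // Turnstile only: the widget's data-action
  "error-codes"?: string[];
}

interface CaptchaConfig {
  turnstileSecret: string;
  hcaptchaSecret: string;
  expectedHostname: string;   // reject tokens minted on another site (e.g. a phishing clone)
  expectedAction?: string;    // reject a Turnstile token solved for a different form
}

type Verdict = { ok: true; provider: Provider } | { ok: false; reason: string };

const SITEVERIFY: Record<Provider, string> = {
  turnstile: "https://challenges.cloudflare.com/turnstile/v0/siteverify",
  hcaptcha: "https://api.hcaptcha.com/siteverify",
};
const MAX_TOKEN_LEN = 2048; // Turnstile documents tokens of up to 2048 characters

// Decide which provider the submission used. Turnstile wins if both fields are present.
function pickProvider(form: FormData): { provider: Provider; token: string } | null {
  const candidates: Array<[Provider, string]> = [
    ["turnstile", "cf-turnstile-response"],
    ["hcaptcha", "h-captcha-response"],
  ];
  for (const [provider, field] of candidates) {
    const v = form.get(field);
    if (typeof v === "string" && v.length > 0 && v.length <= MAX_TOKEN_LEN) {
      return { provider, token: v };
    }
  }
  return null;
}

// Pure decision over a parsed siteverify response; kept separate from the network
// call so it can be unit-tested offline.
function judge(provider: Provider, data: SiteverifyResult, cfg: CaptchaConfig): Verdict {
  if (!data.success) {
    const codes = (data["error-codes"] ?? []).join(",");
    return { ok: false, reason: `${provider} rejected token${codes ? `: ${codes}` : ""}` };
  }
  if (data.hostname !== cfg.expectedHostname) {
    return { ok: false, reason: `${provider} token was issued for ${data.hostname ?? "unknown host"}` };
  }
  if (provider === "turnstile" && cfg.expectedAction && data.action !== cfg.expectedAction) {
    return { ok: false, reason: `turnstile action ${data.action ?? "(none)"} != ${cfg.expectedAction}` };
  }
  return { ok: true, provider };
}

type Fetcher = (url: string, init: RequestInit) => Promise<Response>;

async function verifyCaptcha(
  form: FormData,
  remoteIp: string | undefined,   // on Workers: c.req.header("CF-Connecting-IP")
  cfg: CaptchaConfig,
  fetcher: Fetcher = fetch,
): Promise<Verdict> {
  const picked = pickProvider(form);
  if (!picked) return { ok: false, reason: "no captcha token in submission" };
  const secret = picked.provider === "turnstile" ? cfg.turnstileSecret : cfg.hcaptchaSecret;
  // Both endpoints accept application/x-www-form-urlencoded: secret, response, remoteip.
  const body = new URLSearchParams({ secret, response: picked.token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetcher(SITEVERIFY[picked.provider], { method: "POST", body });
  if (!res.ok) return { ok: false, reason: `${picked.provider} siteverify HTTP ${res.status}` };
  return judge(picked.provider, (await res.json()) as SiteverifyResult, cfg);
}
```

Two operational caveats. Turnstile tokens are single-use and short-lived, so call siteverify exactly once per submission and after the route's rate-limit check has passed, otherwise a replayed token comes back as `timeout-or-duplicate` and a flood of junk submissions burns siteverify calls. The hostname check matters because the fallback widget is configured client-side: without it a token solved on a cloned page under an attacker's hostname would still carry `success: true`.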

3. Hono rate-limit middleware (API per-route)
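
The per-route throttle is small enough to show in full. The block below is an added example written for this page, not the project's own middleware: a sliding-window counter keyed on (route, client IP) with a per-route limit table, wrapped in a function of Hono's `(c, next)` middleware shape. The `MinimalContext` interface is an assumption that names only the pieces of Hono's `Context` the middleware touches (`c.req.path`, `c.req.header`, `c.header`, `c.text`), so the block runs without the hono package; the route limits are illustrative.

```typescript
// Added example (not the oriz.in project's own code): per-IP, per-route sliding-window
// rate limiter for layer 3, in the shape of Hono middleware. MinimalContext is an
// assumption mirroring the few Hono Context members used; limits below are illustrative.

type LimitRule = { limit: number; windowMs: number };
type Decision = { allowed: boolean; remaining: number; retryAfterSec: number };

class RouteRateLimiter {
  // key "route|ip" -> timestamps (ms) of requests inside the current window
  private hits = new Map<string, number[]>();

  constructor(private rules: Record<string, LimitRule>, private fallback: LimitRule) {}

  rule(route: string): LimitRule {
    return this.rules[route] ?? this.fallback;
  }

  // `now` is injectable so the window logic can be tested deterministically.
  check(ip: string, route: string, now: number = Date.now()): Decision {
    const { limit, windowMs } = this.rule(route);
    const key = `${route}|${ip}`;
    // Drop timestamps that have aged out of the window before counting.
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < windowMs);
    if (recent.length >= limit) {
      this.hits.set(key, recent);
      const oldest = recent[0] ?? now;
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil((oldest + windowMs - now) / 1000) };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterSec: 0 };
  }
}

// The subset of Hono's Context this middleware needs (assumption, to keep the example
// free of the hono dependency).
interface MinimalContext {
  req: { path: string; header(name: string): string | undefined };
  header(name: string, value: string): void;
  text(body: string, status: number): Response;
}
type Next = () => Promise<void>;

function rateLimit(limiter: RouteRateLimiter) {
  return async (c: MinimalContext, next: Next): Promise<Response | void> => {
    // Behind Cloudflare the real client address is CF-Connecting-IP; X-Forwarded-For
    // is attacker-controlled and must not be used for keying.
    const ip = c.req.header("CF-Connecting-IP") ?? "unknown";
    const d = limiter.check(ip, c.req.path);
    c.header("X-RateLimit-Remaining", String(d.remaining));
    if (!d.allowed) {
      c.header("Retry-After", String(d.retryAfterSec));
      return c.text("Too Many Requests", 429);
    }
    await next();
  };
}

// Illustrative limits: tight on form endpoints, looser default elsewhere.
const apiLimiter = new RouteRateLimiter(
  { "/contact": { limit: 5, windowMs: 60_000 }, "/signup": { limit: 3, windowMs: 60_000 } },
  { limit: 60, windowMs: 60_000 },
);
const apiRateLimit = rateLimit(apiLimiter);
// With Hono (not imported here): app.use("/*", apiRateLimit);
```

The Map lives in Worker isolate memory, which is not shared across isolates or colos, so this is a best-effort per-isolate throttle rather than a global count; a determined client spread across many edge locations sees a higher effective limit. For a global budget, back the counter with Durable Objects or KV, or push the rule up into the edge layer, and keep this middleware as the cheap second line for the API Worker.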

Implications

Cross-refs