
Cloudflare WAF + Bot Fight Mode

service · security · waf · anti-bot · cloudflare · primary


Role

The edge layer of the family's anti-bot defense-in-depth. Sits in front of every *.oriz.in zone (Pages + Workers) and rejects:

Whatever survives the WAF reaches the Worker / origin and is then gated by Turnstile (form-submit challenge) and Hono rate-limit middleware (per-IP API throttling).
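The Worker-side gate described above, as an added example (not code from this page or from the oriz.in Worker). It is written as plain functions so it runs and tests without Hono or a live Turnstile account: a per-IP sliding-window limiter keyed on the client IP, a Turnstile siteverify check that validates token size, binds the token to the submitting IP and checks the reported hostname, and a gate that orders the two so the cheap in-memory check runs before any outbound call. The `Fetcher` type, `stubSiteverify`, the `/api/submit` route and the 2048-character token cap applied as a pre-check are assumptions for the demo; the hostname `oriz.in` and the IPs are constructed test data.

```typescript
// Added example (not code from the oriz.in page or its Worker): the
// application-layer gate that runs behind the Cloudflare WAF. Plain functions,
// so it runs without Hono; in the Worker each piece is wrapped in app.use().

const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// ---- 1. Per-IP sliding-window rate limit ---------------------------------

export interface RateLimiter {
  /** true = admit the request, false = this IP is over the limit. */
  allow(ip: string, nowMs?: number): boolean;
}

/** At most `limit` requests per `windowMs` per client IP (CF-Connecting-IP).
 *  State is in-memory, hence per Worker isolate; an exact global count would
 *  need KV or a Durable Object. Assumption: per-isolate is acceptable because
 *  the zone-level Cloudflare rate limit already caps the total. */
export function createSlidingWindowLimiter(limit: number, windowMs: number): RateLimiter {
  const hits = new Map<string, number[]>();
  return {
    allow(ip, nowMs = Date.now()) {
      const cutoff = nowMs - windowMs;
      const recent = (hits.get(ip) ?? []).filter((t) => t > cutoff); // drop expired hits
      const admitted = recent.length < limit;
      if (admitted) recent.push(nowMs);
      hits.set(ip, recent);
      return admitted;
    },
  };
}

// ---- 2. Turnstile siteverify --------------------------------------------

/** Just enough of fetch's shape to be stubbed; pass the global `fetch` in the Worker. */
export type Fetcher = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ json(): Promise<unknown> }>;

export interface SiteverifyResponse {
  success: boolean;
  hostname?: string;
  "error-codes"?: string[];
}

/** Server-side check of the token the Turnstile widget put in the form.
 *  Rejects oversized tokens before spending an outbound call, binds the token
 *  to the submitting IP via `remoteip`, and checks `hostname` so a token
 *  minted by a widget on another zone is not accepted. */
export async function verifyTurnstile(
  secret: string,
  token: string,
  remoteIp: string,
  expectedHostname: string,
  fetchImpl: Fetcher,
): Promise<{ ok: boolean; reason: string }> {
  if (!token || token.length > 2048) return { ok: false, reason: "missing-or-oversized-token" };
  const body = new URLSearchParams({ secret, response: token, remoteip: remoteIp }).toString();
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body,
  });
  const data = (await res.json()) as SiteverifyResponse;
  if (!data.success) return { ok: false, reason: (data["error-codes"] ?? ["unknown"]).join(",") };
  if (data.hostname !== expectedHostname) return { ok: false, reason: "hostname-mismatch" };
  return { ok: true, reason: "ok" };
}

/** Constructed stand-in for siteverify, used by the demo; not a real endpoint. */
export function stubSiteverify(payload: SiteverifyResponse): Fetcher {
  return async () => ({ json: async () => payload });
}

// ---- 3. Gate decision ---------------------------------------------------

export interface GateResult { status: 200 | 403 | 429; reason: string }

/** Cheap check first (in-memory limiter, no network), then the Turnstile
 *  round-trip only on the form-submit route (assumed path prefix). */
export async function gate(
  ip: string,
  path: string,
  token: string | undefined,
  limiter: RateLimiter,
  verify: (token: string, ip: string) => Promise<{ ok: boolean; reason: string }>,
): Promise<GateResult> {
  if (!limiter.allow(ip)) return { status: 429, reason: "rate-limited" };
  if (path.startsWith("/api/submit")) {
    const v = await verify(token ?? "", ip);
    if (!v.ok) return { status: 403, reason: v.reason };
  }
  return { status: 200, reason: "ok" };
}

/** Demo: two submits from one constructed IP with a 1-per-10s limit; the second is throttled. */
export async function demo(): Promise<GateResult[]> {
  const limiter = createSlidingWindowLimiter(1, 10000);
  const verify = (t: string, ip: string) =>
    verifyTurnstile("SECRET", t, ip, "oriz.in", stubSiteverify({ success: true, hostname: "oriz.in" }));
  return [
    await gate("203.0.113.7", "/api/submit", "tok", limiter, verify),
    await gate("203.0.113.7", "/api/submit", "tok", limiter, verify),
  ];
}

demo().then((r) => console.log(r.map((g) => g.status))); // [200, 429]
```

In the real Worker the limiter becomes `app.use("/api/*", ...)` reading `c.req.header("CF-Connecting-IP")`, and `verifyTurnstile` runs in the submit handler with the secret from an environment binding and the global `fetch`. The hostname check matters because the site key and secret are per widget, not per zone: without it a token solved on any page using the same widget would pass.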

Free tier

Card / subscription required?

NO. Inherits the existing Cloudflare free-plan account that hosts Pages, Workers, DNS, Turnstile, Email Routing, and Cron Triggers. No new account surface, no card.

Configured per zone via Terraform / dashboard

# WAF ruleset
[waf.managed]
ruleset = "cf_managed_free"   # auto-updated
mode    = "block"

# Bot Fight Mode
[security.bot_management]
fight_mode = "on"             # free tier

# Rate limit (free plan)
[[ratelimit.rules]]
match     = "starts_with(http.request.uri.path, \"/api/\")"   # regex `matches` needs Business+
threshold = 20
period    = 10                # free plan counting period is fixed at 10 s
action    = "managed_challenge"   # non-interactive Managed Challenge; "challenge" forces an interactive one

The threshold above is a coarse zone-level safety net; finer-grained per-route limits live in the Hono rate-limit middleware. Two free-plan constraints to keep in mind when editing this: the regex `matches` operator in rule expressions is a Business/Enterprise feature, so match with `starts_with()` or `eq` instead, and the rate-limit counting period is fixed at 10 s. Bot Fight Mode also applies zone-wide and cannot be exempted with a WAF custom rule, so any legitimate automated caller of the Workers API (webhook deliveries, uptime probes) that trips its heuristics is challenged at the edge before the Hono layer ever sees the request.

Alternatives

Swap cost

Medium. WAF rules are Cloudflare-syntax; porting to AWS / Bunny means re-authoring the rule set. Bot Fight Mode is unique to Cloudflare. The DNS swap is straightforward; the rule-port is the work.

Why this is our pick

The family already runs every other layer on the same Cloudflare account; the WAF + Bot Fight Mode are zero-incremental-config add-ons. Combined with Turnstile (form-submit) + Hono rate-limit (API), the family gets three layers of bot defense without paying for a single one — locked in security/anti-bot-defense-in-depth.md.

Cross-refs