You can set a per-IP rate limit on Cloudflare's free plan... it stops an attack right at the edge before it touches your app. But it's not so straightforward...
Published: February 27, 2026

1st issue - if you are on Vercel, every app gets a public something-something.vercel.app URL alongside your custom domain. Traffic to that URL bypasses Cloudflare - all your rules gone down the drain. What do you do? Just enable deployment protection and any access to that URL goes to Vercel's sign-in page. Matter over.
No, not.. not done yet ... what if you have a FastAPI backend on a different URL? Or a different subdomain for different apps, e.g. vigil.tigzig.com, qrep.tigzig.com etc. Or you have MCP servers ... each on a different URL requiring a different rate limit?
Then it gets tricky.
Why? Only 1 rule on free account with single rate limit (per 10s).
And Cloudflare's $20 Pro plan gets you 2 rules only.
Yupp .. you can just combine them into a single rule if that works..
I have some 60+ subdomains across my 40+ apps and their respective backends .. now hacking something together with Cloudflare Workers. Claude Code has a number of ideas .. one enthu cutlet .. after each idea asks 'Shall I go ahead and implement this?' no baba .. need to understand what you are going to do...
But THE MOST IMPORTANT POINT - for a single domain or if you can combine them then do make sure to use Cloudflare. Doesn't cost anything and the protection and functionalities it provides even on free tier is huge.
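For the many-subdomains case above, here is a sketch of a Worker that keeps a separate per-IP limit for each hostname. It is an added example, not the code running on tigzig.com: the limit numbers, `checkRate`, `sweep` and the in-memory `Map` are assumptions, and the `Map` only counts within one Worker isolate, so a truly global limit needs shared state such as a Durable Object.

```javascript
// Per-host limits. Hostnames are from the post; the numbers are constructed.
const LIMITS = new Map([
  ["vigil.tigzig.com", { max: 20, windowMs: 10_000 }],
  ["qrep.tigzig.com", { max: 5, windowMs: 10_000 }],
]);
const DEFAULT_LIMIT = { max: 10, windowMs: 10_000 };
const limitFor = (host) => LIMITS.get(host) ?? DEFAULT_LIMIT;

// Fixed-window counter keyed by host + client IP ("|" cannot appear in either).
function checkRate(store, host, ip, now = Date.now()) {
  const { max, windowMs } = limitFor(host);
  const key = `${host}|${ip}`;
  let entry = store.get(key);
  if (!entry || now - entry.start >= windowMs) {
    entry = { start: now, count: 0 }; // first hit, or the old window expired
    store.set(key, entry);
  }
  entry.count += 1;
  const retryAfter = Math.ceil((entry.start + windowMs - now) / 1000);
  return { allowed: entry.count <= max, remaining: Math.max(0, max - entry.count), retryAfter };
}

// Drop expired windows so the Map does not grow without bound.
function sweep(store, now = Date.now()) {
  for (const [key, entry] of store) {
    const host = key.split("|")[0];
    if (now - entry.start >= limitFor(host).windowMs) store.delete(key);
  }
}

const counters = new Map(); // per-isolate state (assumption, see lead-in)

// Worker entry point; in a Worker module this object is the default export.
const worker = {
  async fetch(request) {
    const host = new URL(request.url).hostname;
    const ip = request.headers.get("CF-Connecting-IP") ?? "unknown";
    if (counters.size > 10_000) sweep(counters);
    const verdict = checkRate(counters, host, ip);
    if (!verdict.allowed) {
      return new Response("Too Many Requests", {
        status: 429,
        headers: { "Retry-After": String(verdict.retryAfter) },
      });
    }
    return fetch(request); // under the limit: pass through to the origin
  },
};
```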
80 items now on my security checklist at tigzig.com/security. Vulnerabilities I've detected and am fixing across 40+ of my deployed apps. Full markdown copy available - paste it to your AI coder as a starting checklist or have it walk you through it.