@amolith@masto.nixnet.xyz The second part is to keep bots away from the transactional part of your website. Because you can cache static content, but anything that is dynamically generated (e.g. Vary: Cookie) will just kill your database under DDoS.
Again, Nginx with conditionals, Lua, NAXSI or ModSec can help here, but you need to spin up enough instances to even be able to handle the traffic at the TCP level.
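
A sketch of the split the post describes, as an added example that is not part of the original post: static paths are answered from the Nginx cache, while dynamic paths are rate-limited per client before they reach the application and its database. The upstream address, server name, paths, zone names, the empty User-Agent heuristic and all rates are assumptions chosen for illustration.

```nginx
# Goes inside the http { } context. All names, paths and limits are assumed values.
proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static_cache:50m
                 max_size=2g inactive=60m use_temp_path=off;

# Per-client-IP budgets for the dynamic ("transactional") endpoints.
limit_req_zone  $binary_remote_addr zone=dyn_req:20m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=dyn_conn:20m;

# Conditional: flag requests that carry no User-Agent header (assumed heuristic).
map $http_user_agent $no_ua {
    default 0;
    ""      1;
}

upstream app_backend {
    server 127.0.0.1:8080;      # assumed application server
    keepalive 32;
}

server {
    listen 80;
    server_name example.org;    # placeholder

    # Static content: cached, cookies dropped so all clients share one copy.
    location /static/ {
        proxy_pass http://app_backend;
        proxy_cache static_cache;
        proxy_cache_valid 200 301 10m;
        proxy_ignore_headers Set-Cookie Vary;
        proxy_hide_header Set-Cookie;
        proxy_cache_lock on;    # one upstream fetch per missing object
        proxy_cache_use_stale error timeout updating http_502 http_503;
    }

    # Dynamic content: not cacheable, so throttle it in front of the backend.
    location / {
        if ($no_ua) { return 403; }
        limit_req  zone=dyn_req burst=10 nodelay;
        limit_conn dyn_conn 10;
        limit_req_status  429;
        limit_conn_status 429;
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
```

Per-IP limits only protect the backend; they do nothing for the capacity needed to accept the connections in the first place, which is the post's last point.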