Did you use some sort of intrusion prevention system? I'm using cloudflare's anti ddos service + crowdsec, but I'm still getting bombarded with hundreds of thousands of requests per month
Besides rate-limiting with Caddy + fail2ban, not really. It's the public internet, anything gets bombarded almost as soon as it's public, but all requests are read-only requests so doesn't really impact anything beyond filling the access logs. Trivial to filter away when you want to do analytics too, so isn't really a problem.