... and the bad guys?

With Caddy in place, we can move this handling out of code and into configuration:

  • Filter out known cases early on:
    # Named matcher for probe/scanner paths that should always answer 404.
    # Several `path` lines in one matcher set are OR'ed: either path matches.
    # `/swagger-ui/*` covers /swagger-ui/ and everything below it, but not the
    # bare /swagger-ui without the trailing slash.
    @well_known_404 {
        path /.well-known/assetlinks.json
        path /swagger-ui/*
    }
    # Answer directly from the proxy with an empty 404; `respond` writes the
    # reply itself, so nothing else in this handle block sees the request.
    handle @well_known_404 {
        respond 404 {
            # Also close the client's connection once the response is written.
            close
        }
    }
  • Rate-limit login attempts
    # Named matcher: POST requests to the login endpoint (method AND path).
    # `path` without a wildcard is an exact match, so the same URL without the
    # trailing slash is not matched here.
    # NOTE(review): confirm the backend does not also accept /_framer/login;
    # if it does, that form is not rate-limited by this block.
    @login {
        method POST
        path /_framer/login/
    }
    
    handle @login {
        # rate_limit is a plugin directive, not core Caddy. It sits outside the
        # `route` block, so it depends on an `order` entry in the global options
        # (not shown) to run before framer_serve -- TODO confirm.
        rate_limit {
            # Presumably shares counters between instances rather than counting
            # per instance; the storage backing it is not shown here.
            distributed
            zone logins {
                # One counter per {remote_host}, i.e. the immediate TCP peer.
                # Behind a load balancer or CDN that is the proxy's address, so
                # all clients would share one counter; in that deployment key on
                # {client_ip} with trusted_proxies configured instead.
                # An address-keyed limit does not bound attempts against a single
                # account from many addresses; per-account throttling has to live
                # in the login handler.
                key {remote_host}
                # Allow at most 20 matching requests per key per 60s window.
                events 20
                window 60s
            }
        }
    
        # `route` keeps the directives inside it in the written order.
        route {
            # Custom directive; presumably hands the request to the login
            # handler -- its behaviour is not visible here.
            framer_serve login
        }
    }
  • Block things outright
    # framer_blocked_host is a custom matcher, not a core Caddy one.
    # NOTE(review): what "GetParametersByPath" selects is not visible here --
    # presumably it names where the block list is loaded from; confirm, and
    # confirm what the matcher does when that lookup fails (match or no match).
    @blocked_domains {
        framer_blocked_host "GetParametersByPath"
    }
    # Matching requests get an empty 429 and the connection is closed.
    # NOTE(review): 429 means "Too Many Requests", the same status rate limiting
    # normally returns, so outright blocks and throttled clients look alike in
    # status-code based logs and alerts. Confirm this is deliberate; 403 would
    # keep the two apart.
    handle @blocked_domains {
        respond 429 {
            close
        }
    }