The latest articles on DEV Community by Tested.GG (@testedgg). https://dev.to/testedgg https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3909960%2Fa02a9e35-d5e5-4518-b6c5-12bd806d521e.png https://dev.to/testedgg en Tested.GG Sun, 03 May 2026 07:52:02 +0000 https://dev.to/testedgg/bot-protection-in-sveltekit-on-cloudflare-pages-609 https://dev.to/testedgg/bot-protection-in-sveltekit-on-cloudflare-pages-609 <p>If you're running a SvelteKit app on Cloudflare Pages and your content is publicly accessible, commodity scrapers will find it eventually. Here's the protection setup we use at <a href="https://tested.gg" rel="noopener noreferrer">Tested.gg</a> - two layers, mostly free, minimal code.</p> <h2> The architecture problem first </h2> <p>If your API is behind Cloudflare Service Bindings (not publicly exposed over HTTP), scrapers can only hit your SvelteKit Pages app. That's your entire attack surface. All protection goes there, not on the API Worker.</p> <p>This matters because most bot protection tutorials target REST APIs. In a service-binding architecture, the SvelteKit SSR layer is the only thing that faces the public internet.</p> <h2> Layer 1: WAF Rate Limiting (Cloudflare Dashboard, free) </h2> <p>Cloudflare's free tier includes WAF rate limiting rules. These execute at the edge, before your Pages Worker runs, which makes them strictly faster and cheaper than application-level rate limiting.</p> <p>Dashboard &gt; Security &gt; WAF &gt; Rate limiting rules:</p> <p><strong>General page limit:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Match: URI Path starts with / Rate: 60 requests per minute per IP Action: Block (10 minutes) </code></pre> </div> <p><strong>Write endpoint limit:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Match: URI Path starts with /site AND Method = POST Rate: 10 requests per minute per IP Action: Block (1 hour) </code></pre> </div> <p>One important property: CDN cache HITs don't count against rate limiting rules because they never reach the Worker. Your thresholds only apply to cache misses - which is exactly the right behavior. A human browsing cached pages won't trip the limit; a scraper busting the cache will.</p> <h2> Layer 2: Threat Score in SvelteKit hooks </h2> <p>Cloudflare populates <code>cf.threatScore</code> on every request - a 0-100 score derived from their IP reputation database. 0 is clean, 100 is worst. It's available on every plan, for free.</p> <p>First, add <code>cf</code> to your Platform interface in <code>app.d.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">namespace</span> <span class="nx">App</span> <span class="p">{</span> <span class="kr">interface</span> <span class="nx">Platform</span> <span class="p">{</span> <span class="nl">env</span><span class="p">:</span> <span class="nx">Cloudflare</span><span class="p">.</span><span class="nx">Env</span><span class="p">;</span> <span class="nl">context</span><span class="p">:</span> <span class="p">{</span> <span class="nf">waitUntil</span><span class="p">(</span><span class="na">promise</span><span class="p">:</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">unknown</span><span class="o">&gt;</span><span class="p">):</span> <span class="k">void</span><span class="p">;</span> <span class="p">};</span> <span class="nl">caches</span><span class="p">:</span> <span class="nx">CacheStorage</span><span class="p">;</span> <span class="nl">cf</span><span class="p">?:</span> <span class="nx">IncomingRequestCfProperties</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then create a <code>bot-guard.ts</code> hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Handle</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@sveltejs/kit</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">THREAT_SCORE_THRESHOLD</span> <span class="o">=</span> <span class="mi">30</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handleBotGuard</span><span class="p">:</span> <span class="nx">Handle</span> <span class="o">=</span> <span class="p">({</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">resolve</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cf</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">platform</span><span class="p">?.</span><span class="nx">cf</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">cf</span><span class="p">)</span> <span class="k">return</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">threatScore</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">threatScore</span><span class="dl">"</span> <span class="k">in</span> <span class="nx">cf</span> <span class="o">&amp;&amp;</span> <span class="k">typeof</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">threatScore</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">number</span><span class="dl">"</span> <span class="p">?</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">threatScore</span> <span class="p">:</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">threatScore</span> <span class="o">&gt;</span> <span class="nx">THREAT_SCORE_THRESHOLD</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span> <span class="s2">`[bot-guard] Blocked: id=</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">requestId</span><span class="p">}</span><span class="s2"> ip=</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nf">getClientAddress</span><span class="p">()}</span><span class="s2"> score=</span><span class="p">${</span><span class="nx">threatScore</span><span class="p">}</span><span class="s2"> path=</span><span class="p">${</span><span class="nx">event</span><span class="p">.</span><span class="nx">url</span><span class="p">.</span><span class="nx">pathname</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="dl">"</span><span class="s2">Access denied</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">403</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text/plain</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Retry-After</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">3600</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">event</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>Wire it into <code>hooks.server.ts</code> after your platform setup, before auth or SSR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">handle</span><span class="p">:</span> <span class="nx">Handle</span> <span class="o">=</span> <span class="nf">sequence</span><span class="p">(</span> <span class="nx">handleRequestId</span><span class="p">,</span> <span class="nx">handlePlatform</span><span class="p">,</span> <span class="nx">handleBotGuard</span><span class="p">,</span> <span class="nx">handleAuth</span> <span class="p">);</span> </code></pre> </div> <p>Position matters. Block high-threat requests before spending CPU on auth token validation, database calls, or SSR rendering.</p> <h2> Why not KV-based rate limiting? </h2> <p>The common suggestion is to implement per-IP rate limiting inside the Worker using KV. Skip it:</p> <ul> <li>Dashboard WAF rules run at the edge before the Worker - strictly faster</li> <li>KV's <code>get</code> + <code>put</code> pattern is not atomic - two concurrent requests from the same IP can both read <code>count = 59</code>, both write <code>count = 60</code>, and neither gets blocked</li> <li>KV reads add latency and cost on every request</li> </ul> <p>Dashboard rules are always preferable when they're expressive enough for your use case.</p> <h2> Tuning the threshold </h2> <p>Start at <code>THREAT_SCORE_THRESHOLD = 30</code>. Monitor Workers Logs for <code>[bot-guard]</code> entries after deploying. If you see false positives (real users blocked), raise it to 40. If you see continued bot traffic, lower it to 20.</p> <p>This setup handles commodity scrapers and known-bad IPs. Sophisticated scrapers that rotate clean IPs and mimic browser behavior are a different problem - that's what Cloudflare's paid Bot Management tier is for. But for most content sites, these two layers cover the vast majority of automated traffic.</p> sveltekit cloudflare security webdev