Tags: #webdev #security #serverless #nextjs #cloudflare
The Problem: 0% Engagement and 5xx Errors
Recently, while developing my H5 game platform gamehzlab.com, I noticed a disturbing trend in GA4: 100% bounce rate and 0.0% engagement time.
Despite having nearly 2k unique visitors, the "users" were spending only 2 seconds on the site. Even worse, Google Search Console started reporting 5xx Server Errors, preventing my games from being indexed.
The Trap: Global Bot Fight Mode
My first instinct was to toggle Cloudflare's "Bot Fight Mode".
Result: It backfired.
While it stopped some bots, it also blocked my game's .wasm and .data files. The AI-based protection was too aggressive, treating large binary fetches as suspicious activity, effectively breaking the game for real players.
The Solution: Smart Tiered Defense
I shifted from "Global Blocking" to a Custom WAF Rule strategy. Here is the logic that finally balanced security and accessibility:
Targeted Challenges
Instead of challenging everyone, I targeted high-risk, low-engagement regions (e.g., specific data center hubs) and excluded verified crawlers.The "Verified Bot" Green Channel
I used the Known Bots field to ensure Googlebot and Bingbot could always reach the site, even when my manual rules were strict.Protecting the Entry Point Only
By restricting the challenge to the root path (/), I ensured that once a human passed the initial check, their browser could freely download game assets without further interruption.
Current Status: The Road to Indexing
After deploying these changes and validating the fix in GSC, 129 pages are now in the "Discovered - currently not indexed" queue with a status of "Started". This means Google has acknowledged the server is healthy again and is re-queuing the content for crawl.
Key Takeaways for Indie Devs:
Don't trust "Bot Fight Mode" blindly for asset-heavy sites (Wasm/H5 games).
Prioritize Cache Rate: My initial cache rate was only 1.33%. Boosting this via Cache Rules is the best way to shield your Vercel/Supabase origin.
Watch GA4 Engagement: If itβs 0%, you don't have a traffic problem; you have a bot problem.
Top comments (0)