HeadlinesBriefing.com

Cloudflare Edge Security: AI Crawl, Rate Limiting & Turnstile

DEV Community

Part 2 of this guide shifts focus to hardening applications at Cloudflare's edge. It covers three key tools: AI Crawl Control for managing bots that harvest content for training, Rate Limiting to protect APIs from abuse, and Turnstile for frictionless bot detection. The goal is blocking malicious traffic while preserving site performance and search engine visibility.

Uncontrolled AI crawling can inflate bandwidth costs and server load. Cloudflare's dashboard lets you block specific data-gathering bots while allowing essential search engines like Googlebot. For APIs, rate limiting rules stop brute-force attacks by capping requests (e.g., 10 per 10 seconds) and blocking excess traffic before it reaches your origin.

Turnstile replaces traditional CAPTCHAs with invisible or managed challenges. Setup involves creating a widget, adding a site key to your frontend, and verifying requests server-side with a secret key. When combined with security rules, it protects sensitive endpoints without frustrating real users. Together, these features create a layered defense against automated threats.