
Syrax Operations · Mission Experiments

Experiment 03 — Edge Security Controls

This experiment applies targeted Cloudflare edge controls to reduce automated scanning and bot noise on a static site, while preserving normal user access and minimizing false positives.

Date

14 Dec 2025

Status

Completed

Focus

Edge Security & Abuse Mitigation

Objective

Reduce automated scanning and bot noise at the CDN edge using targeted Cloudflare controls while preserving normal user access.

Setup


  • Static site deployed on Cloudflare Pages (Free plan).
  • Cloudflare Security Insights used to establish a baseline.
  • Bot Fight Mode enabled for automated bot mitigation.
  • Custom firewall rules created to block common automated scan paths and restrict .well-known access.
  • Strict browser security headers enforced via a custom _headers file.
  • Validation performed using Nikto, OWASP ZAP (passive), and manual request testing.
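
The _headers control above can be checked before each deploy. The following is an added example, not part of the original experiment: a small parser for the Cloudflare Pages _headers format that reports required headers missing from the catch-all block, a weak CSP, and per-path detach rules. The REQUIRED set, the function names and the sample file are assumptions, since the write-up does not list its headers.

```python
# Assumed baseline: the write-up does not list the headers it enforces.
REQUIRED = ("content-security-policy", "x-content-type-options",
            "x-frame-options", "referrer-policy", "permissions-policy")

def parse_headers_file(text):
    """Parse _headers text into {path_pattern: {header_lower: value or None}}.
    Unindented line = path block; indented 'Name: value' lines belong to it.
    '! Name' detaches a header for that path and is stored as None."""
    rules, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        if not raw[0].isspace():                  # new path pattern
            current = rules.setdefault(line, {})
        elif current is None:
            raise ValueError(f"line {lineno}: header before any path pattern")
        elif line.startswith("!"):
            current[line[1:].strip().lower()] = None
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"line {lineno}: expected 'Name: value'")
            current[name.strip().lower()] = value.strip()
    return rules

def audit(text, catch_all="/*"):
    """Return findings: headers missing site-wide, weak CSP, detach rules."""
    rules = parse_headers_file(text)
    base = rules.get(catch_all, {})
    findings = [f"{catch_all}: missing {h}" for h in REQUIRED if not base.get(h)]
    csp = base.get("content-security-policy") or ""
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(f"{catch_all}: CSP allows unsafe-inline or unsafe-eval")
    for path, hdrs in rules.items():
        findings += [f"{path}: detaches {h}" for h in REQUIRED
                     if h in hdrs and hdrs[h] is None]
    return findings

# Constructed sample, not the site's real file.
SAMPLE = """\
/*
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: no-referrer
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
/assets/*
  ! X-Frame-Options
"""
```

Calling audit(SAMPLE) returns three findings; an empty list means the file meets the assumed baseline.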

Methodology

1. Baseline

Cloudflare Security Insights and analytics were reviewed to understand existing exposure, common request paths, and automated traffic patterns before applying any controls.

2. Apply Controls

Targeted edge controls were enabled, including Bot Fight Mode and custom firewall rules to block common automated scan paths and restrict access to non-essential endpoints.

3. Validate

Controls were validated using a combination of automated scanning tools (Nikto, OWASP ZAP passive scan) and manual request testing to confirm that mitigations were effective without impacting legitimate access.

Observations

After applying edge controls, automated requests to non-existent and irrelevant paths were observed and blocked without impacting normal browsing. Firewall events confirmed repeated probing of restricted endpoints, validating that the controls were effective while producing no false positives.

Trade-offs & Context

The controls implemented in this experiment are intentionally conservative for a static website with no backend or authenticated functionality. While not strictly necessary for this deployment, they reflect standard defensive practices commonly applied to dynamic, client–server applications.

Applying these controls in a low-risk environment provided a safe way to understand their behavior, limitations, and potential impact without exposing sensitive systems.

Next Steps


  • Monitor firewall and bot events over a longer period to identify trends.
  • Refine rules if false positives or new scanning patterns emerge.
  • Extend validation to performance and accessibility impacts of security controls.