In short, despite the Cloudflare plan we are using, I’d say using multiple ways and different types of available features available to us at Cloudflare dashboard.
First things first, make sure your DNS hostname for your domain (root, www, sub…) is proxied and set to .
If I may add here as a really good reference for further cases in terms of security and protection with Cloudflare from my colleague @jnperamo :
We can lock down our web host and allow only the Cloudflare to connect and similar techniques:
Well, depending on the attack type, if user-agents, crawlers, ASNs, etc., there are few I would recommend to add to your Firewall Rules, like the posted here:
Last but not the least, kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage as well in terms of Security and Protection: