I have a front end hosted on a shared server and an API backend hosted on a VPS. I’m looking at securing and mitigating attacks such as DDoS on front and back ends.
If I were to use Cloudflare for the front-end, then my NS will be changed and users using the address mysite.com will be directed to Cloudflare. Behind the scenes Cloudflare will communicate with my front-end host as and when needed. So my question is: can a user bypass Cloudflare and target my hosted site directly, perhaps by knowing the IP address?
Regarding the back-end, the APIs are designed to be accessed by only my front-ends. Authentication is built in but they are publicly available. Should a user discover these APIs they could attack them directly. Is there any way Cloudflare products can be used to prevent users attacking the back-end APIs?