it's honestly always the front page. Then limit_req that specific page and the other comment attack URI, to a sensitive setting like 15 per second only. I may need to look into Nginx caching based on cookies. So when they are not logged in, it's...