You will have to block a bunch of hosting (ASN) on CF as well as TOR, VPNs, ETC.
Protect critical addresses with page rules such as “I’m under attack” on the appropriate pattern
and do a bunch of what’s listed here
CF had to react if you did everything right
or you have a security flaw somewhere
or you have a designed website in such a way that everything is no cache must revalidate blah blah.
you can put this in .htaccess on this hosting
so that only the CF IPs has access to the origin (if someone wants to bypass it)
#(Oxy Dac) Only Localhost and Cloudflare
Require ip 127.0.0.1
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 104.16.0.0/13
Require ip 104.24.0.0/14
Require ip 108.162.192.0/18
Require ip 131.0.72.0/22
Require ip 141.101.64.0/18
Require ip 162.158.0.0/15
Require ip 172.64.0.0/13
Require ip 173.245.48.0/20
Require ip 188.114.96.0/20
Require ip 190.93.240.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32