we got quite some rules on various firewall levels, yes.
global rate-limits are tricky because they then block real users easily.
do you have recommendations?
Can’t you sign something if you find the same user logged in in the browser session?
And if you find a webln, send a 1 sat instead of captcha, and if no webln, some POW?
I usually set a fairly high threshold that a normal user wouldn't likely reach in terms of number of requests. That stops most false-positives, but catches a good bit of the malicious requests that are trying to flood the site.