Further to this I’d agree about adding something like Cloudflare (though that often causes other issues, like with custom domain SSL verification or getting a client’s actual IP/country as the request now has to pass through an extra proxy). Definitely test it first to check it doesn’t break somthing.
I recall Fly mentioning it but I’m not sure what the current protection is: