It sounds to me like you are at the mercy of the bots then unfortunately. I have had literal empty websites up just to see what the bots do and within a few hours the sites are hammered with crazy bot traffic trying everything from MySQL connections, ssh, Wordpress sniffing, xss attacks, you name it. They don’t even seem to care that the site is 403 forbidden or just a blank page.

It’s the World Wide Web we live in nowadays according to my experience.

I try not to expose mine to the internet for this reason. I have it on a central server that WireGuard connects to a vps overseas, then I have it tunneled to my home server through a random port as needed for access from the net, then I block it again. All my machines sync this way with the central server, either through vpn tunnel or directly on my LAN depending on where I am.

Unless you need to showcase your code, I wouldn’t recommend exposing your instance to the internet at all. And if you have to, maybe reverse proxying it and add some monitoring and blocking software to help. Like fail2ban or the like. Good luck.