Defense in depth on a nonprofit budget
The full free-tier security map — and the one architectural fact that reorders every priority on it.
This is the capstone: the whole picture, assembled from free and low tiers. Row-level security on the database. A CAPTCHA on the doors that spend money. The five free firewall rules. App-level rate limits. Cached reads on object storage. Email authentication set to reject. Anomaly alerts that name names.
The fact that reorders everything
Draw the diagram and one thing jumps out. The endpoints that cost real money — the ones that call a model or send mail — talk to the backend directly, off the CDN zone. Which means none of the edge protections actually stand in front of the things you most need to protect, until you move them.
Defense in depth is only depth if the layers are on the path the attacker takes.
Free, Pro, and Enterprise, honestly
Most of this is free and genuinely good enough. Pro buys you more firewall rules and better analytics retention. Enterprise buys you Logpush and support. Know which tier each control needs before you promise the board it is handled.