Not sure if I communicated what I meant. I think if I was going to set up something using a headless CMS, I would integrate it with a project like React Static. When a user publishes something in the CMS, it would trigger a build of the generator that would result in putting some files out in S3 or something equivalent.

That way if you see a traffic spike or a DDoS attack, it's directed only towards static files on S3 and you can let Amazon take care of it. I don't want to be too critical of how people have things set up because I'm sure they have their reasons, but that said I don't think a page request on your site should map directly to an API request to the CMS.