...
To see all possible things you can configure, see implementation at /app/controllers/bot_detection_controller.rb
What paths are protected are configured here – we intend to include all search results. If you add more search results pages (alternate views of search-within collections, featured topics, etc) at new URLs, you will have to adjust this configuration to protect them!
You can configure the period and count before a challenge is triggered, and how long a ‘passed' challenge is good for before another challenge might be issued. You can configure what locations are protected by this check (those are the only locations that count for rate limit).
More sophisticatedly, we could change the buckets/keys for which rates are calculated – right now they are subnets; could instead take account of http headers, or information looked up about the client ip. We want the check to be quick though, since it happens on every request.