I'm trying to conceptualize this and take the necessary precautions.. I have a company website with job openings -- there's no auth involved, each job listing has an application form that contains applicant information and resume file to be uploaded.

When submitted it calls a createCandidate action that has checks for form validation, existing candidate based on email, etc, which creates a record in the db. I then read this data in an admin dashboard / tracking system.

I want to go a step further and introduce some type of rate-limiting, bot protection. So I've been looking into arcjet and it seems like a solid solution. I guess I'm kinda looking for any input on gotchas, or other implementation that might be better suited for this situation.