>>106312928
Here's the data from Cloudflare itself.

If you are fine with 10min downtime, 90% of L3/L4 DDoS attacks won't bother you. If you are ok with up to an hour, none of them will bother you.
You just have to make sure that you recover automatically. Not that it crashes the server and you have to manually restart.

HTTP request floods are the thing you have to worry about, because they can last for days, depending on how little is needed to put you down.
Basically, rate-limiting on the webserver level and detection of botched requests on the application level, triggering a firewall block. Which is what fail2ban or csf / lfd is for.
And don't have unreasonably expensive HTTP endpoints in the first place.
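
The detect-then-block step described in the post above, as an added example that is not part of the original post: a sliding-window counter over access-log lines that returns which client IPs to ban and when each ban expires on its own. The thresholds, the definition of a "botched" request (4xx status or malformed request line) and the log lines are assumptions constructed for illustration; the constant names mirror fail2ban's `findtime`, `maxretry` and `bantime` options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (hypothetical values, tune for your own traffic)
FINDTIME = timedelta(seconds=10)   # sliding window length
MAXRETRY = 5                       # botched requests tolerated per window
BANTIME = timedelta(minutes=10)    # ban expires automatically

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def is_botched(status, request):
    # Assumption: "botched" means a 4xx status or a request line that is
    # not of the form "METHOD path HTTP/x".
    return 400 <= status < 500 or len(request.split()) != 3

def find_bans(lines):
    """Return {ip: (banned_at, unban_at)} for IPs that exceed the threshold."""
    recent = defaultdict(deque)    # ip -> timestamps of recent botched requests
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not an access-log line, ignore
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in bans and ts < bans[ip][1]:
            continue               # still banned, firewall would drop this
        if not is_botched(int(m["status"]), m["req"]):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > FINDTIME:
            q.popleft()            # forget hits older than the window
        if len(q) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
            q.clear()
    return bans

def sample_log():
    # Constructed combined-format log lines using documentation IP ranges.
    fmt = '{ip} - - [21/Aug/2025:12:{m:02d}:{s:02d} +0000] "{req}" {st} 153 "-" "-"'
    rows = [("203.0.113.7", 0, s, "GET /x%d HTTP/1.1" % s, 404) for s in range(6)]
    rows += [("198.51.100.4", 0, s, "GET / HTTP/1.1", 200) for s in range(6)]
    rows += [("192.0.2.9", m, 0, "GET /nope HTTP/1.1", 404) for m in range(5)]
    return [fmt.format(ip=i, m=m, s=s, req=r, st=st) for i, m, s, r, st in rows]
```

On the sample, only the client sending six 404s in six seconds is banned; the client with the same number of errors spread one minute apart and the client receiving 200s are left alone.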