I would like to suggest adding the ability to set your own header for http requests from mobile devices.
After reading this thread, I realized that the best protection right now is VPN.
But having a VPN on all the time for the sake of HA is such a shame…
And let’s be honest IP ban is not the solution.
A custom header will allow to drop traffic on balancer (haproxy, nginx), which will give some kind of 99% security with https traffic of course.
I think adding the ability to connect your own header in the http client in mobile apps is not the hardest task.