Normally you are supposed to have an application firewall protecting any application server. This firewall can be before or after the web server. In that case you would run a proxy server, such as Nginx, before 4D Server, allowing 4D only to get access from this proxy, which is already protected.
This is not only true for 4D, but the normal way to work for any application server.
On the 4D side you can try to reduce impact, but only reduce.
As Keisuke wrote, you can limit the number of parallel accesses.
Don’t forget to limit the largest allowed upload. 4D by default allows 2 GB upload. Now imagine only 20 processes requesting a 2 GB upload - 40 GB RAM blocked, computer blocked…
If you don’t need large file upload, limit that to 1 MB or similar.
Then you need to check the parameters you receive for valid data and reject stupid requests.
Sorting by street name? Could take a while for non-indexed fields for large selections, so don’t allow it. And so on. You need to create a white list of allowed answers.
Looks like a lot of work? Yes, that’s normally the job of an application firewall, allowing only good requests, refusing stupid (=need too much time) requests.
If your Web server code is not yet running preemptive, you need to be even more restrictive.
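
The front-end setup described in this post, sketched as an nginx configuration. This is an added example, not part of the original post and not 4D's own configuration. It assumes 4D's web server is bound to 127.0.0.1:8080 so only the proxy can reach it; the host name, certificate paths, the `/api/customers` path, the `sort` parameter and its allowed values `name` and `city` are all constructed for illustration.

```nginx
# Constructed example: nginx as the only entry point to a 4D web server.
# Everything below except the server {} block belongs in the http {} context.

# Count concurrent connections per client address and for the whole site,
# so a handful of clients cannot occupy every 4D web process.
limit_conn_zone $binary_remote_addr zone=per_ip:10m;
limit_conn_zone $server_name        zone=per_site:10m;

# Allowlist for the (hypothetical) sort parameter: no sort, or a sort on an
# indexed field, passes; any other value is rejected before it reaches 4D.
map $arg_sort $sort_rejected {
    default 1;
    ""      0;
    name    0;
    city    0;
}

server {
    listen 443 ssl;
    server_name app.example.com;                          # placeholder
    ssl_certificate     /etc/nginx/tls/app.example.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/app.example.key;   # placeholder

    # Request bodies above 1 MB are refused with 413 by nginx itself,
    # instead of being buffered by 4D under its 2 GB default.
    client_max_body_size 1m;

    # Limits on parallel access; clients over the limit receive 429.
    limit_conn per_ip   10;
    limit_conn per_site 100;
    limit_conn_status   429;

    location /api/customers {
        # Reject sorts on fields that are not on the allowlist.
        if ($sort_rejected) { return 400; }
        proxy_pass http://127.0.0.1:8080;   # assumed 4D listener
        proxy_read_timeout 30s;             # stop waiting on slow responses
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Validate the file with `nginx -t` before reloading. The limits are starting values to tune against the number of web processes the 4D server can actually sustain.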