docs: document endpoint rate limits and fail2ban alert log

2026-02-15 13:48:34 +01:00 · 2026-02-15 13:48:34 +01:00 · 94cac9f467
commit 94cac9f467
parent e5324edddf
2 changed files with 18 additions and 0 deletions
--- a/docs/CLOUDPANEL_SETUP.md
+++ b/docs/CLOUDPANEL_SETUP.md
@ -44,6 +44,20 @@ location /api/ {
 }
 ```

+Endpoint-spezifisch (empfohlen):
+
+```nginx
+location = /api/spot/signal {
+  limit_req zone=staysense_signal burst=3 nodelay;
+  proxy_pass http://127.0.0.1:8787/spot/signal;
+}
+
+location /api/spot/score {
+  limit_req zone=staysense_score burst=25 nodelay;
+  proxy_pass http://127.0.0.1:8787/spot/score;
+}
+```
+
 ## Security Header (empfohlen)

 ```nginx
--- a/docs/OPERATIONS.md
+++ b/docs/OPERATIONS.md
@ -50,8 +50,12 @@ sudo systemctl restart staysense-api.service
 ## Hardening Snapshot

 - API-Rate-Limit aktiv auf `/api/` (`limit_req zone=limit burst=20 nodelay`)
+- Endpoint-spezifische Limits:
+  - `/api/spot/score`: `zone=staysense_score`, `burst=25`
+  - `/api/spot/signal`: `zone=staysense_signal`, `burst=3`
 - Security Header aktiv im vHost (`CSP`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`)
 - Fail2ban Jail aktiv:
  - Name: `nginx-staysense-limitreq`
  - Log: `/home/staysense-site/logs/nginx/error.log`
  - Ban bei wiederholten Rate-Limit-Verstoessen
+  - Alarm-Log: `/var/log/staysense-security.log`