From 94cac9f46768e72e18f522f3c1532f026143716a Mon Sep 17 00:00:00 2001 From: Oliver G Date: Sun, 15 Feb 2026 13:48:34 +0100 Subject: [PATCH] docs: document endpoint rate limits and fail2ban alert log --- docs/CLOUDPANEL_SETUP.md | 14 ++++++++++++++ docs/OPERATIONS.md | 4 ++++ 2 files changed, 18 insertions(+) diff --git a/docs/CLOUDPANEL_SETUP.md b/docs/CLOUDPANEL_SETUP.md index 37ac9d1..81d51d0 100644 --- a/docs/CLOUDPANEL_SETUP.md +++ b/docs/CLOUDPANEL_SETUP.md @@ -44,6 +44,20 @@ location /api/ { } ``` +Endpoint-spezifisch (empfohlen): + +```nginx +location = /api/spot/signal { + limit_req zone=staysense_signal burst=3 nodelay; + proxy_pass http://127.0.0.1:8787/spot/signal; +} + +location /api/spot/score { + limit_req zone=staysense_score burst=25 nodelay; + proxy_pass http://127.0.0.1:8787/spot/score; +} +``` + ## Security Header (empfohlen) ```nginx diff --git a/docs/OPERATIONS.md b/docs/OPERATIONS.md index 668db2a..2e55583 100644 --- a/docs/OPERATIONS.md +++ b/docs/OPERATIONS.md @@ -50,8 +50,12 @@ sudo systemctl restart staysense-api.service ## Hardening Snapshot - API-Rate-Limit aktiv auf `/api/` (`limit_req zone=limit burst=20 nodelay`) +- Endpoint-spezifische Limits: + - `/api/spot/score`: `zone=staysense_score`, `burst=25` + - `/api/spot/signal`: `zone=staysense_signal`, `burst=3` - Security Header aktiv im vHost (`CSP`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`) - Fail2ban Jail aktiv: - Name: `nginx-staysense-limitreq` - Log: `/home/staysense-site/logs/nginx/error.log` - Ban bei wiederholten Rate-Limit-Verstoessen + - Alarm-Log: `/var/log/staysense-security.log`
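Review bot: in the CLOUDPANEL_SETUP.md hunk the two new `location` blocks reference `zone=staysense_signal` and `zone=staysense_score`, but the corresponding `limit_req_zone` definitions (key, rate, shared-memory size) are not shown anywhere in the patch; without them `nginx -t` rejects the vHost with an undefined-zone error, and readers also cannot tell what rate the `burst` values are relative to. Please add the two `limit_req_zone ... rate=...;` lines (they belong in the `http` context, not the vHost) next to this snippet. Two smaller points in the same hunk: the signal block uses an exact match (`location = /api/spot/signal`) while the score block uses a prefix match (`location /api/spot/score`), so the latter also catches `/api/spot/score/...` and `/api/spot/scoreboard`; make both exact or say why they differ. And because nginx selects the most specific `location`, requests to these two paths no longer pass through the existing `location /api/` block and its `zone=limit burst=20` limit; if the generic limit should still apply, add a second `limit_req zone=limit ...;` line inside each new block (multiple `limit_req` directives per location are allowed), otherwise state in the text that the endpoint-specific limit replaces the generic one.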
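Review bot: the OPERATIONS.md hunk lists the new endpoint limits with `burst` only and no rate, and adds `Alarm-Log: /var/log/staysense-security.log` without saying what writes to it (a fail2ban action? a separate script?) or how it is rotated, so an operator reading the snapshot cannot verify either. Please add the rate for each zone and a one-line note on the producer of the alert log. Also worth stating explicitly: the `nginx-staysense-limitreq` jail reads `/home/staysense-site/logs/nginx/error.log`, and the new per-endpoint zones write the same "limiting requests" error lines there as the generic zone does, so with `burst=3` on `/api/spot/signal` a client that is only slightly too fast now contributes to a ban; mention the jail's `maxretry`/`findtime` in this section so the two thresholds can be tuned together.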