Also open browser DevTools → Console on the wiki to confirm no CSP violations are logged.
-
## Phase 2: Rate Limiting (requires xcaddy)
+
## Phase 2: Rate Limiting
### The problem
-
Standard Caddy Debian package has no rate limiting module. Need to build with `xcaddy build --with github.com/mholt/caddy-ratelimit`.
+
Standard Caddy Debian package has no rate limiting module. `caddy add-package` is not viable (doesn't survive `apt upgrade`, slated for removal from Caddy core). Instead, rate limiting is split across layers:
+
+
- **Flask-Limiter** in the app for per-route, per-IP limits (login, OAuth, API)
+
- **fail2ban** on proxy-1 for reactive IP banning after auth failures (already running)
+
- **nftables** as a volumetric DoS backstop (optional, future)
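Review bot: the replacement paragraph under the unchanged `### The problem` heading now describes the chosen design (the three-layer split) rather than the problem, so the heading no longer matches its body; keep "The problem" to the first sentence ("Standard Caddy Debian package has no rate limiting module.") and move the `caddy add-package` rationale and the bullet list under a new `### The approach` heading. Two smaller points on the same lines: the claim that `caddy add-package` is "slated for removal from Caddy core" should link the Caddy issue or release note it comes from, since the whole phase now rests on it; and because Flask-Limiter's per-IP limits run behind proxy-1, the doc should state that the app keys on the forwarded client address (and trusts only proxy-1 for it), otherwise every request is counted against the proxy's own IP and the per-IP limits are meaningless.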