2026-03-17 21:29:26Claude (MCP):
[mcp] Mark security headers as deployed, separate rate limiting as remaining item
To-Do.md ..
@@ 111,8 111,10 @@
### Backup verification
No tested restore path exists. Minimal local test: pull a backup, run integrity checks on each DB, verify schema matches.
-
### Rate limiting + security headers
-
No rate limiting on any endpoint; no security response headers. Both handled in Caddy. **Plan at [[Plans/Rate_Limiting_And_Security_Headers]].** Phase 1 (headers only) can deploy immediately. Phase 2 (rate limiting) requires xcaddy rebuild with rate_limit module.
+
### Rate limiting + ~~security headers~~
+
~~No security response headers.~~ ✅ DEPLOYED (2026-03-17) — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy applied globally to all `*.robot.wtf` traffic via Caddy `(security_headers)` snippet. See [[Plans/Rate_Limiting_And_Security_Headers]].
+
+
**Rate limiting** still needed. No rate limiting on any endpoint. Plan at [[Plans/Rate_Limiting_And_Security_Headers]] Phase 2.
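Review bot: the rewritten section drops the prerequisite that the removed text recorded for Phase 2 (rate limiting requires an xcaddy rebuild with the rate_limit module), so the remaining to-do no longer says why it cannot ship as a plain Caddyfile change; keep that next to `**Rate limiting** still needed.`, e.g. `Requires xcaddy rebuild with rate_limit module before Phase 2 can deploy.` It would also help to note how the deployed headers were verified (which CSP value is live and that each `*.robot.wtf` host was checked), since a CSP applied globally through one `(security_headers)` snippet is the header most likely to need a per-app exception.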