Harden app security controls from audit

API.md

@@ -1,12 +1,14 @@
 # API Contract (auth-enabled)
 
 All endpoints are JSON. Most routes require the HttpOnly `player` cookie issued after register/login. Admin access is granted only via an authenticated admin user session (`IsAdmin=true` on the account).
+Auth and admin-sensitive routes are rate-limited and return HTTP `429` on excessive requests.
 
 ## Auth
-POST /api/auth/register — accepts optional `adminKey` to set `IsAdmin=true`  
+POST /api/auth/register — accepts optional `adminKey` to set `IsAdmin=true` only for bootstrap of the first admin account  
 POST /api/auth/login  
 POST /api/auth/logout
 Display names are set during registration and are immutable afterward.
+Passwords must be 8-128 chars and contain uppercase, lowercase, number, and symbol.
 
 ## State (requires auth)
 GET /api/state — returns currentPhase (for caller), votesFinal, resultsOpen, updatedAt, counts (players/suggestions/votes)  
@@ -41,3 +43,8 @@ POST /api/admin/link-suggestions — `{ sourceSuggestionId, targetSuggestionId }
 POST /api/admin/unlink-suggestions — `{ suggestionId }`; breaks links, clears votes for that group, unfinalizes **all** players  
 POST /api/admin/reset — `{ password }`; clear suggestions/votes, keep players, reset phases/vote-final flags  
 POST /api/admin/factory-reset — `{ password }`; wipe players, suggestions, votes, state
+
+## Security Defaults
+- Security headers are set on all responses (`CSP`, `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, `Permissions-Policy`).
+- In production, HTTPS redirection and HSTS are enabled.
+- Screenshot URL validation rejects private/reserved address ranges and pins outbound connections to validated public IPs.