diff --git a/keys.nix b/keys.nix
index 538238b..2519d61 100644
--- a/keys.nix
+++ b/keys.nix
@@ -9,10 +9,12 @@ rec {
     arda =
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAyTREGZCOzMsl7N9dp1saN/t7DCs7YesusVUKApMJ78";
     sid = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPl3/6RlR6Rvz0ZRyZukzFtt4zUYNz5OVuTsajJl7V3n";
+    alastair =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJArH3PA+bFIon0JkCVQGs9aWr45lnVjiiTLLO9BPItn";
   };
 
   roles = with keys; {
-    infra = [ st0x-op ci sid ];
-    ssh = [ st0x-op ci arda sid ];
+    infra = [ st0x-op ci sid alastair ];
+    ssh = [ st0x-op ci arda sid alastair ];
   };
 }
diff --git a/os.nix b/os.nix
index 76d0686..ae314e7 100644
--- a/os.nix
+++ b/os.nix
@@ -99,11 +99,42 @@ in {
       enable = true;
       recommendedTlsSettings = true;
       recommendedProxySettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+
+      # Rate-limit zone: 10 req/s per IP, burst 20
+      appendHttpConfig = ''
+        limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
+      '';
+
       virtualHosts."api.st0x.io" = {
         enableACME = true;
         forceSSL = true;
+
+        extraConfig = ''
+          # Security headers
+          add_header X-Content-Type-Options "nosniff" always;
+          add_header X-Frame-Options "DENY" always;
+          add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+          # Limit request body size (API payloads are small)
+          client_max_body_size 1m;
+        '';
+
+        # Block common exploit scanners (PHP, Docker, ThinkPHP, etc.)
+        locations."~* \\.(php|asp|aspx|jsp|cgi)$" = {
+          return = "444";
+        };
+        locations."~* ^/(containers|_ignition|vendor|public/index)" = {
+          return = "444";
+        };
+
         locations."/" = {
           proxyPass = "http://127.0.0.1:8000";
+          extraConfig = ''
+            limit_req zone=api burst=20 nodelay;
+            limit_req_status 429;
+          '';
         };
       };
     };