diff --git a/notes/0000-how-this-was-built.md b/notes/0000-how-this-was-built.md index d71e44d..efa03a8 100644 --- a/notes/0000-how-this-was-built.md +++ b/notes/0000-how-this-was-built.md @@ -150,17 +150,33 @@ data: log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /var/log/nginx/access.log main; + + limit_req_zone $binary_remote_addr zone=req_limit_per_ip:1m rate=1r/s; + server { listen 80; server_name vlads-notes.jumpingcrab.com; root /www/data; index index.html; error_page 404 /404.html; + server_tokens off; include mime.types; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; + add_header X-XSS-Protection "1; mode=block"; + add_header Referrer-Policy "no-referrer-when-downgrade"; + + location ~ /\. { + deny all; + access_log off; + log_not_found off; + } + location / { + limit_req zone=req_limit_per_ip burst=5 nodelay; try_files $uri $uri.html $uri/ =404; } } 
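Review bot: The four `add_header` lines added to the `server` block lack the `always` parameter, so nginx attaches them only to a fixed set of success and redirect codes. The `/404.html` error page, the 403 from the new dotfile `location` and any `limit_req` rejection therefore go out without them; write each as e.g. `add_header X-Content-Type-Options nosniff always;`. Server-level `add_header` is also inherited only while no `location` declares its own, which deserves a short comment beside the headers. Separately, `limit_req_zone` keys on `$binary_remote_addr` while the log format records `$http_x_forwarded_for`, which suggests a proxy or ingress may sit in front; if so, every visitor shares one 1r/s bucket, so confirm the client address is restored first (e.g. `set_real_ip_from TRUSTED_PROXY_CIDR; real_ip_header X-Forwarded-For;`, placeholder CIDR). The enclosing config block starts before this hunk, so this is based on the visible lines only.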
@@ -281,4 +297,4 @@ jobs: #### Troubleshooting Compared to Gitlab CI, I think Actions is simpler to use but it has its quirks - the main difficulty I found was around sharing artifacts between jobs. The latest (v4) upload-artifact and download-artifact actions are not supported for some reason, so I had to rely on the deprecated v3 version. -Aside from that I encountered some issues with "kubectl cp" command as it could not preserve the original file permissions when copying the Quartz files into the PVC - I had to copy them to a temp location and change their ownership to UID 1000 and GID 1000 as the NFS PVC did not allow files owned by root (UID 0, GID 0). \ No newline at end of file +Aside from that I encountered some issues with "kubectl cp" command as it could not preserve the original file permissions when copying the Quartz files into the PVC - I had to copy them to a temp location and change their ownership to UID 1000 and GID 1000 as the NFS PVC did not allow files owned by root (UID 0, GID 0).