# Tasks: Expand Rate Limiting

## 1. Configuration

- [x] 1.1 Define rate limit tiers in config (standard, sensitive, heavy)
- [x] 1.2 Standard: 60/minute, Sensitive: 20/minute, Heavy: 5/minute
- [x] 1.3 Add environment variable overrides for rate limits

## 2. Task API Rate Limiting

- [x] 2.1 Apply "standard" rate limit to POST /api/tasks
- [x] 2.2 Apply "standard" rate limit to PATCH /api/tasks/{id}
- [x] 2.3 Apply "heavy" rate limit to bulk task operations

## 3. Report API Rate Limiting

- [x] 3.1 Apply "heavy" rate limit to POST /api/reports/generate
- [x] 3.2 Apply "sensitive" rate limit to report export endpoints

## 4. Other Sensitive Endpoints

- [x] 4.1 Apply "sensitive" rate limit to password change endpoint (N/A - uses external auth)
- [x] 4.2 Apply "sensitive" rate limit to attachment upload
- [x] 4.3 Apply "standard" rate limit to comment creation

## 5. Response Headers

- [x] 5.1 Include X-RateLimit-Limit header in responses
- [x] 5.2 Include X-RateLimit-Remaining header
- [x] 5.3 Include X-RateLimit-Reset header

## 6. Testing

- [x] 6.1 Test rate limit enforcement
- [x] 6.2 Test rate limit reset after window
- [x] 6.3 Verify 429 Too Many Requests response
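The following is an added, self-contained example (not the project's own code) that ties the task items together: the three tiers and their per-minute limits from 1.2, environment-variable overrides (1.3; the variable names `RATE_LIMIT_<TIER>_PER_MINUTE` are an assumption), the endpoint-to-tier mapping from sections 2 to 4 (the bulk, export, upload and comment paths are assumed, since the task list does not spell them out), the three `X-RateLimit-*` headers from section 5, and the 429 response from 6.3. It uses a fixed-window counter keyed per client and per route template, with an injectable clock so the window reset (6.2) can be tested without sleeping.

```python
import os
import time
from dataclasses import dataclass, field

# Tier limits per 60-second window, as listed in task 1.2.
DEFAULT_TIERS = {"standard": 60, "sensitive": 20, "heavy": 5}
WINDOW_SECONDS = 60


def load_tiers(env=None):
    """Task 1.3: allow each tier's limit to be overridden by an environment
    variable. Variable names are an assumption for this example."""
    env = os.environ if env is None else env
    tiers = {}
    for name, default in DEFAULT_TIERS.items():
        raw = env.get(f"RATE_LIMIT_{name.upper()}_PER_MINUTE")
        tiers[name] = int(raw) if raw and raw.isdigit() else default
    return tiers


# (method, route template) -> tier, following sections 2-4. Paths marked
# "assumed" are not given in the task list.
ENDPOINT_TIERS = {
    ("POST", "/api/tasks"): "standard",
    ("PATCH", "/api/tasks/{id}"): "standard",
    ("POST", "/api/tasks/bulk"): "heavy",            # assumed path
    ("POST", "/api/reports/generate"): "heavy",
    ("GET", "/api/reports/{id}/export"): "sensitive",  # assumed path
    ("POST", "/api/attachments"): "sensitive",         # assumed path
    ("POST", "/api/tasks/{id}/comments"): "standard",  # assumed path
}


@dataclass
class Decision:
    allowed: bool
    status: int                      # 200 when allowed, 429 when limited
    headers: dict = field(default_factory=dict)


class FixedWindowLimiter:
    """Counts requests per (client, method, route) inside aligned 60 s windows.
    The route is the matched template (e.g. "/api/tasks/{id}"), which is what
    a router hands a middleware after matching, so one noisy task id cannot
    get its own bucket."""

    def __init__(self, tiers, window=WINDOW_SECONDS, clock=time.time):
        self.tiers = tiers
        self.window = window
        self.clock = clock
        self._buckets = {}  # key -> (window_start, count)

    def check(self, client_id, method, route):
        tier = ENDPOINT_TIERS.get((method, route))
        if tier is None:                 # unlisted endpoint: not rate limited
            return Decision(True, 200)
        limit = self.tiers[tier]
        now = self.clock()
        window_start = int(now // self.window) * self.window
        key = (client_id, method, route)
        start, count = self._buckets.get(key, (window_start, 0))
        if start != window_start:        # task 6.2: a new window resets the count
            start, count = window_start, 0
        reset_at = start + self.window   # X-RateLimit-Reset as epoch seconds (a convention, not a standard)

        if count >= limit:
            self._buckets[key] = (start, count)
            headers = self._headers(limit, 0, reset_at)
            headers["Retry-After"] = str(max(0, reset_at - int(now)))
            return Decision(False, 429, headers)  # task 6.3: 429 Too Many Requests

        count += 1
        self._buckets[key] = (start, count)
        return Decision(True, 200, self._headers(limit, limit - count, reset_at))

    @staticmethod
    def _headers(limit, remaining, reset_at):
        # Task 5: headers are sent on every limited endpoint's response, not only on 429.
        return {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(remaining),
            "X-RateLimit-Reset": str(reset_at),
        }


if __name__ == "__main__":
    limiter = FixedWindowLimiter(load_tiers())
    for _ in range(6):  # the 6th call to a "heavy" endpoint is rejected
        d = limiter.check("client-a", "POST", "/api/reports/generate")
        print(d.status, d.headers)
```

The `Retry-After` header is not in the task list; it is included because clients and proxies honour it on 429, whereas `X-RateLimit-Reset` has no standard meaning (some services send epoch seconds, others seconds-until-reset), so a deployment should document which one it emits. Keying the counter by client identity is what makes the "sensitive" and "heavy" tiers useful: a limit shared across all clients would let one caller exhaust the budget for everyone, which is a denial-of-service vector rather than a mitigation.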