diff --git a/README.md b/README.md index 518faff..fedf4a6 100644 --- a/README.md +++ b/README.md @@ -455,8 +455,10 @@ Periodic `TLS/TCP socket error: Connection reset by peer` in coturn logs. Normal ### Hardening - [x] Rate limiting - [x] E2EE on all rooms (except Spam and Stuff — intentional for hookshot) -- [x] coturn internal peer deny rules (blocks relay to RFC1918 except allowed subnet) +- [x] coturn internal peer deny rules (blocks relay to RFC1918; `allowed-peer-ip` scoped to 10.10.10.29 only — LiveKit host) +- [x] coturn TCP relay disabled (`no-tcp-relay=true`) — UDP only, reduces internal network SSRF risk - [x] coturn hardening: `stale-nonce=600`, `user-quota=100`, `total-quota=1000`, strong cipher list +- [x] `rc_joins` and `rc_invites` rate limits explicitly set in homeserver.yaml - [x] `pg_hba.conf` locked down — remote access restricted to Synapse LXC only - [x] Federation open with key verification - [x] fail2ban on Synapse login endpoint (5 retries / 24h ban)
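Review bot: The new `rc_joins` and `rc_invites` line says the limits are "explicitly set" but does not record what they are, unlike the coturn item just above it which quotes `stale-nonce=600`, `user-quota=100` and `total-quota=1000`; suggest quoting the configured values from homeserver.yaml here as well (the Synapse keys are `per_second` and `burst_count` under `rc_joins.local`/`rc_joins.remote`, and `per_room`/`per_user`/`per_issuer` under `rc_invites`) so the checklist can be verified against the running config. Also, the `no-tcp-relay=true` line credits the TCP relay change with reducing internal-network SSRF risk, but what actually blocks relaying to RFC1918 is the deny rule on the preceding line; disabling TCP relay only removes the RFC 6062 TCP relay path, and UDP relay to the `allowed-peer-ip` host 10.10.10.29 remains, so wording it as "removes the TCP relay path; internal relay is governed by the deny rules above" would describe the control more accurately.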