diff --git a/CHANGELOG.md b/CHANGELOG.md index 1133ba1..bdbb7a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,20 @@ All notable changes to the Cookie Tracker are documented in this file. --- +## 2026-02-09 (404 Fix) + +### Bugfix: Return Proper 404s for Non-Existent Routes + +**Commit:** `5074f3d` — *Return proper 404s for unmatched API routes and static files* + +**Problem**: Nessus flagged that requesting a non-existent page returned a 200 with `index.html` instead of a proper 404. The SPA catch-all (`app.get('*')`) was serving `index.html` for everything — including unmatched `/api/*` routes and non-existent static files like `/foo.js`. + +**Fix** (`server/index.js`): +- Added a `/api` catch-all after all API route mounts that returns `404 JSON` (`{"error":"Not found"}`) for any unmatched API route. When auth is enabled, unauthenticated requests to non-existent API routes return 401 (the auth middleware intercepts before the 404 handler, avoiding route enumeration). +- Modified the SPA fallback to check `path.extname(req.path)` — requests with a file extension (e.g. `/foo.js`, `/missing.css`) now return a real 404 instead of `index.html`. Only extensionless navigation requests (e.g. `/orders`, `/customers/5`) serve `index.html` for React Router. + +--- + ## 2026-02-09 (Security Hardening) ### Enhancement: Security Headers and Rate Limiting
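Review bot: the claim in the first "Fix" bullet that unauthenticated requests to unmatched `/api/*` routes get 401 instead of 404 (avoiding route enumeration) depends on the auth middleware being mounted on the `/api` prefix ahead of the new catch-all, but the entry only says the catch-all sits "after all API route mounts"; state the mount order explicitly (auth middleware, then API routers, then the 404 catch-all) so a reader can verify the enumeration property against `server/index.js` rather than infer it. The SPA-fallback bullet also deserves a caveat: `path.extname(req.path)` returns a non-empty string for any final segment containing a dot, so an extensionless navigation route such as `/customers/5.1` would now receive a 404 instead of `index.html`; either note that React Router paths must not contain dots, or mention that the check could be narrowed to known asset extensions.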