diff --git a/CHANGELOG.md b/CHANGELOG.md index e04c397..1133ba1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,31 @@ All notable changes to the Cookie Tracker are documented in this file. --- +## 2026-02-09 (Security Hardening) + +### Enhancement: Security Headers and Rate Limiting + +**Commit:** `a4ef21d` — *Add security headers via helmet and improve rate limiting* + +Added `helmet` and `express-rate-limit` packages to harden the application against common web vulnerabilities flagged by security scanners (e.g. Nessus). + +**Server** (`server/index.js`): +- Added `helmet()` middleware before all routes. This sets security headers: `Content-Security-Policy`, `X-Content-Type-Options: nosniff`, `X-Frame-Options: SAMEORIGIN`, `Strict-Transport-Security`, `Referrer-Policy: no-referrer`, and removes `X-Powered-By`. +- Added a global API rate limiter on `/api` — 100 requests per minute per IP — using `express-rate-limit`. Returns standard `RateLimit-*` headers. + +**Server** (`server/routes/auth.js`): +- Removed the hand-rolled in-memory rate limiter (~25 lines): `loginAttempts` Map, `isRateLimited()`, `recordAttempt()` functions, and per-request IP tracking/recording. +- Replaced with a dedicated `express-rate-limit` instance applied as middleware on the `POST /login` route: 5 attempts per minute per IP. Same behavior, cleaner implementation. + +**Already solid (no changes needed):** +- Session cookies: httpOnly, SameSite=lax, Secure in production +- HMAC signing with timing-safe comparison +- CSRF: SameSite=lax (the `csurf` package is deprecated) +- SQL injection: parameterized queries throughout +- XSS: React escapes output + +--- + ## 2026-02-09 (README Fix) ### Fix: Clone URL in Deployment Instructions
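Review bot: the two `express-rate-limit` instances described here are keyed per IP, i.e. on `req.ip`, and nothing in this hunk mentions `app.set('trust proxy', ...)` in `server/index.js`; if the app sits behind a reverse proxy (the deployment a Nessus scan implies), every client resolves to the proxy's address and the 100 requests/minute `/api` limit becomes a single shared bucket, while setting `trust proxy` to `true` lets a client spoof `X-Forwarded-For` to escape the 5 attempts/minute login limit, so document the exact `trust proxy` value alongside the limiter entry. "Same behavior, cleaner implementation" for the `POST /login` limiter only holds if the removed `recordAttempt()` counted every request rather than failed logins; `express-rate-limit` counts all hits by default, so if the old code tracked failures only, add `skipSuccessfulRequests: true` or amend the entry. Both limiters also use the in-memory store, so limits reset on restart and are not shared across instances, which the changelog should state rather than leaving readers to assume the scanner finding is fully closed. Under "Already solid", the line `CSRF: SameSite=lax (the csurf package is deprecated)` overstates the protection: Lax still sends the cookie on top-level GET navigations, so any state-changing GET route remains exposed, and `csurf` being deprecated is not a reason to drop token or Origin-header checks on state-changing routes. Minor: helmet's default Content-Security-Policy is `default-src 'self'` with no `'unsafe-inline'`, so confirm the React build's inline scripts and styles still load before calling the CSP entry done.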