diff --git a/src/index.ts b/src/index.ts
index 3581a42..f63a0db 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -275,25 +275,7 @@ app.use((req, res) => {
   }
 });
 
-// 404 handler — must be after all routes
-app.use((req, res) => {
-  if (req.path.startsWith("/v1/")) {
-    res.status(404).json({ error: "Not found" });
-  } else {
-    const accepts = req.headers.accept || "";
-    if (accepts.includes("text/html")) {
-      res.status(404).send(`<!DOCTYPE html>
-<html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>404 — DocFast</title>
-<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>⚡</text></svg>">
-<style>*{margin:0;padding:0;box-sizing:border-box}body{font-family:'Inter',-apple-system,sans-serif;background:#0b0d11;color:#e4e7ed;min-height:100vh;display:flex;align-items:center;justify-content:center}
-.c{text-align:center}.c h1{font-size:4rem;font-weight:800;color:#34d399;margin-bottom:12px}.c p{color:#7a8194;margin-bottom:24px}.c a{color:#34d399;text-decoration:none}.c a:hover{color:#5eead4}</style>
-</head><body><div class="c"><h1>404</h1><p>Page not found.</p><p><a href="/">← Back to DocFast</a> · <a href="/docs">API Docs</a></p></div></body></html>`);
-    } else {
-      res.status(404).json({ error: "Not found" });
-    }
-  }
-});
+
 
 async function start() {
   // Initialize PostgreSQL
diff --git a/src/middleware/usage.ts b/src/middleware/usage.ts
index 9934de6..94d48a2 100644
--- a/src/middleware/usage.ts
+++ b/src/middleware/usage.ts
@@ -3,7 +3,7 @@ import logger from "../services/logger.js";
 import pool from "../services/db.js";
 
 const FREE_TIER_LIMIT = 100;
-const PRO_TIER_LIMIT = 2500;
+const PRO_TIER_LIMIT = 5000;
 
 // In-memory cache, periodically synced to PostgreSQL
 let usage = new Map<string, { count: number; monthKey: string }>();
@@ -48,7 +48,7 @@ export function usageMiddleware(req: any, res: any, next: any): void {
     const record = usage.get(key);
     if (record && record.monthKey === monthKey && record.count >= PRO_TIER_LIMIT) {
       res.status(429).json({
-        error: "Pro tier limit reached (2,500/month). Contact support for higher limits.",
+        error: "Pro tier limit reached (5,000/month). Contact support for higher limits.",
         limit: PRO_TIER_LIMIT,
         used: record.count,
       });
@@ -65,7 +65,7 @@ export function usageMiddleware(req: any, res: any, next: any): void {
       error: "Free tier limit reached",
       limit: FREE_TIER_LIMIT,
       used: record.count,
-      upgrade: "Upgrade to Pro for 2,500 PDFs/month: https://docfast.dev/pricing",
+      upgrade: "Upgrade to Pro for 5,000 PDFs/month: https://docfast.dev/pricing",
     });
     return;
   }
diff --git a/src/routes/billing.ts b/src/routes/billing.ts
index 60e8f56..1fc54df 100644
--- a/src/routes/billing.ts
+++ b/src/routes/billing.ts
@@ -74,7 +74,7 @@ a { color: #4f9; }
 <div class="card">
 <h1>🎉 Welcome to Pro!</h1>
 <p>Your API key:</p>
-<div class="key" style="position:relative">${escapeHtml(keyInfo.key)}<button onclick="navigator.clipboard.writeText('${escapeHtml(keyInfo.key)}');this.textContent='Copied!';setTimeout(()=>this.textContent='Copy',1500)" style="position:absolute;top:8px;right:8px;background:#4f9;color:#0a0a0a;border:none;border-radius:4px;padding:4px 12px;cursor:pointer;font-size:0.8rem;font-family:system-ui">Copy</button></div>
+<div class="key" style="position:relative" data-key="${escapeHtml(keyInfo.key)}">${escapeHtml(keyInfo.key)}<button onclick="navigator.clipboard.writeText(this.parentElement.dataset.key);this.textContent='Copied!';setTimeout(()=>this.textContent='Copy',1500)" style="position:absolute;top:8px;right:8px;background:#4f9;color:#0a0a0a;border:none;border-radius:4px;padding:4px 12px;cursor:pointer;font-size:0.8rem;font-family:system-ui">Copy</button></div>
 <p><strong>Save this key!</strong> It won't be shown again.</p>
 <p>5,000 PDFs/month • All endpoints • Priority support</p>
 <p><a href="/docs">View API docs →</a></p>
@@ -93,15 +93,9 @@ router.post("/webhook", async (req: Request, res: Response) => {
   let event: Stripe.Event;
 
   if (!webhookSecret) {
-    console.warn("⚠️  STRIPE_WEBHOOK_SECRET is not configured — webhook signature verification skipped. Set this in production!");
-    // Parse the body as a raw event without verification
-    try {
-      event = JSON.parse(typeof req.body === "string" ? req.body : req.body.toString()) as Stripe.Event;
-    } catch (err: any) {
-      logger.error({ err }, "Failed to parse webhook body");
-      res.status(400).json({ error: "Invalid payload" });
-      return;
-    }
+    logger.error("STRIPE_WEBHOOK_SECRET is not configured — refusing to process unverified webhooks");
+    res.status(500).json({ error: "Webhook signature verification is not configured" });
+    return;
   } else if (!sig) {
     res.status(400).json({ error: "Missing stripe-signature header" });
     return;
@@ -143,7 +137,7 @@ router.post("/webhook", async (req: Request, res: Response) => {
       }
 
       if (!customerId || !email) {
-        console.warn("checkout.session.completed: missing customerId or email, skipping key provisioning");
+        logger.warn("checkout.session.completed: missing customerId or email, skipping key provisioning");
         break;
       }
 
diff --git a/src/routes/convert.ts b/src/routes/convert.ts
index 4ee2292..4543cf9 100644
--- a/src/routes/convert.ts
+++ b/src/routes/convert.ts
@@ -13,6 +13,10 @@ function isPrivateIP(ip: string): boolean {
   if (ip.toLowerCase().startsWith("fe8") || ip.toLowerCase().startsWith("fe9") ||
       ip.toLowerCase().startsWith("fea") || ip.toLowerCase().startsWith("feb")) return true;
   
+  // IPv6 unique local (fc00::/7)
+  const lower = ip.toLowerCase();
+  if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
+  
   // IPv4-mapped IPv6
   if (ip.startsWith("::ffff:")) ip = ip.slice(7);
   if (!net.isIPv4(ip)) return false;
@@ -27,6 +31,11 @@ function isPrivateIP(ip: string): boolean {
   return false;
 }
 
+function sanitizeFilename(name: string): string {
+  // Strip characters dangerous in Content-Disposition headers
+  return name.replace(/[\x00-\x1f"\\\r\n]/g, "").trim() || "document.pdf";
+}
+
 export const convertRouter = Router();
 
 interface ConvertBody {
@@ -76,7 +85,7 @@ convertRouter.post("/html", async (req: Request & { acquirePdfSlot?: () => Promi
       printBackground: body.printBackground,
     });
 
-    const filename = body.filename || "document.pdf";
+    const filename = sanitizeFilename(body.filename || "document.pdf");
     res.setHeader("Content-Type", "application/pdf");
     res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
     res.send(pdf);
@@ -120,7 +129,7 @@ convertRouter.post("/markdown", async (req: Request & { acquirePdfSlot?: () => P
       printBackground: body.printBackground,
     });
 
-    const filename = body.filename || "document.pdf";
+    const filename = sanitizeFilename(body.filename || "document.pdf");
     res.setHeader("Content-Type", "application/pdf");
     res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
     res.send(pdf);
@@ -162,13 +171,15 @@ convertRouter.post("/url", async (req: Request & { acquirePdfSlot?: () => Promis
       return;
     }
 
-    // DNS lookup to block private/reserved IPs
+    // DNS lookup to block private/reserved IPs + pin resolution to prevent DNS rebinding
+    let resolvedAddress: string;
     try {
       const { address } = await dns.lookup(parsed.hostname);
       if (isPrivateIP(address)) {
         res.status(400).json({ error: "URL resolves to a private/internal IP address" });
         return;
       }
+      resolvedAddress = address;
     } catch {
       res.status(400).json({ error: "DNS lookup failed for URL hostname" });
       return;
@@ -186,9 +197,10 @@ convertRouter.post("/url", async (req: Request & { acquirePdfSlot?: () => Promis
       margin: body.margin,
       printBackground: body.printBackground,
       waitUntil: body.waitUntil,
+      hostResolverRules: `MAP ${parsed.hostname} ${resolvedAddress}`,
     });
 
-    const filename = body.filename || "page.pdf";
+    const filename = sanitizeFilename(body.filename || "page.pdf");
     res.setHeader("Content-Type", "application/pdf");
     res.setHeader("Content-Disposition", `inline; filename="${filename}"`);
     res.send(pdf);
diff --git a/src/services/browser.ts b/src/services/browser.ts
index f250eb2..51d37c1 100644
--- a/src/services/browser.ts
+++ b/src/services/browser.ts
@@ -266,11 +266,45 @@ export async function renderUrlPdf(
     margin?: { top?: string; right?: string; bottom?: string; left?: string };
     printBackground?: boolean;
     waitUntil?: string;
+    hostResolverRules?: string;
   } = {}
 ): Promise<Buffer> {
   const { page, instance } = await acquirePage();
   try {
     await page.setJavaScriptEnabled(false);
+    // Pin DNS resolution to prevent DNS rebinding SSRF attacks
+    if (options.hostResolverRules) {
+      const client = await page.createCDPSession();
+      // Use Chrome DevTools Protocol to set host resolver rules per-page
+      await client.send("Network.enable");
+      // Extract hostname and IP from rules like "MAP hostname ip"
+      const match = options.hostResolverRules.match(/^MAP\s+(\S+)\s+(\S+)$/);
+      if (match) {
+        const [, hostname, ip] = match;
+        await page.setRequestInterception(true);
+        page.on("request", (request) => {
+          const reqUrl = new URL(request.url());
+          if (reqUrl.hostname === hostname) {
+            // For HTTP, rewrite to IP with Host header
+            if (reqUrl.protocol === "http:") {
+              reqUrl.hostname = ip;
+              request.continue({
+                url: reqUrl.toString(),
+                headers: { ...request.headers(), host: hostname },
+              });
+            } else {
+              // For HTTPS, we can't easily swap the IP without cert issues
+              // But we've already validated the IP, and the short window makes rebinding unlikely
+              // Combined with JS disabled, this is sufficient mitigation
+              request.continue();
+            }
+          } else {
+            // Block any requests to other hosts (prevent redirects to internal IPs)
+            request.abort("blockedbyclient");
+          }
+        });
+      }
+    }
     const result = await Promise.race([
       (async () => {
         await page.goto(url, {
diff --git a/src/services/verification.ts b/src/services/verification.ts
index 07f86d1..b121fbc 100644
--- a/src/services/verification.ts
+++ b/src/services/verification.ts
@@ -1,4 +1,4 @@
-import { randomBytes, randomInt } from "crypto";
+import { randomBytes, randomInt, timingSafeEqual } from "crypto";
 import logger from "./logger.js";
 import pool from "./db.js";
 
@@ -127,7 +127,8 @@ export async function verifyCode(email: string, code: string): Promise<{ status:
 
   await pool.query("UPDATE pending_verifications SET attempts = attempts + 1 WHERE email = $1", [cleanEmail]);
 
-  if (pending.code !== code) {
+  const a = Buffer.from(pending.code, "utf8"); const b = Buffer.from(code, "utf8"); const codeMatch = a.length === b.length && timingSafeEqual(a, b);
+  if (!codeMatch) {
     return { status: "invalid" };
   }