Update documentation with security and testing information

README.md:
- Add comprehensive API endpoint documentation with admin routes
- Update security section with detailed protections and limits
- Add rate limiting, input validation, and authentication details
- Include testing information (125+ tests, 76% coverage)
- Update technology stack with TypeScript and security features

CLAUDE.md:
- Add detailed testing coverage information
- Document security features in API endpoints section
- Update key design patterns with security-by-design and testing
- Include input validation limits and rate limiting details
- Clarify admin-only DELETE functionality

Both files now accurately reflect:
- Current security implementations
- Comprehensive test suite
- TypeScript architecture
- Rate limiting and input validation
- Admin authentication requirements

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

README.md

@@ -114,16 +114,32 @@ See `docs/deployment.md` for detailed manual deployment instructions.
 
 ## API Endpoints
 
+### Public Endpoints
 - `GET /api/locations` - Get active location reports
-- `POST /api/locations` - Submit new location report
+- `POST /api/locations` - Submit new location report (rate limited: 10/15min per IP)
 - `GET /api/config` - Get API configuration
+
+### Admin Endpoints (Authentication Required)
 - `GET /admin` - Admin panel (password protected)
+- `GET /api/admin/locations` - Get all location reports
+- `PUT /api/admin/locations/:id` - Update location report
+- `PATCH /api/admin/locations/:id/persistent` - Toggle persistent status
+- `DELETE /api/admin/locations/:id` - Delete location report
+- `GET /api/admin/profanity-words` - Manage profanity filter
+- `POST /api/admin/profanity-words` - Add custom profanity word
+- `PUT /api/admin/profanity-words/:id` - Update profanity word
+- `DELETE /api/admin/profanity-words/:id` - Delete profanity word
+
+### API Documentation
+Interactive API documentation available at `/api-docs` when running the server.
 
 ## Technology Stack
 
-- **Backend:** Node.js, Express.js, SQLite
+- **Backend:** Node.js, Express.js, SQLite, TypeScript
 - **Frontend:** Vanilla JavaScript, Leaflet.js
 - **Geocoding:** MapBox API (with Nominatim fallback)
+- **Security:** Rate limiting, input validation, authentication
+- **Testing:** Jest, TypeScript, 125+ tests with 76% coverage
 - **Reverse Proxy:** Caddy (automatic HTTPS)
 - **Database:** SQLite (lightweight, serverless)
 
@@ -137,10 +153,19 @@ See `docs/deployment.md` for detailed manual deployment instructions.
 
 ## Security
 
-- API keys are stored in environment variables
-- Admin routes are password protected
-- Database queries use parameterized statements
-- HTTPS enforced in production
+- **Authentication:** Admin routes protected with bearer token authentication
+- **Rate Limiting:** Public endpoints limited to prevent abuse (10 requests/15min per IP)
+- **Input Validation:** Strict length limits and type checking on all user inputs
+- **Data Protection:** API keys stored in environment variables only
+- **Database Security:** Parameterized queries prevent SQL injection
+- **Content Filtering:** Built-in profanity filter with custom word management
+- **HTTPS:** Enforced in production via Caddy reverse proxy
+- **Audit Logging:** Suspicious activity and abuse attempts are logged
+
+### Input Limits
+- **Address:** Maximum 500 characters
+- **Description:** Maximum 1000 characters
+- **Submissions:** 10 per 15 minutes per IP address
 
 ## License