diff --git a/main.go b/main.go
index b58485b..cb8d604 100644
--- a/main.go
+++ b/main.go
@@ -8,6 +8,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"sync"
 	"time"
@@ -59,6 +60,8 @@ func wsHandler(w http.ResponseWriter, r *http.Request) {
 	var buffer string
 	var lastPress time.Time
+	var messageCount int
+	startTime := time.Now()
 
 	for {
 		var keyPress KeyPress
@@ -73,6 +76,15 @@ func wsHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		lastPress = now
 
+		messageCount++
+		if messageCount > 1000 || now.Sub(startTime) > 10*time.Minute {
+			break
+		}
+
+		if len(keyPress.Key) > 1 {
+			continue
+		}
+
 		buffer += keyPress.Key
 
 		if len(buffer) > 20 {
@@ -143,11 +155,33 @@ func wsHandler(w http.ResponseWriter, r *http.Request) {
 func trollingHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Header().Set("Server", "0BSD_FOR_EVERYONE")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "DENY")
+	w.Header().Set("Referrer-Policy", "no-referrer")
 
-	fileContent, err := os.ReadFile("files/trolling.gif")
+	filePath := filepath.Clean("files/trolling.gif")
+	if !strings.HasPrefix(filePath, "files/") {
+		http.Error(w, "Forbidden", http.StatusForbidden)
+		return
+	}
+
+	fileInfo, err := os.Stat(filePath)
 	if err != nil {
 		log.Printf("Ошибка чтения файла: %v", err)
-		fileContent = []byte("Файл не найден")
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
+
+	if fileInfo.Size() > 10*1024*1024 {
+		http.Error(w, "File too large", http.StatusRequestEntityTooLarge)
+		return
+	}
+
+	fileContent, err := os.ReadFile(filePath)
+	if err != nil {
+		log.Printf("Ошибка чтения файла: %v", err)
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
 	}
 
 	base64Content := base64.StdEncoding.EncodeToString(fileContent)
@@ -157,6 +191,7 @@ func trollingHandler(w http.ResponseWriter, r *http.Request) {
 		Trolling
+
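Review bot: The new `if len(keyPress.Key) > 1 { continue }` guard in the third hunk counts bytes, not characters, so any single non-ASCII key (a Cyrillic letter, for instance, given the Russian strings elsewhere in this file) is silently dropped; if the intent is "exactly one character", `if utf8.RuneCountInString(keyPress.Key) != 1 { continue }` (with `"unicode/utf8"` added to the import block) expresses that. The 10-minute cap on `now.Sub(startTime)` is only evaluated when a message arrives, so an idle client is never disconnected by it; a read deadline (`SetReadDeadline`) on the websocket connection set before the loop would bound idle sessions as well, though the connection variable is not visible in this hunk. The `break` also leaves the loop without telling the client why, so consider sending a close message with a reason before exiting. `wsHandler` begins before and continues past these hunks; the `messageCount`/`startTime` declarations are in the preceding hunk.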
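Review bot: The `filepath.Clean`/`strings.HasPrefix` guard added to `trollingHandler` runs on a hard-coded literal, so it can never reject anything, and it introduces a platform bug: `filepath.Clean` uses the OS separator, so on Windows the result is `files\trolling.gif`, the `"files/"` prefix test fails and the handler always answers 403. Either drop the guard for a constant path, or build it as `filePath := filepath.Join("files", "trolling.gif")` and, if a request-derived name is planned later, check containment with `filepath.Rel` against the cleaned base directory instead of a string prefix. The `os.Stat` error branch maps every failure to 404, so a permission or I/O error is reported as "File not found"; `if errors.Is(err, fs.ErrNotExist)` lets you keep 404 for the missing-file case and return 500 otherwise, and since the size check is separated from the later `os.ReadFile`, opening the file once and reading through `io.LimitReader` would enforce the 10 MiB bound without the stat/read window. `trollingHandler` continues past the end of this hunk.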