diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fe5623bd..b62f498be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -69,10 +69,12 @@ - MSW handlers: reports, announcements, feature flags, maintenance - Swagger annotations: privacy opt-out, account deletion - Unit tests: CCPA, reports, announcements, feature flags handlers +- DDoS rate limiting (SEC1-04): global 1000 req/s, per-IP 100 req/s, Redis sliding window 1s +- AdminSettingsView: SETTINGS tab in AdminDashboardView (announcements, feature flags, maintenance) ### Changed - AdminSettingsView: local state replaced by API calls for maintenance, feature flags, announcements -- AdminModerationView: mock replaced by GET /admin/reports, resolve via POST +- AdminModerationView: mock replaced by GET /admin/reports, resolve via POST; actions aligned to dismiss/warn/ban --- diff --git a/docs/API_REFERENCE.md b/docs/API_REFERENCE.md index 771a3419a..f67119e4c 100644 --- a/docs/API_REFERENCE.md +++ b/docs/API_REFERENCE.md 
@@ -709,10 +709,22 @@ Request GDPR data export. Returns 202 Accepted; export runs asynchronously. User ## Security & Compliance (v0.803) +### Security Headers (SEC1) + +All responses include: `Content-Security-Policy`, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`. In production: `Strict-Transport-Security` (HSTS). + +### DDoS Rate Limiting (SEC1-04) + +Global: 1000 req/s. Per-IP: 100 req/s. Window: 1 second. Excluded: `/health`, `/swagger`, auth endpoints. Headers: `X-RateLimit-Limit`, `X-RateLimit-Remaining`. + ### Audit Middleware All POST, PUT, DELETE requests are automatically logged to the audit service (user, action, resource, IP). Skipped paths: `/health`, `/metrics`, `/swagger`, `/api/v1/admin`. +### API Keys (DEV1) + +Alternative to Bearer token: send `X-API-Key: veza_sk_...` header. Create via `POST /developer/api-keys`. Raw key returned only on create. + ### CCPA / Sec-GPC When the client sends `Sec-GPC: 1` (Global Privacy Control), the server sets `do_not_sell=true` in context and responds with `GPC: 1`. diff --git a/docs/FEATURE_STATUS.md b/docs/FEATURE_STATUS.md index 5ee50e725..cc8932e7a 100644 --- a/docs/FEATURE_STATUS.md +++ b/docs/FEATURE_STATUS.md 
@@ -240,14 +240,22 @@ Voir [V0_703_RELEASE_SCOPE.md](V0_703_RELEASE_SCOPE.md) pour le détail. | Lot | Feature | |-----|---------| -| SEC1 | Audit middleware : auto-log POST/PUT/DELETE | +| SEC1 | Security headers : CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy | +| SEC1 | DDoS rate limiting : global 1000 req/s, per-IP 100 req/s (Redis sliding window 1s) | +| SEC2 | Audit : middleware auto-log POST/PUT/DELETE, migration audit_logs, GET /admin/audit/logs | | SEC2 | CCPA : Sec-GPC header, POST /users/me/privacy/opt-out | -| SEC3 | Account deletion : anonymisation, S3 cleanup, session revocation | -| ADM1 | Modération : reports CRUD, GET /admin/reports, POST /admin/reports/:id/resolve | -| ADM2 | Maintenance mode : middleware 503, PUT/GET /admin/maintenance | -| ADM3 | Annonces : CRUD, GET /announcements/active (public) | -| ADM4 | Feature flags : DB persistence, GET/PUT /admin/feature-flags | -| FE1 | AdminSettingsView, AdminModerationView, AnnouncementBanner connectés | +| SEC2 | Account deletion : DELETE /users/me, anonymisation, S3 cleanup, session revocation | +| DEV1 | OpenAPI/Swagger : GET /swagger/*, annotations handlers | +| DEV1 | API keys : POST/GET/DELETE /developer/api-keys, auth via X-API-Key header | +| ADM1 | Modération : reports CRUD, GET /admin/reports, POST /admin/reports/:id/resolve (dismiss, warn, ban) | +| ADM1 | Maintenance mode : middleware 503, PUT/GET /admin/maintenance | +| ADM1 | Annonces : CRUD admin, GET /announcements/active (public) | +| ADM1 | Feature flags : DB persistence, GET/PUT /admin/feature-flags | +| FE1 | AdminSettingsView (onglet SETTINGS) : maintenance, feature flags, annonces | +| FE1 | AdminModerationView : actions dismiss/warn/ban alignées backend | +| FE1 | AnnouncementBanner global, AccountSettingsDeleteCard (type DELETE to confirm) | + +Voir [V0_803_RELEASE_SCOPE.md](V0_803_RELEASE_SCOPE.md) pour le détail. ## Prévu en v0.403 (Phase 4 Commerce — suite) 
diff --git a/docs/PLAN_V0_803_IMPLEMENTATION.md b/docs/PLAN_V0_803_IMPLEMENTATION.md index dee9a1473..27d5c4d40 100644 --- a/docs/PLAN_V0_803_IMPLEMENTATION.md +++ b/docs/PLAN_V0_803_IMPLEMENTATION.md @@ -1,6 +1,6 @@ # Plan d'implémentation v0.803 — Sécurité, Compliance & Outillage Dev -**Statut** : En cours +**Statut** : Terminé **Date de création** : 2026-02-25 **Estimation révisée** : ~2 sprints (10 jours ouvrés) — réduit car beaucoup de features déjà partiellement implémentées diff --git a/docs/PROJECT_STATE.md b/docs/PROJECT_STATE.md index 3e1d36d1b..23324df5f 100644 --- a/docs/PROJECT_STATE.md +++ b/docs/PROJECT_STATE.md @@ -74,10 +74,14 @@ - Sécurité : Trivy container scanning CI ### v0.803 (Phase 8 — Sécurité, Compliance & Outillage Dev) -- Audit middleware HTTP (POST/PUT/DELETE auto-log) +- Security headers (CSP, HSTS, X-Frame-Options, etc.) +- DDoS rate limiting: global 1000 req/s, per-IP 100 req/s +- Audit middleware HTTP (POST/PUT/DELETE auto-log), GET /admin/audit/logs - CCPA Sec-GPC, opt-out endpoint - Account deletion hardening (anonymisation, S3, sessions) -- Moderation queue (reports CRUD) +- Moderation queue (reports CRUD, actions dismiss/warn/ban) +- Maintenance mode, announcements, feature flags +- AdminSettingsView (onglet SETTINGS) : maintenance, feature flags, annonces - Maintenance mode (503, admin toggle) - Announcements CRUD, GET /announcements/active - Feature flags DB persistence
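Review bot: In the CHANGELOG.md hunk, the new "Added" entry for rate limiting says "Redis sliding window 1s" while the API_REFERENCE.md hunk in this same patch says only "Window: 1 second"; pick one wording for both, and say explicitly whether the limiter is a sliding window or a fixed 1 s bucket, because at "per-IP 100 req/s" that distinction decides how large a burst gets through. The same hunk lists AdminSettingsView under "Added" ("SETTINGS tab in AdminDashboardView") and under "Changed" ("local state replaced by API calls"); one entry is enough.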
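Review bot: In the API_REFERENCE.md hunk, "DDoS Rate Limiting (SEC1-04)" excludes "auth endpoints" from the limiter, so login and token endpoints become the one place where request rate is unlimited; if a separate brute-force or credential-stuffing limiter covers them, document it here, otherwise do not exclude them. The section should also state the rejection response (HTTP 429 and whether `Retry-After` accompanies `X-RateLimit-Limit` / `X-RateLimit-Remaining`) and how the client IP is derived behind a reverse proxy (which `X-Forwarded-For` hops are trusted), since a per-IP limit keyed on the proxy address throttles every user at once. Under "Security Headers (SEC1)", "All responses include" names `Content-Security-Policy`, `Referrer-Policy` and `Permissions-Policy` without their values and gives HSTS without `max-age`; a reader cannot tell what the policies allow, and if the CSP sets `frame-ancestors` it overrides `X-Frame-Options: DENY`, so that should be stated. Under "API Keys (DEV1)", say whether an `X-API-Key` carries the same permissions as the owning user's Bearer token and that only a hash of the key is stored server-side, which "Raw key returned only on create" implies but does not state.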
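Review bot: In the FEATURE_STATUS.md hunk the lot identifiers are renumbered (audit moves from SEC1 to SEC2, account deletion from SEC3 to SEC2, maintenance/announcements/feature flags from ADM2, ADM3 and ADM4 to ADM1), while the CHANGELOG.md and API_REFERENCE.md hunks still tag rate limiting as "SEC1-04"; check that the SEC1-04 sub-numbering matches the new table and that no other doc still refers to SEC3 or ADM2 to ADM4. The new SEC2 row lists "GET /admin/audit/logs", but no such endpoint appears in the API_REFERENCE.md hunk of this patch; add it there (authentication, query parameters, response shape). The added link to V0_803_RELEASE_SCOPE.md assumes that file exists; it is not part of this patch.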
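Review bot: In the PROJECT_STATE.md hunk the added line "Maintenance mode, announcements, feature flags" duplicates the three unchanged lines that follow it ("Maintenance mode (503, admin toggle)", "Announcements CRUD, GET /announcements/active", "Feature flags DB persistence"); drop the new summary line or fold the three into it. The added "Security headers (CSP, HSTS, X-Frame-Options, etc.)" should list the full set the FEATURE_STATUS.md hunk gives, so the two state files do not drift. In PLAN_V0_803_IMPLEMENTATION.md the status flips from "En cours" to "Terminé" with no completion date, while the file still carries "Date de création" and a sprint estimate; add the completion date beside the status.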