diff --git a/sso-mfa/k8s/privacyidea/configmap.yaml b/sso-mfa/k8s/privacyidea/configmap.yaml
index 0ee2e6f..cc5685b 100644
--- a/sso-mfa/k8s/privacyidea/configmap.yaml
+++ b/sso-mfa/k8s/privacyidea/configmap.yaml
@@ -43,3 +43,8 @@ data:
 # Scripts folder for event handlers (leave default unless customising).
 PI_SCRIPT_FOLDER = "/etc/privacyidea/scripts"
+
+ # Disable response signing — sign_response crashes on GET requests with
+ # Werkzeug 3.x because request.json raises BadRequest for empty bodies.
+ # The audit keys are still used for audit log signing.
+ PI_NO_RESPONSE_SIGN = True
diff --git a/sso-mfa/k8s/privacyidea/middleware.yaml b/sso-mfa/k8s/privacyidea/middleware.yaml
index 7117a6e..cc89c29 100644
--- a/sso-mfa/k8s/privacyidea/middleware.yaml
+++ b/sso-mfa/k8s/privacyidea/middleware.yaml
@@ -13,9 +13,9 @@
 # ── Rate limit — all PI endpoints ────────────────────────────────────────────
 # Applies globally to pink.coulomb.social.
 # Primary protection for /validate/check (OTP verification) and /auth.
-# 20 requests/minute per client IP; burst of 5 allowed.
-# Adjust average/burst upward if legitimate automation (e.g. Keycloak Provider)
-# triggers false positives — or exclude the Keycloak source IP at network level.
+# 200 requests/minute average; burst of 100 to allow the ~50 parallel static
+# asset requests the AngularJS UI fires on every page load.
+# TODO: split into a tight limit for /auth+/validate and a loose one for /static.
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -26,9 +26,9 @@ metadata:
 net-kingdom/component: mfa
 spec:
 rateLimit:
- average: 20
+ average: 200
 period: 1m
- burst: 5
+ burst: 100
 ---
 # ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
 # Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
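Review bot: `PI_NO_RESPONSE_SIGN = True` switches off signing for every API response, not just the GET path that crashes, so any client that is configured to verify privacyIDEA response signatures loses that integrity check — whether it then fails closed or silently accepts unsigned responses depends on the client, so this needs confirming for the Keycloak provider that fronts this instance. The comment records the trigger but not the exit condition, so the flag reads as permanent rather than as a workaround for a Werkzeug 3.x incompatibility; if the crash really is confined to the empty-body GET case, pinning Werkzeug below 3 in the image (or taking a privacyIDEA release with the sign_response fix) is the narrower remedy and keeps signatures on the responses that carry the authentication verdict. At minimum the setting should carry its own removal criterion, e.g. `# TODO: temporary — revert once Werkzeug is pinned <3 or privacyIDEA's sign_response handles empty GET bodies; re-test GET /validate/check with signing on`. The pi.cfg block this sits in continues outside the hunk.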
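Review bot: The rewritten comment drops the `per client IP` qualifier from the old text, so it no longer states what the 200/min bucket is keyed on; no `sourceCriterion` is visible in the spec, so this is presumably Traefik's default per-remote-address bucket, and that is worth saying explicitly because a limit shared by all clients behaves very differently under attack. Suggest `# 200 requests/minute per client IP (Traefik default source criterion); burst of 100`. If the ingress sits behind another load balancer, the remote address may be the balancer's and every client would then share one bucket unless forwarded-header handling is configured — hedged, since the ingress setup is not in this diff. The old advice about allow-listing the Keycloak provider's source IP was removed along with the numbers; it is still applicable if that provider shares this ingress with browsers.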
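Review bot: Raising `average: 200` / `burst: 100` to accommodate UI static assets raises the same limit on `/validate/check` and `/auth`, which the header comment names as this middleware's primary purpose: one source can now submit 100 OTP guesses at once and roughly 200 per minute sustained, versus 5 and 20 before — a tenfold weaker brute-force bound, and (if privacyIDEA's per-token fail counter is in use) a tenfold cheaper lockout DoS against known users. The TODO already names the right fix and it should land with this change rather than after it, since this loose bucket is now the only limit on the auth endpoints. Keep this object at the previous `average: 20` / `burst: 5` (attached to the auth routes) and add a second, loose middleware attached only to the `/static` route in ingress.yaml. The Middleware's `metadata` block continues outside the hunk, so its name and labels are not visible here.
```yaml
# ── Rate limit — /static only ───────────────────────────────────────────────
# Loose bucket for the ~50 parallel asset requests per UI page load.
# Attach only to the /static route in ingress.yaml; /auth and /validate keep
# the tight limit above.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  # … name/namespace/labels following the middleware above …
spec:
  rateLimit:
    average: 200
    period: 1m
    burst: 100
```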