diff --git a/.gitignore b/.gitignore
index 44b2c82..0bd3828 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@ helm/*.yaml
 !helm/*.sops.yaml
 !helm/*.yaml.template
 !helm/openbao-values.yaml
+!helm/openbao-middleware.yaml
 # Kubernetes manifests (no secrets) are safe to commit
 !helm/*-cluster.yaml
 !helm/*-networkpolicies.yaml
diff --git a/helm/openbao-middleware.yaml b/helm/openbao-middleware.yaml
new file mode 100644
index 0000000..52d448d
--- /dev/null
+++ b/helm/openbao-middleware.yaml
@@ -0,0 +1,38 @@
+# Traefik middlewares for OpenBao browser UI/API exposure.
+#
+# These names are referenced by helm/openbao-values.yaml as:
+# openbao-openbao-rate-limit@kubernetescrd
+# openbao-openbao-hsts@kubernetescrd
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: openbao-rate-limit
+ namespace: openbao
+ labels:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/part-of: railiance-platform
+ railiance-platform/component: secrets
+spec:
+ rateLimit:
+ # The OpenBao browser UI performs a burst of API calls on load, including
+ # repeated /v1/sys/health checks. Keep this high enough for normal admin
+ # use while still bounding runaway clients.
+ average: 600
+ period: 1m
+ burst: 180
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: openbao-hsts
+ namespace: openbao
+ labels:
+ app.kubernetes.io/name: openbao
+ app.kubernetes.io/part-of: railiance-platform
+ railiance-platform/component: secrets
+spec:
+ headers:
+ stsSeconds: 31536000
+ stsIncludeSubdomains: true
+ stsPreload: true
diff --git a/helm/openbao-values.yaml b/helm/openbao-values.yaml
index c17e81b..eaf301f 100644
--- a/helm/openbao-values.yaml
+++ b/helm/openbao-values.yaml
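Review bot: The `openbao-rate-limit` middleware sets no `sourceCriterion`, so Traefik falls back to bucketing on the request's remote address; whether that is the real client or the address of a load balancer in front of Traefik depends on how traffic reaches the cluster, and in the latter case every client shares one 600-per-minute bucket and the "bounding runaway clients" comment above `average: 600` does not hold. Worth pinning the assumption next to `rateLimit:` with a comment such as `# Keyed on the client address Traefik sees; assumes the source IP is preserved (proxy protocol / externalTrafficPolicy: Local), otherwise set sourceCriterion.ipStrategy` so it gets verified in the target environment. A similar comment belongs on `stsPreload: true` paired with `stsIncludeSubdomains: true`: asking browsers to preload is effectively a one-way, long-lived commitment (one year here via `stsSeconds: 31536000`) covering the host and everything beneath it, so it should read as deliberate rather than copied. Neither middleware authenticates anyone; the rate limit bounds request volume but is not a login brute-force control, which has to come from OpenBao's own quotas and lockout settings rather than this file.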
@@ -31,7 +31,23 @@ server:
 memory: 512Mi
 ingress:
- enabled: false
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: >-
+ openbao-openbao-rate-limit@kubernetescrd,
+ openbao-openbao-hsts@kubernetescrd
+ ingressClassName: traefik
+ pathType: Prefix
+ activeService: true
+ hosts:
+ - host: bao.coulomb.social
+ paths:
+ - /
+ tls:
+ - secretName: bao-tls
+ hosts:
+ - bao.coulomb.social
 authDelegator:
 enabled: true
diff --git a/scripts/openbao-verify-authenticated.sh b/scripts/openbao-verify-authenticated.sh
index 3ccbd85..2cf17ac 100755
--- a/scripts/openbao-verify-authenticated.sh
+++ b/scripts/openbao-verify-authenticated.sh
@@ -15,7 +15,7 @@ Usage: scripts/openbao-verify-authenticated.sh [--dry-run] [--use-token-helper]
 Runs authenticated, non-mutating OpenBao readiness checks:
 - audit list includes file/
 - secrets list includes platform/
- - auth list includes kubernetes/ and keycape/
+ - auth list includes kubernetes/, netkingdom/, and keycape/
 - audit log exists and is non-empty
 The token is read from OPENBAO_TOKEN_FILE or an interactive hidden prompt. The
@@ -130,6 +130,7 @@ Path Type
 ---- ----
 keycape/ oidc
 kubernetes/ kubernetes
+netkingdom/ oidc
 token/ token
 AUTH
 ;;
@@ -210,6 +211,7 @@ step "Auth methods"
 if auth_output="$(remote_bao "$token" auth list 2>&1)"; then
 printf '%s\n' "$auth_output"
 require_pattern "kubernetes/ auth method is visible" "$auth_output" '(^|[[:space:]])kubernetes/'
+ require_pattern "netkingdom/ auth method is visible" "$auth_output" '(^|[[:space:]])netkingdom/'
 require_pattern "keycape/ auth method is visible" "$auth_output" '(^|[[:space:]])keycape/'
 else
 printf '%s\n' "$auth_output" >&2
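Review bot: The folded `>-` value for `traefik.ingress.kubernetes.io/router.middlewares` renders as `openbao-openbao-rate-limit@kubernetescrd, openbao-openbao-hsts@kubernetescrd` with a space after the comma; unless Traefik's ingress provider trims each element when it splits the list (confirm against the version in use), the second name will not resolve and the router fails to build, so the safer form is one plain line with no space, `traefik.ingress.kubernetes.io/router.middlewares: openbao-openbao-rate-limit@kubernetescrd,openbao-openbao-hsts@kubernetescrd`. Separately, `paths:` with `- /` and `pathType: Prefix` on `bao.coulomb.social` exposes the whole OpenBao API, not only the browser UI, and the attached middlewares only rate-limit and set HSTS, so nothing in this chain restricts who can reach it. If the UI is intended for operators only, an `ipAllowList` middleware in the same chain would be the matching control; if public exposure is intended, a comment above `enabled: true` saying so would make that decision visible to the next reviewer. The enclosing `server:` mapping starts before this hunk.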