document encryption enforcement options

documentation/api.md

@@ -220,10 +220,12 @@ Password protected content
 
 **Size Limits:**
 - Minimum: disabled by default (`FLASKPASTE_MIN_SIZE`, e.g. 64 bytes for encryption enforcement)
+- Anonymous: 3 MiB (configurable via `FLASKPASTE_MAX_ANON`)
 - Authenticated: 50 MiB (configurable via `FLASKPASTE_MAX_AUTH`)
 
 ---
 
+### GET /{id}
 
 ### HEAD /{id}
 
@@ -575,6 +577,50 @@ export FLASKPASTE_MIN_ENTROPY_SIZE=256 # Only check content >= this size (defaul
 **How it works:**
 - Content is checked for magic bytes (PNG, JPEG, PDF, ZIP, etc.)
 - Content is checked for valid UTF-8 text
+- Recognized formats are rejected with 400
+- Only application/octet-stream (unrecognizable binary) is allowed
+
+**Configuration:**
+```bash
+export FLASKPASTE_REQUIRE_BINARY=1  # Reject recognizable formats (0=disabled)
+```
+
+**Response (400 Bad Request):**
+```json
+{
+  "error": "Recognizable format not allowed",
+  "detected": "text/plain",
+  "hint": "Encrypt content before uploading (-e flag in fpaste)"
+}
+```
+
+**Detected formats:**
+- `text/plain` (valid UTF-8 text)
+- `image/png`, `image/jpeg`, `image/gif`, `image/webp`
+- `application/pdf`, `application/zip`, `application/gzip`
+
+**vs Entropy enforcement:**
+| Method | Detects | False positives |
+|--------|---------|-----------------|
+| Entropy | Random-looking data | Compressed files pass |
+| Binary | No magic bytes + invalid UTF-8 | Minimal |
+
+Use both together for maximum encryption enforcement:
+```bash
+export FLASKPASTE_REQUIRE_BINARY=1
+export FLASKPASTE_MIN_ENTROPY=6.0
+export FLASKPASTE_MIN_SIZE=64
+```
+
+---
+
+## Proof-of-Work
+
+FlaskPaste includes an optional proof-of-work system to prevent automated spam.
+
+**How it works:**
+1. Client requests a challenge via `GET /challenge`
+2. Server returns a nonce, difficulty, expiry time, and signed token
 3. Client computes SHA256 hashes until finding one with enough leading zero bits
 4. Client submits paste with `X-PoW-Token` and `X-PoW-Solution` headers