add content-hash dedup for abuse prevention

Throttle repeated submissions of identical content using SHA256 hash
tracking. Configurable via FLASKPASTE_DEDUP_WINDOW and FLASKPASTE_DEDUP_MAX.
Username
2025-12-20 03:31:20 +01:00
parent 8f9868f0d9
commit 202e927918
6 changed files with 382 additions and 1 deletions

@@ -10,6 +10,7 @@ A lightweight, secure pastebin REST API built with Flask.
- **Client certificate authentication** - Optional auth via `X-SSL-Client-SHA1` header
- **Automatic expiry** - Pastes expire after configurable period of inactivity
- **Size limits** - Configurable limits for anonymous and authenticated users
- **Abuse prevention** - Content-hash deduplication throttles repeated identical submissions
- **Security headers** - HSTS, CSP, X-Frame-Options, Cache-Control, and more
- **Request tracing** - X-Request-ID support for log correlation
- **Proxy trust validation** - Optional shared secret for defense-in-depth
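Review bot: The "Abuse prevention" bullet does not say whose submissions are counted, per client or across all submitters. If the hash count is shared, one client repeating a paste would also throttle other users who post the same content, so state the scope here or link to where it is documented.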
@@ -88,6 +89,8 @@ Configuration via environment variables:
| `FLASKPASTE_MAX_ANON` | `3145728` (3 MiB) | Max paste size for anonymous users |
| `FLASKPASTE_MAX_AUTH` | `52428800` (50 MiB) | Max paste size for authenticated users |
| `FLASKPASTE_EXPIRY` | `432000` (5 days) | Paste expiry in seconds |
| `FLASKPASTE_DEDUP_WINDOW` | `3600` (1 hour) | Dedup throttle window in seconds |
| `FLASKPASTE_DEDUP_MAX` | `3` | Max identical submissions per window |
| `FLASKPASTE_PROXY_SECRET` | (empty) | Shared secret for proxy trust validation |
## Authentication
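Review bot: The `FLASKPASTE_DEDUP_WINDOW` and `FLASKPASTE_DEDUP_MAX` rows leave the operational semantics undocumented: whether the window is fixed or sliding, whether any value disables the check, and what response a throttled client receives. Add a short paragraph below the table covering these so operators can tune the limits and clients can handle the rejection.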
@@ -164,6 +167,7 @@ flaskpaste/
- **SQL injection protection** - Parameterized queries throughout
- **Ownership enforcement** - Only owners can delete their pastes
- **Size limits** - Prevents resource exhaustion attacks
- **Abuse prevention** - Content-hash deduplication prevents spam flooding
- **Security headers** - HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Cache-Control
- **Request tracing** - X-Request-ID for log correlation and debugging
- **Proxy trust** - Optional `X-Proxy-Secret` validation to prevent header spoofing
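Review bot: The "Abuse prevention" bullet in the security list says deduplication "prevents spam flooding", which overstates the control and disagrees with the feature list wording "throttles repeated identical submissions". A SHA256 match only covers byte-identical content, so reword this bullet to match the feature list and avoid implying it replaces general rate limiting.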