add systemd service unit and rate limit headers

Systemd deployment:
- examples/flaskpaste.service with security hardening
- examples/flaskpaste.env with all config options
- README deployment section updated

Rate limit headers (X-RateLimit-*):
- Limit, Remaining, Reset on 201 and 429 responses
- Per-IP tracking with auth multiplier
- api.md documented

documentation/api.md

@@ -312,6 +312,37 @@ Password protected content
 
 | Header | Description |
 |--------|-------------|
+| `X-RateLimit-Limit` | Maximum requests per window |
+| `X-RateLimit-Remaining` | Remaining requests in current window |
+| `X-RateLimit-Reset` | Unix timestamp when window resets |
+
+These headers appear on both successful (201) and rate-limited (429) responses:
+
+```http
+HTTP/1.1 201 Created
+X-RateLimit-Limit: 10
+X-RateLimit-Remaining: 9
+X-RateLimit-Reset: 1700000060
+```
+
+```http
+HTTP/1.1 429 Too Many Requests
+Retry-After: 45
+X-RateLimit-Limit: 10
+X-RateLimit-Remaining: 0
+X-RateLimit-Reset: 1700000060
+```
+
+Rate limits are per-IP and configurable:
+- `FLASKPASTE_RATE_MAX`: Base limit (default: 10 requests/minute)
+- `FLASKPASTE_RATE_AUTH_MULT`: Multiplier for authenticated users (default: 5x)
+
+---
+
+### GET /{id}
+
+### HEAD /{id}
+
 Retrieve paste metadata. HEAD returns headers only (no body).
 
 **Request:**