add content-hash dedup for abuse prevention

Throttle repeated submissions of identical content using SHA256 hash
tracking. Configurable via FLASKPASTE_DEDUP_WINDOW and FLASKPASTE_DEDUP_MAX.

documentation/api.md

@@ -129,6 +129,7 @@ Content-Type: application/json
 | 413 | Paste too large |
 | 429 | Duplicate content rate limit exceeded |
 
+**Size Limits:**
 - Anonymous: 3 MiB (configurable via `FLASKPASTE_MAX_ANON`)
 - Authenticated: 50 MiB (configurable via `FLASKPASTE_MAX_AUTH`)
 
@@ -254,6 +255,41 @@ Pastes expire based on last access time (default: 5 days).
 
 ## Abuse Prevention
 
+FlaskPaste includes content-hash based deduplication to prevent spam and abuse.
+
+**How it works:**
+- Each paste's SHA256 content hash is tracked
+- Repeated submissions of identical content are throttled
+- After exceeding the threshold, further duplicates are rejected with 429
+
+**Default limits:**
+- Window: 1 hour (`FLASKPASTE_DEDUP_WINDOW`)
+- Maximum: 3 identical submissions per window (`FLASKPASTE_DEDUP_MAX`)
+
+**Response (429 Too Many Requests):**
+```json
+{
+  "error": "Duplicate content rate limit exceeded",
+  "count": 3,
+  "window_seconds": 3600
+}
+```
+
+**Configuration:**
+```bash
+export FLASKPASTE_DEDUP_WINDOW=3600  # Window in seconds (default: 1 hour)
+export FLASKPASTE_DEDUP_MAX=3        # Max duplicates per window (default: 3)
+```
+
+**Notes:**
+- Different content is not affected by other content's limits
+- Counter resets after the window expires
+- Hash records are cleaned up periodically
+
+---
+
+## Error Response Format
+
 All errors return JSON:
 
 ```json