diff --git a/nginx/posterg.conf b/nginx/posterg.conf
index 669628c..7d14ba9 100644
--- a/nginx/posterg.conf
+++ b/nginx/posterg.conf
@@ -6,7 +6,10 @@
 # Rate limiting zones
 limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
 limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
-limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
+# Admin: already protected by HTTP Basic Auth; rate limiting here only guards
+# against brute-force on the auth layer, not normal browsing.
+# 60r/m = 1r/s sustained, burst=20 covers rapid page navigation.
+limit_req_zone $binary_remote_addr zone=admin:10m rate=60r/m;
 
 # Main server block
 server {
@@ -118,7 +121,7 @@ server {
 auth_basic_user_file /etc/nginx/.htpasswd-posterg;
 
 # Rate limiting for admin
-limit_req zone=admin burst=5 nodelay;
+limit_req zone=admin burst=20 nodelay;
 
 # Content-Security-Policy - Tighter policy for admin
 add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
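Review bot: The new comment in the first hunk says the admin zone exists to guard the Basic Auth layer against brute-force, yet the same hunk raises the zone from 10r/m to 60r/m and the second hunk raises burst from 5 to 20 with nodelay, so a single source address can now make 20 immediate attempts and then one per second indefinitely, which is six times the previous allowance. limit_req cannot distinguish a failed credential guess from an authenticated page view, so if the looser limit is needed for navigation the comment should not claim the limit is the brute-force control; I would reword it to `# Admin: Basic Auth in front. This zone only slows per-IP credential guessing (60r/m, burst=20); blocking repeated 401s must come from a separate control.` and keep the shared 10r/m zone if no such control exists. Whether `$binary_remote_addr` is the real client address depends on any proxy in front of nginx, which is not visible here.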