Implement critical security fixes from code review

LittleShop/Program.cs

@@ -54,6 +54,33 @@ builder.Services.Configure<AspNetCoreRateLimit.IpRateLimitOptions>(options =>
     options.ClientIdHeader = "X-ClientId";
     options.GeneralRules = new List<AspNetCoreRateLimit.RateLimitRule>
     {
+        // Critical: Order creation - very strict limits
+        new AspNetCoreRateLimit.RateLimitRule
+        {
+            Endpoint = "POST:*/api/orders",
+            Period = "1m",
+            Limit = 3
+        },
+        new AspNetCoreRateLimit.RateLimitRule
+        {
+            Endpoint = "POST:*/api/orders",
+            Period = "1h",
+            Limit = 10
+        },
+        // Critical: Payment creation - strict limits
+        new AspNetCoreRateLimit.RateLimitRule
+        {
+            Endpoint = "POST:*/api/orders/*/payments",
+            Period = "1m",
+            Limit = 5
+        },
+        new AspNetCoreRateLimit.RateLimitRule
+        {
+            Endpoint = "POST:*/api/orders/*/payments",
+            Period = "1h",
+            Limit = 20
+        },
+        // Order lookup by identity - moderate limits
         new AspNetCoreRateLimit.RateLimitRule
         {
             Endpoint = "*/api/orders/by-identity/*",
@@ -66,6 +93,21 @@ builder.Services.Configure<AspNetCoreRateLimit.IpRateLimitOptions>(options =>
             Period = "1m",
             Limit = 10
         },
+        // Cancel order endpoint - moderate limits
+        new AspNetCoreRateLimit.RateLimitRule
+        {
+            Endpoint = "POST:*/api/orders/*/cancel",
+            Period = "1m",
+            Limit = 5
+        },
+        // Webhook endpoint - exempt from rate limiting
+        new AspNetCoreRateLimit.RateLimitRule
+        {
+            Endpoint = "POST:*/api/orders/payments/webhook",
+            Period = "1s",
+            Limit = 1000
+        },
+        // General API limits
         new AspNetCoreRateLimit.RateLimitRule
         {
             Endpoint = "*",