diff --git a/fly/nginx.conf b/fly/nginx.conf
index 089971c..570e6c9 100644
--- a/fly/nginx.conf
+++ b/fly/nginx.conf
@@ -34,6 +34,15 @@ http {
     # bucket. $http_fly_client_ip has the actual client IP.
     limit_req_zone $http_fly_client_ip zone=forge_auth:10m rate=3r/s;
 
+    # Shower-specific zone: loose enough that ~30 guests sharing a single
+    # venue-wifi NAT'd public IP can all scan the QR and load the splash
+    # (HTML + a handful of static asset hits each) without anyone tripping
+    # the limit. 50r/s + burst=200 covers the simultaneous-load spike;
+    # exploit scanners still trip it (e.g. the .env-sweeping bot we saw
+    # fired ~30 req in 2s — that pattern stays caught). See the
+    # shower.eblu.me server block for the matching `limit_req`.
+    limit_req_zone $http_fly_client_ip zone=shower_general:10m rate=50r/s;
+
     # fail2ban deny list — banned IPs are written here by fail2ban and
     # checked via the $forge_banned variable. The file is touched at
     # container start to ensure it exists.
@@ -318,8 +327,13 @@ http {
         listen 8080;
         server_name shower.eblu.me;
 
-        # General per-IP rate limit (cushion for the splash page + form posts)
-        limit_req zone=general burst=20 nodelay;
+        # Per-IP rate limit. shower_general (50r/s, burst=200) instead of
+        # the global `general` zone because at the party, guests on the
+        # venue's wifi all NAT through a single Fly-Client-IP — 30 guests
+        # scanning the QR at once would each fetch HTML + a few static
+        # assets, easily clearing 20 burst on `general`. Exploit scanners
+        # still trip it (sustained ≫ 50r/s patterns).
+        limit_req zone=shower_general burst=200 nodelay;
 
         # Image uploads from /host/'s prize cropper are ~150-300 KiB JPEGs.
         # The host page itself isn't reachable here, but /media/ reads can