diff --git a/apps/api/src/routes/gameRouter.ts b/apps/api/src/routes/gameRouter.ts
index f65bfb6..850a146 100644
--- a/apps/api/src/routes/gameRouter.ts
+++ b/apps/api/src/routes/gameRouter.ts
@@ -2,9 +2,12 @@ import express from "express";
 import type { Router } from "express";
 import { createGame, submitAnswer } from "../controllers/gameController.js";
 import { requireAuth } from "../middleware/authMiddleware.js";
+import { gameLimiter } from "../middleware/rateLimiters.js";
 
 export const gameRouter: Router = express.Router();
 
 gameRouter.use(requireAuth);
+gameRouter.use(gameLimiter);
+
 gameRouter.post("/start", createGame);
 gameRouter.post("/answer", submitAnswer);
diff --git a/apps/api/src/routes/lobbyRouter.ts b/apps/api/src/routes/lobbyRouter.ts
index 5bd82dd..5cc24c9 100644
--- a/apps/api/src/routes/lobbyRouter.ts
+++ b/apps/api/src/routes/lobbyRouter.ts
@@ -5,10 +5,12 @@ import {
   joinLobbyHandler,
 } from "../controllers/lobbyController.js";
 import { requireAuth } from "../middleware/authMiddleware.js";
+import { lobbyLimiter } from "../middleware/rateLimiters.js";
 
 export const lobbyRouter: Router = express.Router();
 
 lobbyRouter.use(requireAuth);
+lobbyRouter.use(lobbyLimiter);
 
 lobbyRouter.post("/", createLobbyHandler);
 lobbyRouter.post("/:code/join", joinLobbyHandler);
diff --git a/documentation/backlog.md b/documentation/backlog.md
index 23bd2cc..557ef1f 100644
--- a/documentation/backlog.md
+++ b/documentation/backlog.md
@@ -108,6 +108,9 @@ Directionally right, timing is unclear. Revisit when the next/now work is done.
 - **OpenAPI documentation for REST endpoints** `[feature]`
   Document the API surface using OpenAPI/Swagger. Covers all REST endpoints with request/response shapes. Useful groundwork for the admin dashboard and any future contributors.
 
+- **Frontend tests** `[debt]`
+  component tests for QuestionCard, OptionButton, ScoreScreen; consider Playwright or Vitest browser mode for e2e
+
 ---
 
 ## changelog