diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf
index cf59ea47..ca7b1998 100644
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@@ -96,6 +96,21 @@ resource "kubernetes_config_map" "crowdsec_whitelist" {
 reason: "Trusted IP - never block"
 ip:
 - "176.12.22.76"
+ ---
+ name: viktor/immich-asset-paths-whitelist
+ description: "Don't penalise legit Immich timeline bursts (mobile scrub, web grid)"
+ whitelist:
+ reason: "Immich asset endpoints are auth-gated; mobile scrub legitimately bursts"
+ expression:
+ - >
+ evt.Parsed.target_fqdn == "immich.viktorbarzin.me" &&
+ (evt.Parsed.request startsWith "/api/assets/" ||
+ evt.Parsed.request startsWith "/api/timeline/" ||
+ evt.Parsed.request startsWith "/api/asset/" ||
+ evt.Parsed.request startsWith "/api/search/" ||
+ evt.Parsed.request startsWith "/api/memories" ||
+ evt.Parsed.request startsWith "/api/albums" ||
+ evt.Parsed.request startsWith "/api/activities")
 YAML
 }
 }
diff --git a/stacks/traefik/modules/traefik/middleware.tf b/stacks/traefik/modules/traefik/middleware.tf
index 9cfac0a3..2c8ae8c4 100644
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@@ -244,8 +244,8 @@ resource "kubernetes_manifest" "middleware_immich_rate_limit" {
 }
 spec = {
 rateLimit = {
- average = 500
- burst = 5000
+ average = 1000
+ burst = 20000
 }
 }
 }
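Review bot: The new `viktor/immich-asset-paths-whitelist` expression matches on host and path prefix only, so it exempts failed and unauthenticated requests to those paths as well as legitimate bursts. Repeated 401/403/404 responses under `/api/assets/` or `/api/search/` would no longer feed any scenario, even though the stated reason is that the endpoints are auth-gated. Restricting the whitelist to successful responses keeps the tolerance for real clients and leaves probing visible, for example by appending `&& evt.Parsed.status in ["200", "206", "304"]` to the expression (assuming the Traefik parser in use exposes the status under that key; confirm against a parsed event). The `crowdsec_whitelist` resource starts outside the hunk, so whether other whitelist documents already cover this cannot be seen here.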
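Review bot: The visible `rateLimit` block sets only `average` and `burst`, so the new values rely on Traefik's defaults for `period` (one second) and source criterion (the request's remote address), giving 1000 req/s sustained with a 20000-request burst per source. If the CrowdSec whitelist added in `main.tf` in this same change is deployed too, this middleware becomes the main throttle left on those Immich paths, and at these values it will rarely engage. Record the sizing rationale next to the numbers, e.g. `# sized for mobile timeline scrub; per source IP, period defaults to 1s`, and confirm that the login route is covered by a tighter limit elsewhere. If Traefik sits behind another proxy, also check that the remote address it sees is the real client, otherwise the bucket is shared by all users. The resource starts outside the hunk.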