diff --git a/Auto Run Docs/SpecKit-web-header-analyzer-Phase-08-Security-Operations.md b/Auto Run Docs/SpecKit-web-header-analyzer-Phase-08-Security-Operations.md
index a25100e..ab0ed78 100644
--- a/Auto Run Docs/SpecKit-web-header-analyzer-Phase-08-Security-Operations.md	
+++ b/Auto Run Docs/SpecKit-web-header-analyzer-Phase-08-Security-Operations.md	
@@ -42,7 +42,7 @@ This phase protects the analysis service from abuse with per-IP rate limiting an
 - [x] Exceeding rate limit returns HTTP 429 with Retry-After header and CAPTCHA challenge
 - [x] Solving CAPTCHA returns HMAC-signed bypass token (5-minute expiry)
 - [x] Bypass token exempts IP from rate limiting on subsequent requests
-- [ ] `GET /api/health` returns `{status, version, uptime, scannerCount}`
+- [x] `GET /api/health` returns `{status, version, uptime, scannerCount}`
 - [x] All routers and CORS middleware are registered in `main.py`
 - [ ] Application starts statelessly — no database, no session management
 - [ ] CAPTCHA modal is keyboard accessible (Tab, Enter, Escape to close)