diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 37da0fcf9..9063a1f42 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,15 +1,12 @@
 FROM benefits_client:latest
 
 # install devcontainer requirements
-COPY .devcontainer/requirements.txt .devcontainer/requirements.txt
-RUN pip install -r .devcontainer/requirements.txt
+RUN pip install -e .[dev,test]
 
+# docs requirements are in a separate file for the GitHub Action
 COPY docs/requirements.txt docs/requirements.txt
 RUN pip install -r docs/requirements.txt
 
-COPY tests/pytest/requirements.txt tests/pytest/requirements.txt
-RUN pip install -r tests/pytest/requirements.txt
-
 # install pre-commit environments in throwaway Git repository
 # https://stackoverflow.com/a/68758943
 COPY .pre-commit-config.yaml .
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 555a41401..8f192c4a0 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -20,6 +20,7 @@
       },
       // Add the IDs of extensions you want installed when the container is created.
       "extensions": [
+        "bungcip.better-toml",
         "batisteo.vscode-django",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
         "eamodio.gitlens",
diff --git a/.devcontainer/requirements.txt b/.devcontainer/requirements.txt
deleted file mode 100644
index adb07efea..000000000
--- a/.devcontainer/requirements.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-black
-djlint
-flake8
-pre-commit
diff --git a/.dockerignore b/.dockerignore
index 5ea37e022..c4198b1d4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -5,3 +5,4 @@
 .flake8
 .*ignore
 *.db
+*.egg-info
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 39db2af14..96c61c651 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,7 +6,7 @@
 version: 2
 updates:
   - package-ecosystem: "pip"
-    directory: "/appcontainer" # main requirements.txt
+    directory: "/" # pyproject.toml
     schedule:
       interval: "daily"
     commit-message:
diff --git a/.github/workflows/labeler-deploy-dev.yml b/.github/workflows/labeler-deploy-dev.yml
index f2e34da5f..b2441c058 100644
--- a/.github/workflows/labeler-deploy-dev.yml
+++ b/.github/workflows/labeler-deploy-dev.yml
@@ -5,11 +5,11 @@ on:
     branches: [dev]
     types: [opened]
     paths:
-      - '.github/workflows/deploy-*.yml'
-      - 'benefits/**'
-      - 'bin/**'
+      - ".github/workflows/deploy-*.yml"
+      - "benefits/**"
+      - "bin/**"
       - Dockerfile
-      - requirements.txt
+      - pyproject.toml
 
 jobs:
   label-deployment-dev:
diff --git a/.github/workflows/tests-pytest.yml b/.github/workflows/tests-pytest.yml
index 120883142..84b4a9f58 100644
--- a/.github/workflows/tests-pytest.yml
+++ b/.github/workflows/tests-pytest.yml
@@ -18,10 +18,10 @@ jobs:
         with:
           python-version-file: .github/workflows/.python-version
           cache: pip
-          cache-dependency-path: "**/requirements.txt"
+          cache-dependency-path: "**/pyproject.toml"
 
       - name: Install Python dependencies
-        run: pip install -r appcontainer/requirements.txt -r tests/pytest/requirements.txt
+        run: pip install -e .[test]
 
       - name: Run setup
         run: ./bin/init.sh
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index acd12a620..cdd00d11b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -34,7 +34,7 @@ repos:
         args: ["--maxkb=1500"]
 
   - repo: https://github.com/psf/black
-    rev: 23.1.0
+    rev: 23.3.0
     hooks:
       - id: black
         types:
@@ -61,6 +61,6 @@ repos:
         types_or: [javascript, css]
 
   - repo: https://github.com/Riverside-Healthcare/djLint
-    rev: v1.19.16
+    rev: v1.23.0
     hooks:
       - id: djlint-django
diff --git a/appcontainer/Dockerfile b/appcontainer/Dockerfile
index 8165f5938..4aa3cf9df 100644
--- a/appcontainer/Dockerfile
+++ b/appcontainer/Dockerfile
@@ -1,15 +1,19 @@
 FROM ghcr.io/cal-itp/docker-python-web:main
 
-# install python dependencies
-COPY appcontainer/requirements.txt requirements.txt
-RUN pip install -r requirements.txt
+# upgrade pip
+RUN python -m pip install --upgrade pip
 
-# copy Django utility script
-COPY manage.py manage.py
+# overwrite default nginx.conf
+COPY appcontainer/nginx.conf /etc/nginx/nginx.conf
+COPY appcontainer/proxy.conf /home/calitp/run/proxy.conf
 
 # copy source files
-COPY bin/ bin/
-COPY benefits/ benefits/
+COPY manage.py manage.py
+COPY bin bin
+COPY benefits benefits
+COPY pyproject.toml pyproject.toml
+
+RUN pip install -e .
 
 # ensure $USER can compile messages in the locale directories
 USER root
diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
new file mode 100644
index 000000000..d85fb2b7f
--- /dev/null
+++ b/appcontainer/nginx.conf
@@ -0,0 +1,92 @@
+worker_processes auto;
+error_log stderr warn;
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections 1024;
+  accept_mutex on;
+}
+
+http {
+  include mime.types;
+  default_type application/octet-stream;
+  sendfile on;
+  gzip on;
+  keepalive_timeout 5;
+
+  log_format main '[$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for"';
+  access_log /dev/stdout main;
+
+  upstream app_server {
+    # fail_timeout=0 means we always retry an upstream even if it failed
+    # to return a good HTTP response
+    server unix:/home/calitp/run/gunicorn.sock fail_timeout=0;
+  }
+
+  # maps $binary_ip_address to $limit variable if request is of type POST
+  map $request_method $limit {
+    default         "";
+    POST            $binary_remote_addr;
+  }
+
+  # define a zone with 10mb memory, rate limit to 12 requests/min (~= 1 request/5 seconds) on applied locations
+  # $limit will eval to $binary_remote_addr for POST requests using the above map
+  # requests with an empty key value (e.g. GET) are not affected
+  # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone
+  limit_req_zone $limit zone=rate_limit:10m rate=12r/m;
+
+  server {
+    listen 8000;
+
+    keepalive_timeout 65;
+
+    # 404 known scraping path targets
+    # case-insensitive regex matches the given path fragment anywhere in the request path
+    location ~* /(\.?git|api|app|assets|ats|bootstrap|bower|cgi|content|credentials|docker|doc|env|example|swagger|web) {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    # 404 known scraping file targets
+    # case-insensitive regex matches the given file extension anywhere in the request path
+    location ~* /.*\.(asp|axd|cgi|com|env|json|php|xml|ya?ml) {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    location /favicon.ico {
+      access_log off;
+      log_not_found off;
+      expires 1y;
+      add_header Cache-Control public;
+    }
+
+    # path for static files
+    location /static/ {
+      alias /home/calitp/app/static/;
+      expires 1y;
+      add_header Cache-Control public;
+    }
+
+    location / {
+      # checks for static file, if not found proxy to app
+      try_files $uri @proxy_to_app;
+    }
+
+    # apply rate limit to these paths
+    # case-insensitive regex matches path
+    location ~* ^/(eligibility/confirm)$ {
+        limit_req zone=rate_limit;
+        include /home/calitp/run/proxy.conf;
+    }
+
+    # app path
+    location @proxy_to_app {
+      include /home/calitp/run/proxy.conf;
+    }
+  }
+}
diff --git a/appcontainer/proxy.conf b/appcontainer/proxy.conf
new file mode 100644
index 000000000..a4e310387
--- /dev/null
+++ b/appcontainer/proxy.conf
@@ -0,0 +1,8 @@
+# the core app proxy directives
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $http_host;
+# we don't want nginx trying to do something clever with
+# redirects, we set the Host: header above already.
+proxy_redirect off;
+proxy_pass http://app_server;
diff --git a/appcontainer/requirements.txt b/appcontainer/requirements.txt
deleted file mode 100644
index d2261cfdf..000000000
--- a/appcontainer/requirements.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Authlib==1.2.0
-Django==4.1.7
-django-csp==3.7
-eligibility-api==2023.01.1
-requests==2.28.2
-sentry-sdk==1.18.0
-six==1.16.0
diff --git a/benefits/__init__.py b/benefits/__init__.py
index 544748407..024e2c4d0 100644
--- a/benefits/__init__.py
+++ b/benefits/__init__.py
@@ -1,3 +1,3 @@
-__version__ = "2023.04.1"
+__version__ = "2023.04.2"
 
 VERSION = __version__
diff --git a/benefits/core/middleware.py b/benefits/core/middleware.py
index 93ec20cf2..4df16d6fa 100644
--- a/benefits/core/middleware.py
+++ b/benefits/core/middleware.py
@@ -2,12 +2,10 @@
 The core application: middleware definitions for request/response cycle.
 """
 import logging
-import time
 
 from django.conf import settings
-from django.http import HttpResponse, HttpResponseBadRequest
+from django.http import HttpResponse
 from django.shortcuts import redirect
-from django.template import loader
 from django.template.response import TemplateResponse
 from django.utils.decorators import decorator_from_middleware
 from django.utils.deprecation import MiddlewareMixin
@@ -40,43 +38,6 @@ def process_request(self, request):
             return user_error(request)
 
 
-class RateLimit(MiddlewareMixin):
-    """Middleware checks settings and session to ensure rate limit is respected."""
-
-    def process_request(self, request):
-        if not settings.RATE_LIMIT_ENABLED:
-            logger.debug("Rate Limiting is not configured")
-            return None
-
-        if request.method in settings.RATE_LIMIT_METHODS:
-            session.increment_rate_limit_counter(request)
-        else:
-            # bail early if the request method doesn't match
-            return None
-
-        counter = session.rate_limit_counter(request)
-        reset_time = session.rate_limit_time(request)
-        now = int(time.time())
-
-        if counter > settings.RATE_LIMIT:
-            if reset_time > now:
-                logger.warning("Rate limit exceeded")
-                home = viewmodels.Button.home(request)
-                page = viewmodels.ErrorPage.server_error(
-                    title="Rate limit error",
-                    headline="Rate limit error",
-                    paragraphs=["You have reached the rate limit. Please try again."],
-                    button=home,
-                )
-                t = loader.get_template("400.html")
-                return HttpResponseBadRequest(t.render(page.context_dict()))
-            else:
-                # enough time has passed, reset the rate limit
-                session.reset_rate_limit(request)
-
-        return None
-
-
 class EligibleSessionRequired(MiddlewareMixin):
     """Middleware raises an exception for sessions lacking confirmed eligibility."""
 
diff --git a/benefits/core/migrations/0002_data.py b/benefits/core/migrations/0002_data.py
index d7439b95e..ef6eaea20 100644
--- a/benefits/core/migrations/0002_data.py
+++ b/benefits/core/migrations/0002_data.py
@@ -89,19 +89,34 @@ def load_data(app, *args, **kwargs):
 -----END CERTIFICATE-----
 """
 
-    payment_processor_client_cert = PemData.objects.create(
-        text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT", dummy_cert_text),
-        label="Payment processor client certificate",
+    mst_payment_processor_client_cert = PemData.objects.create(
+        text=os.environ.get("MST_PAYMENT_PROCESSOR_CLIENT_CERT", dummy_cert_text),
+        label="MST payment processor client certificate",
     )
 
-    payment_processor_client_cert_private_key = PemData.objects.create(
-        text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", client_private_key.text),
-        label="Payment processor client certificate private key",
+    mst_payment_processor_client_cert_private_key = PemData.objects.create(
+        text=os.environ.get("MST_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", client_private_key.text),
+        label="MST payment processor client certificate private key",
     )
 
-    payment_processor_client_cert_root_ca = PemData.objects.create(
-        text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA", dummy_cert_text),
-        label="Payment processor client certificate root CA",
+    mst_payment_processor_client_cert_root_ca = PemData.objects.create(
+        text=os.environ.get("MST_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA", dummy_cert_text),
+        label="MST payment processor client certificate root CA",
+    )
+
+    sacrt_payment_processor_client_cert = PemData.objects.create(
+        text=os.environ.get("SACRT_PAYMENT_PROCESSOR_CLIENT_CERT", dummy_cert_text),
+        label="SacRT payment processor client certificate",
+    )
+
+    sacrt_payment_processor_client_cert_private_key = PemData.objects.create(
+        text=os.environ.get("SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", client_private_key.text),
+        label="SacRT payment processor client certificate private key",
+    )
+
+    sacrt_payment_processor_client_cert_root_ca = PemData.objects.create(
+        text=os.environ.get("SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA", dummy_cert_text),
+        label="SacRT payment processor client certificate root CA",
     )
 
     AuthProvider = app.get_model("core", "AuthProvider")
@@ -204,18 +219,35 @@ def load_data(app, *args, **kwargs):
 
     PaymentProcessor = app.get_model("core", "PaymentProcessor")
 
-    payment_processor = PaymentProcessor.objects.create(
-        name=os.environ.get("PAYMENT_PROCESSOR_NAME", "Test Payment Processor"),
-        api_base_url=os.environ.get("PAYMENT_PROCESSOR_API_BASE_URL", "http://server:8000"),
-        api_access_token_endpoint=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT", "access-token"),
-        api_access_token_request_key=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY", "request_access"),
-        api_access_token_request_val=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL", "REQUEST_ACCESS"),
-        card_tokenize_url=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_URL", "http://server:8000/static/tokenize.js"),
-        card_tokenize_func=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC", "tokenize"),
-        card_tokenize_env=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV", "test"),
-        client_cert=payment_processor_client_cert,
-        client_cert_private_key=payment_processor_client_cert_private_key,
-        client_cert_root_ca=payment_processor_client_cert_root_ca,
+    mst_payment_processor = PaymentProcessor.objects.create(
+        name=os.environ.get("MST_PAYMENT_PROCESSOR_NAME", "Test Payment Processor"),
+        api_base_url=os.environ.get("MST_PAYMENT_PROCESSOR_API_BASE_URL", "http://server:8000"),
+        api_access_token_endpoint=os.environ.get("MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT", "access-token"),
+        api_access_token_request_key=os.environ.get("MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY", "request_access"),
+        api_access_token_request_val=os.environ.get("MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL", "REQUEST_ACCESS"),
+        card_tokenize_url=os.environ.get("MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL", "http://server:8000/static/tokenize.js"),
+        card_tokenize_func=os.environ.get("MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC", "tokenize"),
+        card_tokenize_env=os.environ.get("MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV", "test"),
+        client_cert=mst_payment_processor_client_cert,
+        client_cert_private_key=mst_payment_processor_client_cert_private_key,
+        client_cert_root_ca=mst_payment_processor_client_cert_root_ca,
+        customer_endpoint="customer",
+        customers_endpoint="customers",
+        group_endpoint="group",
+    )
+
+    sacrt_payment_processor = PaymentProcessor.objects.create(
+        name=os.environ.get("SACRT_PAYMENT_PROCESSOR_NAME", "Test Payment Processor"),
+        api_base_url=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_BASE_URL", "http://server:8000"),
+        api_access_token_endpoint=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT", "access-token"),
+        api_access_token_request_key=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY", "request_access"),
+        api_access_token_request_val=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL", "REQUEST_ACCESS"),
+        card_tokenize_url=os.environ.get("SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL", "http://server:8000/static/tokenize.js"),
+        card_tokenize_func=os.environ.get("SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC", "tokenize"),
+        card_tokenize_env=os.environ.get("SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV", "test"),
+        client_cert=sacrt_payment_processor_client_cert,
+        client_cert_private_key=sacrt_payment_processor_client_cert_private_key,
+        client_cert_root_ca=sacrt_payment_processor_client_cert_root_ca,
         customer_endpoint="customer",
         customers_endpoint="customers",
         group_endpoint="group",
@@ -240,7 +272,7 @@ def load_data(app, *args, **kwargs):
         private_key=client_private_key,
         public_key=client_public_key,
         jws_signing_alg=os.environ.get("MST_AGENCY_JWS_SIGNING_ALG", "RS256"),
-        payment_processor=payment_processor,
+        payment_processor=mst_payment_processor,
         eligibility_index_intro=_("eligibility.pages.index.p[0].mst"),
     )
     mst_agency.eligibility_types.set([mst_senior_type, mst_courtesy_card_type])
@@ -258,7 +290,7 @@ def load_data(app, *args, **kwargs):
         private_key=client_private_key,
         public_key=client_public_key,
         jws_signing_alg=os.environ.get("SACRT_AGENCY_JWS_SIGNING_ALG", "RS256"),
-        payment_processor=payment_processor,
+        payment_processor=sacrt_payment_processor,
         eligibility_index_intro=_("eligibility.pages.index.p[0].sacrt"),
     )
     sacrt_agency.eligibility_types.set([sacrt_senior_type])
diff --git a/benefits/core/session.py b/benefits/core/session.py
index 7cb20185d..c26968cee 100644
--- a/benefits/core/session.py
+++ b/benefits/core/session.py
@@ -6,7 +6,6 @@
 import time
 import uuid
 
-from django.conf import settings
 from django.urls import reverse
 
 from . import models
@@ -22,8 +21,6 @@
 _ENROLLMENT_TOKEN = "enrollment_token"
 _ENROLLMENT_TOKEN_EXP = "enrollment_token_exp"
 _LANG = "lang"
-_LIMITCOUNTER = "limitcounter"
-_LIMITUNTIL = "limituntil"
 _OAUTH_CLAIM = "oauth_claim"
 _OAUTH_TOKEN = "oauth_token"
 _ORIGIN = "origin"
@@ -54,7 +51,6 @@ def context_dict(request):
     logger.debug("Get session context dict")
     return {
         _AGENCY: agency(request).slug if active_agency(request) else None,
-        _LIMITCOUNTER: rate_limit_counter(request),
         _DEBUG: debug(request),
         _DID: did(request),
         _ELIGIBILITY: eligibility(request),
@@ -64,7 +60,6 @@ def context_dict(request):
         _OAUTH_TOKEN: oauth_token(request),
         _OAUTH_CLAIM: oauth_claim(request),
         _ORIGIN: origin(request),
-        _LIMITUNTIL: rate_limit_time(request),
         _START: start(request),
         _UID: uid(request),
         _VERIFIER: verifier(request),
@@ -174,33 +169,6 @@ def origin(request):
     return request.session.get(_ORIGIN)
 
 
-def rate_limit_counter(request):
-    """Get this session's rate limit counter."""
-    logger.debug("Get rate limit counter")
-    return request.session.get(_LIMITCOUNTER)
-
-
-def increment_rate_limit_counter(request):
-    """Adds 1 to this session's rate limit counter."""
-    logger.debug("Increment rate limit counter")
-    c = rate_limit_counter(request)
-    request.session[_LIMITCOUNTER] = int(c) + 1
-
-
-def reset_rate_limit(request):
-    """Reset this session's rate limit counter and time."""
-    logger.debug("Reset rate limit")
-    request.session[_LIMITCOUNTER] = 0
-    # get the current time in Unix seconds, then add RATE_LIMIT_PERIOD seconds
-    request.session[_LIMITUNTIL] = int(time.time()) + settings.RATE_LIMIT_PERIOD
-
-
-def rate_limit_time(request):
-    """Get this session's rate limit time, a Unix timestamp after which the session's rate limt resets."""
-    logger.debug("Get rate limit time")
-    return request.session.get(_LIMITUNTIL)
-
-
 def reset(request):
     """Reset the session for the request."""
     logger.debug("Reset session")
@@ -219,7 +187,6 @@ def reset(request):
         u = str(uuid.uuid4())
         request.session[_UID] = u
         request.session[_DID] = str(uuid.UUID(hashlib.sha512(bytes(u, "utf8")).hexdigest()[:32]))
-        reset_rate_limit(request)
 
 
 def start(request):
diff --git a/benefits/core/templates/core/base.html b/benefits/core/templates/core/base.html
index 06c712d3e..7567bf0ed 100644
--- a/benefits/core/templates/core/base.html
+++ b/benefits/core/templates/core/base.html
@@ -27,7 +27,10 @@
       CA State Template v6.0.7 does not include jQuery
       See https://github.com/Office-of-Digital-Services/California-State-Web-Template/releases/tag/v6.0.7
     {% endcomment %}
-    <script src="https://cdn.jsdelivr.net/npm/jquery@3.6.1/dist/jquery.min.js" integrity="sha256-o88AwQnZB+VDvE9tvIXrMQaPlFFSUTR+nldQm1LuPXQ=" crossorigin="anonymous"></script>
+    <script nonce="{{ request.csp_nonce }}"
+            src="https://cdn.jsdelivr.net/npm/jquery@3.6.1/dist/jquery.min.js"
+            integrity="sha256-o88AwQnZB+VDvE9tvIXrMQaPlFFSUTR+nldQm1LuPXQ="
+            crossorigin="anonymous"></script>
 
     {% include "core/includes/analytics.html" with api_key=analytics.api_key uid=analytics.uid did=analytics.did %}
   </head>
@@ -125,9 +128,12 @@ <h1>{{ page.headline }}</h1>
 
       But we aren't using CA State Template Javascript, so include Bootstrap directly
     {% endcomment %}
-    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>
+    <script nonce="{{ request.csp_nonce }}"
+            src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
+            integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
+            crossorigin="anonymous"></script>
 
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       $(function() {
         document.cookie = "testcookie"
         if (document.cookie.indexOf("testcookie") < 0) {
@@ -144,6 +150,8 @@ <h1>{{ page.headline }}</h1>
       });
     </script>
 
-    {% if request.recaptcha %}<script src="{{ request.recaptcha.script_api }}"></script>{% endif %}
+    {% if request.recaptcha %}
+      <script nonce="{{ request.csp_nonce }}" src="{{ request.recaptcha.script_api }}"></script>
+    {% endif %}
   </body>
 </html>
diff --git a/benefits/core/templates/core/includes/analytics.html b/benefits/core/templates/core/includes/analytics.html
index bb1ef84a6..04302a603 100644
--- a/benefits/core/templates/core/includes/analytics.html
+++ b/benefits/core/templates/core/includes/analytics.html
@@ -1,9 +1,10 @@
-<script type="text/javascript">
+<script nonce="{{ request.csp_nonce }}" type="text/javascript">
     (function(e,t){var n=e.amplitude||{_q:[],_iq:{}};var r=t.createElement("script")
         ;r.type="text/javascript"
         ;r.integrity="sha384-u0hlTAJ1tNefeBKwiBNwB4CkHZ1ck4ajx/pKmwWtc+IufKJiCQZ+WjJIi+7C6Ntm"
         ;r.crossOrigin="anonymous";r.async=true
         ;r.src="https://cdn.amplitude.com/libs/amplitude-8.1.0-min.gz.js"
+        ;r.nonce="{{ request.csp_nonce }}"
         ;r.onload=function(){if(!e.amplitude.runQueuedFunctions){
             console.log("[Amplitude] Error: could not load SDK")}}
         ;var i=t.getElementsByTagName("script")[0];i.parentNode.insertBefore(r,i)
diff --git a/benefits/core/templates/core/includes/form.html b/benefits/core/templates/core/includes/form.html
index 66b917844..bb6108629 100644
--- a/benefits/core/templates/core/includes/form.html
+++ b/benefits/core/templates/core/includes/form.html
@@ -46,7 +46,7 @@
       </div>
     {% endif %}
 
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       $(function() {
         // listen for a custom "submitting" event on the form, for button interactions
         $("#{{ form.id }}").on("submitting", function(e) {
@@ -77,7 +77,7 @@
       {% endcomment %}
       <input type="hidden" name="{{ request.recaptcha.data_field }}" value="">
 
-      <script>
+      <script nonce="{{ request.csp_nonce }}">
         function recaptchaSubmit($event) {
           // checks the validity of the form. Return if invalid; HTML5 validation errors should display
           if (!$event.currentTarget.form.checkValidity()) {
diff --git a/benefits/eligibility/views.py b/benefits/eligibility/views.py
index 417ac13cd..38085a411 100644
--- a/benefits/eligibility/views.py
+++ b/benefits/eligibility/views.py
@@ -10,7 +10,7 @@
 from django.utils.translation import pgettext, gettext as _
 
 from benefits.core import recaptcha, session, viewmodels
-from benefits.core.middleware import AgencySessionRequired, LoginRequired, RateLimit, RecaptchaEnabled, VerifierSessionRequired
+from benefits.core.middleware import AgencySessionRequired, LoginRequired, RecaptchaEnabled, VerifierSessionRequired
 from benefits.core.models import EligibilityVerifier
 from benefits.core.views import ROUTE_HELP
 from . import analytics, forms, verify
@@ -152,7 +152,6 @@ def start(request):
 
 @decorator_from_middleware(AgencySessionRequired)
 @decorator_from_middleware(LoginRequired)
-@decorator_from_middleware(RateLimit)
 @decorator_from_middleware(RecaptchaEnabled)
 @decorator_from_middleware(VerifierSessionRequired)
 def confirm(request):
diff --git a/benefits/enrollment/templates/enrollment/index.html b/benefits/enrollment/templates/enrollment/index.html
index 7d28f59d3..70d0cd0c1 100644
--- a/benefits/enrollment/templates/enrollment/index.html
+++ b/benefits/enrollment/templates/enrollment/index.html
@@ -15,10 +15,10 @@ <h1 class="pb-lg-8 pb-4">{{ page.headline }}</h1>
 
   {% comment %} This Javascript code must be before the forms. {% endcomment %}
   {% if payment_processor %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
             var startedEvent = "started payment connection", closedEvent = "closed payment connection";
 
-            $.getScript("{{ payment_processor.card_tokenize_url }}")
+            $.ajax({ dataType: "script", attrs: { nonce: "{{ request.csp_nonce }}"}, url: "{{ payment_processor.card_tokenize_url }}" })
                 .done(function() {
                 $.get("{{ payment_processor.access_token_url }}", function(data) {
                     $(".loading").remove();
diff --git a/benefits/enrollment/templates/enrollment/success.html b/benefits/enrollment/templates/enrollment/success.html
index e74c6331c..61a40e8d8 100644
--- a/benefits/enrollment/templates/enrollment/success.html
+++ b/benefits/enrollment/templates/enrollment/success.html
@@ -18,7 +18,7 @@ <h1 class="pb-lg-8 pb-4">{{ page.headline }}</h1>
 {% endblock inner-content %}
 
 {% block call-to-action %}
-  {% if page.buttons|length_is:"1" %}
+  {% if page.buttons|length == 1 %}
     <div class="row d-flex justify-content-lg-center flex-lg-row">
       <div class="col-9 col-lg-10 d-flex justify-content-end logout-paragraph">
         <p>
diff --git a/benefits/sentry.py b/benefits/sentry.py
index f5198dbb4..e9bfcb412 100644
--- a/benefits/sentry.py
+++ b/benefits/sentry.py
@@ -1,3 +1,4 @@
+import logging
 import shutil
 import os
 import subprocess
@@ -8,8 +9,10 @@
 
 from benefits import VERSION
 
+logger = logging.getLogger(__name__)
 
 SENTRY_ENVIRONMENT = os.environ.get("SENTRY_ENVIRONMENT", "local")
+SENTRY_CSP_REPORT_URI = None
 
 
 def git_available():
@@ -61,11 +64,26 @@ def get_denylist():
     return denylist
 
 
+def get_traces_sample_rate():
+    try:
+        rate = float(os.environ.get("SENTRY_TRACES_SAMPLE_RATE", "0.0"))
+        if rate < 0.0 or rate > 1.0:
+            logger.warn("SENTRY_TRACES_SAMPLE_RATE was not in the range [0.0, 1.0], defaulting to 0.0")
+            rate = 0.0
+        else:
+            logger.info(f"SENTRY_TRACES_SAMPLE_RATE set to: {rate}")
+    except ValueError:
+        logger.warn("SENTRY_TRACES_SAMPLE_RATE did not parse to float, defaulting to 0.0")
+        rate = 0.0
+
+    return rate
+
+
 def configure():
     SENTRY_DSN = os.environ.get("SENTRY_DSN")
     if SENTRY_DSN:
         release = get_release()
-        print(f"Enabling Sentry for environment '{SENTRY_ENVIRONMENT}', release '{release}'...")
+        logger.info(f"Enabling Sentry for environment '{SENTRY_ENVIRONMENT}', release '{release}'...")
 
         # https://docs.sentry.io/platforms/python/configuration/
         sentry_sdk.init(
@@ -73,7 +91,7 @@ def configure():
             integrations=[
                 DjangoIntegration(),
             ],
-            traces_sample_rate=1.0,
+            traces_sample_rate=get_traces_sample_rate(),
             environment=SENTRY_ENVIRONMENT,
             release=release,
             in_app_include=["benefits"],
@@ -82,5 +100,9 @@ def configure():
             send_default_pii=False,
             event_scrubber=EventScrubber(denylist=get_denylist()),
         )
+
+        # override the module-level variable when configuration happens, if set
+        global SENTRY_CSP_REPORT_URI
+        SENTRY_CSP_REPORT_URI = os.environ.get("SENTRY_REPORT_URI", "")
     else:
-        print("SENTRY_DSN not set, so won't send events")
+        logger.info("SENTRY_DSN not set, so won't send events")
diff --git a/benefits/settings.py b/benefits/settings.py
index c93e7dd26..90667b864 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -196,9 +196,13 @@ def _filter_empty(ls):
 STATIC_URL = "/static/"
 STATICFILES_DIRS = [os.path.join(BASE_DIR, "benefits", "static")]
 # use Manifest Static Files Storage by default
-STATICFILES_STORAGE = os.environ.get(
-    "DJANGO_STATICFILES_STORAGE", "django.contrib.staticfiles.storage.ManifestStaticFilesStorage"
-)
+STORAGES = {
+    "staticfiles": {
+        "BACKEND": os.environ.get(
+            "DJANGO_STATICFILES_STORAGE", "django.contrib.staticfiles.storage.ManifestStaticFilesStorage"
+        )
+    }
+}
 STATIC_ROOT = os.path.join(BASE_DIR, "static")
 
 # Logging configuration
@@ -237,21 +241,6 @@ def _filter_empty(ls):
 
 ANALYTICS_KEY = os.environ.get("ANALYTICS_KEY")
 
-# rate limit configuration
-# these should match the values in rate-limit.cy.js
-
-# number of requests allowed in the given period
-RATE_LIMIT = int(os.environ.get("DJANGO_RATE_LIMIT", 5))
-
-# HTTP request methods to rate limit
-RATE_LIMIT_METHODS = os.environ.get("DJANGO_RATE_LIMIT_METHODS", "POST").upper().split(",")
-
-# number of seconds before additional requests are denied
-RATE_LIMIT_PERIOD = int(os.environ.get("DJANGO_RATE_LIMIT_PERIOD", 60))
-
-# Rate Limit feature flag
-RATE_LIMIT_ENABLED = all((RATE_LIMIT > 0, len(RATE_LIMIT_METHODS) > 0, RATE_LIMIT_PERIOD > 0))
-
 # reCAPTCHA configuration
 
 RECAPTCHA_API_URL = os.environ.get("DJANGO_RECAPTCHA_API_URL", "https://www.google.com/recaptcha/api.js")
@@ -267,9 +256,9 @@ def _filter_empty(ls):
 # In particular, note that the inner single-quotes are required!
 # https://django-csp.readthedocs.io/en/latest/configuration.html#policy-settings
 
-CSP_DEFAULT_SRC = ["'self'"]
+CSP_BASE_URI = ["'none'"]
 
-CSP_IMG_SRC = ["'self'", "data:"]
+CSP_DEFAULT_SRC = ["'self'"]
 
 CSP_CONNECT_SRC = ["'self'", "https://api.amplitude.com/"]
 env_connect_src = _filter_empty(os.environ.get("DJANGO_CSP_CONNECT_SRC", "").split(","))
@@ -288,8 +277,18 @@ def _filter_empty(ls):
 if len(env_frame_src) > 0:
     CSP_FRAME_SRC = env_frame_src
 
+CSP_IMG_SRC = ["'self'", "data:"]
+
+# Configuring strict Content Security Policy
+# https://django-csp.readthedocs.io/en/latest/nonce.html
+CSP_INCLUDE_NONCE_IN = ["script-src"]
+
+CSP_OBJECT_SRC = ["'none'"]
+
+if sentry.SENTRY_CSP_REPORT_URI:
+    CSP_REPORT_URI = [sentry.SENTRY_CSP_REPORT_URI]
+
 CSP_SCRIPT_SRC = [
-    "'unsafe-inline'",
     "https://cdn.amplitude.com/libs/",
     "https://cdn.jsdelivr.net/",
     "*.littlepay.com",
diff --git a/compose.yml b/compose.yml
index b39a881f3..c5e2dea99 100644
--- a/compose.yml
+++ b/compose.yml
@@ -8,6 +8,7 @@ services:
       dockerfile: appcontainer/Dockerfile
     image: benefits_client:latest
     env_file: .env
+    platform: linux/amd64
     ports:
       - "${DJANGO_LOCAL_PORT:-8000}:8000"
 
@@ -21,6 +22,7 @@ services:
     entrypoint: sleep infinity
     depends_on:
       - server
+    platform: linux/amd64
     ports:
       - "${DJANGO_LOCAL_PORT:-8000}:8000"
     volumes:
@@ -30,6 +32,7 @@ services:
     image: benefits_client:dev
     entrypoint: mkdocs
     command: serve --dev-addr "0.0.0.0:8001"
+    platform: linux/amd64
     ports:
       - "8001"
     volumes:
@@ -38,6 +41,7 @@ services:
   server:
     image: ghcr.io/cal-itp/eligibility-server:dev
     env_file: .devcontainer/server/.env.server
+    platform: linux/amd64
     ports:
       - "8000"
     volumes:
diff --git a/docs/configuration/content-security-policy.md b/docs/configuration/content-security-policy.md
index bbff840d1..3d22c189e 100644
--- a/docs/configuration/content-security-policy.md
+++ b/docs/configuration/content-security-policy.md
@@ -6,10 +6,14 @@
 
 > The HTTP `Content-Security-Policy` response header allows web site administrators to control resources the user agent is
 > allowed to load for a given page.
-
+>
 > With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against
 > cross-site scripting attacks
 
+!!! warning "Strict CSP"
+
+    Benefits configures a Strict Content Security Policy. Read more about Strict CSP from Google: <https://csp.withgoogle.com/docs/strict-csp.html>.
+
 ## `django-csp`
 
 !!! tldr "django-csp docs"
diff --git a/docs/configuration/data.md b/docs/configuration/data.md
index 582241f6b..6e52de0b8 100644
--- a/docs/configuration/data.md
+++ b/docs/configuration/data.md
@@ -33,7 +33,6 @@ The sample data included in the repository is enough to bootstrap the applicatio
 Some configuration data is not available with the samples in the repository:
 
 - OAuth configuration to enable authentication (read more about [OAuth configuration](oauth.md))
-- Rate Limiting configuration for eligibility
 - reCAPTCHA configuration for user-submitted forms
 - Payment processor configuration for the enrollment phase
 - Amplitude configuration for capturing analytics events
diff --git a/docs/configuration/environment-variables.md b/docs/configuration/environment-variables.md
index 63226dab7..80b7fac44 100644
--- a/docs/configuration/environment-variables.md
+++ b/docs/configuration/environment-variables.md
@@ -177,5 +177,25 @@ Enables [sending events to Sentry](../../deployment/troubleshooting/#error-monit
 
 Segments errors by which deployment they occur in. This defaults to `local`, and can be set to match one of the [environment names](../../deployment/infrastructure/#environments).
 
+### `SENTRY_REPORT_URI`
+
+!!! tldr "Sentry docs"
+
+    [Security Policy Reporting](https://docs.sentry.io/product/security-policy-reporting/)
+
+Collect information on Content-Security-Policy (CSP) violations. Read more about [CSP configuration in Benefits](./content-security-policy.md).
+
+To enable report collection, set this env var to the authenticated Sentry endpoint.
+
+### `SENTRY_TRACES_SAMPLE_RATE`
+
+!!! tldr "Sentry docs"
+
+    [`traces_sample_rate`](https://docs.sentry.io/platforms/python/configuration/sampling/#configuring-the-transaction-sample-rate)
+
+Control the volume of transactions sent to Sentry. Value must be a float in the range `[0.0, 1.0]`.
+
+The default is `0.0` (i.e. no transactions are tracked).
+
 [app-service-config]: https://docs.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal
 [getting-started_create-env]: ../getting-started/README.md#create-an-environment-file
diff --git a/docs/configuration/rate-limit.md b/docs/configuration/rate-limit.md
index 8dad3af27..c1fad33b9 100644
--- a/docs/configuration/rate-limit.md
+++ b/docs/configuration/rate-limit.md
@@ -1,47 +1,56 @@
 # Configuring Rate Limiting
 
-The benefits application has a simple, single-configuration Rate Limit feature that acts per-session to limit the
-number of consecutive requests in a given time period.
+The benefits application has a simple, single-configuration Rate Limit that acts
+per-IP to limit the number of consecutive requests in a given time period, via
+nginx [`limit_req_zone`](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone)
+and [`limit_req`](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req) directives.
 
-## Applying to Django code
+The configured rate limit is 12 requests/minute, or 1 request/5 seconds:
 
-The [`RateLimit` middleware][benefits-middleware] can be installed globally for all requests with the
-[`MIDDLEWARE` setting][django-middleware], or per-view with a function decorator.
-
-The latter approach is how the Benefits application rate-limits the Eligibility verification form (which is shown on the
-`confirm` route/view):
-
-```python
-from django.utils.decorators import decorator_from_middleware
-
-from benefits.core.middleware import RateLimit
-
-
-@decorator_from_middleware(RateLimit)
-def confirm(request):
-    """View handler for the eligibility verification form."""
-    # ...
+```nginx
+limit_req_zone $limit zone=rate_limit:10m rate=12r/m;
 ```
 
-## Environment variables
+## HTTP method selection
 
-!!! warning
+An NGINX [map](http://nginx.org/en/docs/http/ngx_http_map_module.html#map)
+variable lists HTTP methods that will be rate limited:
 
-    The following environment variables are all required to activate the Rate Limit feature
+```nginx
+map $request_method $limit {
+    default         "";
+    POST            $binary_remote_addr;
+}
+```
 
-### `DJANGO_RATE_LIMIT`
+The `default` means don't apply a rate limit.
 
-Number of requests allowed in the given [`DJANGO_RATE_LIMIT_PERIOD`](#DJANGO_RATE_LIMIT_PERIOD).
+To add a new method, add a new line:
 
-Must be greater than `0`.
+```nginx
+map $request_method $limit {
+    default         "";
+    OPTIONS         $binary_remote_addr;
+    POST            $binary_remote_addr;
+}
+```
 
-### `DJANGO_RATE_LIMIT_METHODS`
+## App path selection
 
-Comma-separated list of HTTP Methods for which requests are rate limited.
+The `limit_req` is applied to an NGINX [`location`](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) block with a case-insensitive regex to match paths:
 
-### `DJANGO_RATE_LIMIT_PERIOD`
+```nginx
+location ~* ^/(eligibility/confirm)$ {
+    limit_req zone=rate_limit;
+    # config...
+}
+```
 
-Number of seconds before additional requests are denied.
+To add a new path, add a regex OR `|` with the new path (omitting the leading slash):
 
-[benefits-middleware]: https://github.com/cal-itp/benefits/blob/dev/benefits/core/middleware.py
-[django-middleware]: https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-MIDDLEWARE
+```nginx
+location ~* ^/(eligibility/confirm|new/path)$ {
+    limit_req zone=rate_limit;
+    # config...
+}
+```
diff --git a/docs/deployment/infrastructure.md b/docs/deployment/infrastructure.md
index 954457a17..97afea83e 100644
--- a/docs/deployment/infrastructure.md
+++ b/docs/deployment/infrastructure.md
@@ -8,18 +8,18 @@ The infrastructure is configured as code via [Terraform](https://www.terraform.i
 
 ```mermaid
 flowchart LR
-    %% DMV integration is currently disabled, hence the lines commented out below
-
-    %% dmv[DMV Eligibility Verification API]
     benefits[Benefits application]
     style benefits stroke-width:5px
     recaptcha[Google reCAPTCHA]
     rider((User's browser))
     idg[Identity Gateway]
-    mst_elig[Eligibility Server]
-    cc_data[(Courtesy Card data)]
+    elig_server[Eligibility Server]
+    ac_data[(Agency Card data)]
     cookies[(Cookies)]
 
+    benefits -->|Errors| sentry
+    elig_server -->|Errors| sentry
+
     rider --> benefits
     rider -->|Credentials and identity proofing| Login.gov
     rider --> recaptcha
@@ -29,13 +29,12 @@ flowchart LR
 
     benefits --> idg
     benefits <--> recaptcha
-    %% benefits --> dmv
     benefits -->|Events| Amplitude
     benefits -->|Group enrollment| Littlepay
-    benefits --> mst_elig
+    benefits --> elig_server
 
-    subgraph "MST (Courtesy Cards)"
-    mst_elig --> cc_data
+    subgraph "Agency Cards (e.g. MST Courtesy Cards)"
+    elig_server --> ac_data
     end
 
     idg --> Login.gov
diff --git a/docs/use-cases/agency-cards.md b/docs/use-cases/agency-cards.md
new file mode 100644
index 000000000..af586a457
--- /dev/null
+++ b/docs/use-cases/agency-cards.md
@@ -0,0 +1,72 @@
+# Agency Cards
+
+_Agency Cards_ is a generic term for reduced fare programs offered by Transit Providers, such as the
+[Courtesy Card program from Monterey-Salinas Transit (MST)](https://mst.org/riders-guide/how-to-ride/courtesy-card/).
+
+Agency cards are different from our other use cases in that eligibility verification happens on the agency side (offline) rather
+than through the Benefits app, and the Benefits app then checks for a valid Agency Card via an [Eligibility API call](https://docs.calitp.org/eligibility-api/specification/).
+
+## Architecture
+
+In order to support an Agency Cards deployment, the Transit Provider produces a list of eligible users
+(CSV format) that is loaded into an instance of [Eligibility Server](https://docs.calitp.org/eligibility-server/) running in the Transit Provider's cloud.
+
+Cal-ITP makes the [`hashfields` tool](https://docs.calitp.org/hashfields) to facilitate masking user data before it leaves Transit Provider on-premises systems.
+
+The complete system architecture looks like:
+
+```mermaid
+flowchart LR
+    rider((User's browser))
+    api[Eligibility Server]
+    data[Hashed Agency Card data]
+    cardsystem[Data source]
+
+    rider --> Benefits
+
+    subgraph CDT Azure
+        Benefits
+    end
+
+    Benefits --> api
+
+    subgraph Transit Provider cloud
+        api --> data
+    end
+
+    subgraph Transit Provider on-prem
+        cardsystem --> hashfields
+    end
+
+    hashfields --> data
+```
+
+Notes:
+
+- [Eligibility Server source code](https://github.com/cal-itp/eligibility-server)
+- [hashfields source code](https://github.com/cal-itp/hashfields)
+- [More details about the Benefits architecture](../../deployment/infrastructure/#architecture)
+- In MST, the `Data Source` is Velocity, the system MST uses to manage and print Courtesy Cards
+
+## Process
+
+```mermaid
+sequenceDiagram
+    actor Rider
+    participant Benefits as Benefits app
+    participant elig_server as Eligibility Server
+    participant cc_data as Hashed data
+    participant Data Source
+    participant Littlepay
+
+    Data Source-->>cc_data: exports nightly
+    cc_data-->>elig_server: gets loaded on Server start
+
+    Rider->>Benefits: visits site
+    Benefits-->>elig_server: passes entered Agency Card details
+    elig_server-->>Benefits: confirms eligibility
+
+    Benefits-->>Littlepay: enrollment start
+    Rider->>Littlepay: enters payment card details
+    Littlepay-->>Benefits: enrollment complete
+```
diff --git a/docs/use-cases/courtesy-cards.md b/docs/use-cases/courtesy-cards.md
deleted file mode 100644
index d4122cc53..000000000
--- a/docs/use-cases/courtesy-cards.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# Courtesy Cards
-
-Courtesy Cards are [a reduced fare program from Monterey-Salinas Transit (MST)](https://mst.org/riders-guide/how-to-ride/courtesy-card/). We more generically refer to these "agency cards", in that they are issued by a transit agency. They are different from our other use cases in that eligibility verification happens on the agency side (offline) rather than through the Benefits app, and the Benefits app then checks for a valid Courtesy Card via an [Eligibility API call](https://docs.calitp.org/eligibility-api/specification/).
-
-## Architecture
-
-```mermaid
-flowchart LR
-    rider((User's browser))
-    api[Eligibility Server]
-    data[Hashed Courtesy Card data]
-    velocity[SQL Server]
-
-    rider --> Benefits
-
-    subgraph CDT Azure
-        Benefits
-    end
-
-    Benefits --> api
-
-    subgraph MST Azure
-        api --> data
-    end
-
-    subgraph MST Velocity
-        velocity --> hashfields
-    end
-
-    hashfields --> data
-```
-
-Notes:
-
-- [Eligibility Server documentation](https://docs.calitp.org/eligibility-server/)
-- [More details about the Benefits architecture](../deployment/infrastructure/#architecture)
-- Velocity is the system MST uses to manage Courtesy Cards
-
-## Process
-
-```mermaid
-sequenceDiagram
-    actor Rider
-    participant Benefits as Benefits app
-    participant elig_server as Eligibility Server
-    participant cc_data as Hashed data
-    participant Velocity
-    participant Littlepay
-
-    Velocity-->>cc_data: exports nightly
-    cc_data-->>elig_server: gets loaded on Server start
-
-    Rider->>Benefits: visits site
-    Benefits-->>elig_server: passes entered Courtesy Card details
-    elig_server-->>Benefits: confirms eligibility
-
-    Benefits-->>Littlepay: enrollment start
-    Rider->>Littlepay: enters payment card details
-    Littlepay-->>Benefits: enrollment complete
-```
diff --git a/mkdocs.yml b/mkdocs.yml
index 2697220ff..7ea374833 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -39,6 +39,7 @@ plugins:
         "getting-started/development.md": "development/README.md"
         "getting-started/docker-dynamic-ports.md": "development/docker-dynamic-ports.md"
         "students.md": "use-cases/college.md"
+        "use-cases/courtesy-cards.md": "use-cases/agency-cards.md"
         "use-cases/students.md": "use-cases/college.md"
 
 extra_css:
diff --git a/pyproject.toml b/pyproject.toml
index 08fb8aad4..f95e11102 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,17 +1,53 @@
-# NOTE: you have to use single-quoted strings in TOML for regular expressions.
-# It's the equivalent of r-strings in Python.  Multiline strings are treated as
-# verbose regular expressions by Black.  Use [ ] to denote a significant space
-# character.
+[build-system]
+requires = ["setuptools>=64", "wheel"]
+build-backend = "setuptools.build_meta"
 
-# Configuration for black
+[project]
+classifiers = ["Programming Language :: Python :: 3 :: Only"]
+description = "Cal-ITP Benefits is an application that enables automated eligibility verification and enrollment for transit benefits onto customers’ existing contactless bank (credit/debit) cards."
+dependencies = [
+    "Authlib==1.2.0",
+    "Django==4.2",
+    "django-csp==3.7",
+    "eligibility-api==2023.01.1",
+    "requests==2.28.2",
+    "sentry-sdk==1.19.1",
+    "six==1.16.0",
+]
+dynamic = ["version"]
+keywords = ["django"]
+license = { file = "LICENSE" }
+name = "benefits"
+readme = "README.md"
+requires-python = ">=3.9"
+
+[project.optional-dependencies]
+dev = [
+    "black",
+    "djlint",
+    "flake8",
+    "pre-commit",
+]
+test = [
+    "pytest",
+    "pytest-cov",
+    "pytest-django",
+    "pytest-mock",
+    "pytest-socket",
+]
 
+[project.urls]
+Code = "https://github.com/cal-itp/benefits"
+Documentation = "https://docs.calitp.org/benefits"
+Issues = "https://github.com/cal-itp/benefits/issues"
+
+# Configuration for black
 [tool.black]
 line-length = 127
 target-version = ['py310']
 include = '\.pyi?$'
 
 # Configuration for djlint
-
 [tool.djlint]
 ignore = "H017,H031"
 indent = 2
@@ -22,7 +58,6 @@ preserve_blank_lines = true
 use_gitignore = true
 
 # Configuration for pytest
-
 [tool.coverage.run]
 omit = [
     "benefits/core/migrations/*"
@@ -33,3 +68,6 @@ DJANGO_SETTINGS_MODULE = "benefits.settings"
 markers = [
     "request_path: use with session_request to initialize with the given path",
 ]
+
+[tool.setuptools]
+packages = ["benefits"]
diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 03e733b7b..42bab779f 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -58,14 +58,10 @@ resource "azurerm_linux_web_app" "main" {
     "ANALYTICS_KEY" = local.is_dev ? null : "${local.secret_prefix}analytics-key)",
 
     # Django settings
-    "DJANGO_ADMIN"            = (local.is_prod || local.is_test) ? null : "${local.secret_prefix}django-admin)",
-    "DJANGO_ALLOWED_HOSTS"    = "${local.secret_prefix}django-allowed-hosts)",
-    "DJANGO_DEBUG"            = local.is_prod ? null : "${local.secret_prefix}django-debug)",
-    "DJANGO_LOG_LEVEL"        = "${local.secret_prefix}django-log-level)",
-
-    "DJANGO_RATE_LIMIT"         = local.is_dev ? null : "${local.secret_prefix}django-rate-limit)",
-    "DJANGO_RATE_LIMIT_METHODS" = local.is_dev ? null : "${local.secret_prefix}django-rate-limit-methods)",
-    "DJANGO_RATE_LIMIT_PERIOD"  = local.is_dev ? null : "${local.secret_prefix}django-rate-limit-period)",
+    "DJANGO_ADMIN"         = (local.is_prod || local.is_test) ? null : "${local.secret_prefix}django-admin)",
+    "DJANGO_ALLOWED_HOSTS" = "${local.secret_prefix}django-allowed-hosts)",
+    "DJANGO_DEBUG"         = local.is_prod ? null : "${local.secret_prefix}django-debug)",
+    "DJANGO_LOG_LEVEL"     = "${local.secret_prefix}django-log-level)",
 
     "DJANGO_RECAPTCHA_SECRET_KEY" = local.is_dev ? null : "${local.secret_prefix}django-recaptcha-secret-key)",
     "DJANGO_RECAPTCHA_SITE_KEY"   = local.is_dev ? null : "${local.secret_prefix}django-recaptcha-site-key)",
@@ -76,49 +72,62 @@ resource "azurerm_linux_web_app" "main" {
     "HEALTHCHECK_USER_AGENTS" = local.is_dev ? null : "${local.secret_prefix}healthcheck-user-agents)",
 
     # Sentry
-    "SENTRY_DSN"         = "${local.secret_prefix}sentry-dsn)",
-    "SENTRY_ENVIRONMENT" = local.env_name,
+    "SENTRY_DSN"                = "${local.secret_prefix}sentry-dsn)",
+    "SENTRY_ENVIRONMENT"        = local.env_name,
+    "SENTRY_REPORT_URI"         = "${local.secret_prefix}sentry-report-uri)",
+    "SENTRY_TRACES_SAMPLE_RATE" = "${local.secret_prefix}sentry-traces-sample-rate)",
 
     # Environment variables for data migration
-    "MST_SENIOR_GROUP_ID"                            = "${local.secret_prefix}mst-senior-group-id)",
-    "MST_COURTESY_CARD_GROUP_ID"                     = "${local.secret_prefix}mst-courtesy-card-group-id)"
-    "SACRT_SENIOR_GROUP_ID"                          = "${local.secret_prefix}sacrt-senior-group-id)"
-    "CLIENT_PRIVATE_KEY"                             = "${local.secret_prefix}client-private-key)"
-    "CLIENT_PUBLIC_KEY"                              = "${local.secret_prefix}client-public-key)"
-    "SERVER_PUBLIC_KEY_URL"                          = "${local.secret_prefix}server-public-key-url)"
-    "PAYMENT_PROCESSOR_CLIENT_CERT"                  = "${local.secret_prefix}payment-processor-client-cert)"
-    "PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"      = "${local.secret_prefix}payment-processor-client-cert-private-key)"
-    "PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"          = "${local.secret_prefix}payment-processor-client-cert-root-ca)"
-    "AUTH_PROVIDER_CLIENT_NAME"                      = "${local.secret_prefix}auth-provider-client-name)"
-    "AUTH_PROVIDER_CLIENT_ID"                        = "${local.secret_prefix}auth-provider-client-id)"
-    "AUTH_PROVIDER_AUTHORITY"                        = "${local.secret_prefix}auth-provider-authority)"
-    "AUTH_PROVIDER_SCOPE"                            = "${local.secret_prefix}auth-provider-scope)"
-    "AUTH_PROVIDER_CLAIM"                            = "${local.secret_prefix}auth-provider-claim)"
-    "MST_OAUTH_VERIFIER_NAME"                        = "${local.secret_prefix}mst-oauth-verifier-name)"
-    "COURTESY_CARD_VERIFIER"                         = "${local.secret_prefix}courtesy-card-verifier)"
-    "COURTESY_CARD_VERIFIER_API_URL"                 = "${local.secret_prefix}courtesy-card-verifier-api-url)"
-    "COURTESY_CARD_VERIFIER_API_AUTH_HEADER"         = "${local.secret_prefix}courtesy-card-verifier-api-auth-header)"
-    "COURTESY_CARD_VERIFIER_API_AUTH_KEY"            = "${local.secret_prefix}courtesy-card-verifier-api-auth-key)"
-    "COURTESY_CARD_VERIFIER_JWE_CEK_ENC"             = "${local.secret_prefix}courtesy-card-verifier-jwe-cek-enc)"
-    "COURTESY_CARD_VERIFIER_JWE_ENCRYPTION_ALG"      = "${local.secret_prefix}courtesy-card-verifier-jwe-encryption-alg)"
-    "COURTESY_CARD_VERIFIER_JWS_SIGNING_ALG"         = "${local.secret_prefix}courtesy-card-verifier-jws-signing-alg)"
-    "SACRT_OAUTH_VERIFIER_NAME"                      = "${local.secret_prefix}sacrt-oauth-verifier-name)"
-    "PAYMENT_PROCESSOR_NAME"                         = "${local.secret_prefix}payment-processor-name)"
-    "PAYMENT_PROCESSOR_API_BASE_URL"                 = "${local.secret_prefix}payment-processor-api-base-url)"
-    "PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"    = "${local.secret_prefix}payment-processor-api-access-token-endpoint)"
-    "PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY" = "${local.secret_prefix}payment-processor-api-access-token-request-key)"
-    "PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL" = "${local.secret_prefix}payment-processor-api-access-token-request-val)"
-    "PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"            = "${local.secret_prefix}payment-processor-card-tokenize-url)"
-    "PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"           = "${local.secret_prefix}payment-processor-card-tokenize-func)"
-    "PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"            = "${local.secret_prefix}payment-processor-card-tokenize-env)"
-    "MST_AGENCY_SHORT_NAME"                          = "${local.secret_prefix}mst-agency-short-name)"
-    "MST_AGENCY_LONG_NAME"                           = "${local.secret_prefix}mst-agency-long-name)"
-    "MST_AGENCY_JWS_SIGNING_ALG"                     = "${local.secret_prefix}mst-agency-jws-signing-alg)"
-    "SACRT_AGENCY_SHORT_NAME"                        = "${local.secret_prefix}sacrt-agency-short-name)"
-    "SACRT_AGENCY_LONG_NAME"                         = "${local.secret_prefix}sacrt-agency-long-name)"
-    "SACRT_AGENCY_MERCHANT_ID"                       = "${local.secret_prefix}sacrt-agency-merchant-id)"
-    "SACRT_AGENCY_ACTIVE"                            = "${local.secret_prefix}sacrt-agency-active)"
-    "SACRT_AGENCY_JWS_SIGNING_ALG"                   = "${local.secret_prefix}sacrt-agency-jws-signing-alg)"
+    "MST_SENIOR_GROUP_ID"                                  = "${local.secret_prefix}mst-senior-group-id)",
+    "MST_COURTESY_CARD_GROUP_ID"                           = "${local.secret_prefix}mst-courtesy-card-group-id)"
+    "SACRT_SENIOR_GROUP_ID"                                = "${local.secret_prefix}sacrt-senior-group-id)"
+    "CLIENT_PRIVATE_KEY"                                   = "${local.secret_prefix}client-private-key)"
+    "CLIENT_PUBLIC_KEY"                                    = "${local.secret_prefix}client-public-key)"
+    "SERVER_PUBLIC_KEY_URL"                                = "${local.secret_prefix}server-public-key-url)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT"                    = "${local.secret_prefix}mst-payment-processor-client-cert)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"        = "${local.secret_prefix}mst-payment-processor-client-cert-private-key)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"            = "${local.secret_prefix}mst-payment-processor-client-cert-root-ca)"
+    "SACRT_PAYMENT_PROCESSOR_CLIENT_CERT"                  = "${local.secret_prefix}sacrt-payment-processor-client-cert)"
+    "SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"      = "${local.secret_prefix}sacrt-payment-processor-client-cert-private-key)"
+    "SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"          = "${local.secret_prefix}sacrt-payment-processor-client-cert-root-ca)"
+    "AUTH_PROVIDER_CLIENT_NAME"                            = "${local.secret_prefix}auth-provider-client-name)"
+    "AUTH_PROVIDER_CLIENT_ID"                              = "${local.secret_prefix}auth-provider-client-id)"
+    "AUTH_PROVIDER_AUTHORITY"                              = "${local.secret_prefix}auth-provider-authority)"
+    "AUTH_PROVIDER_SCOPE"                                  = "${local.secret_prefix}auth-provider-scope)"
+    "AUTH_PROVIDER_CLAIM"                                  = "${local.secret_prefix}auth-provider-claim)"
+    "MST_OAUTH_VERIFIER_NAME"                              = "${local.secret_prefix}mst-oauth-verifier-name)"
+    "COURTESY_CARD_VERIFIER"                               = "${local.secret_prefix}courtesy-card-verifier)"
+    "COURTESY_CARD_VERIFIER_API_URL"                       = "${local.secret_prefix}courtesy-card-verifier-api-url)"
+    "COURTESY_CARD_VERIFIER_API_AUTH_HEADER"               = "${local.secret_prefix}courtesy-card-verifier-api-auth-header)"
+    "COURTESY_CARD_VERIFIER_API_AUTH_KEY"                  = "${local.secret_prefix}courtesy-card-verifier-api-auth-key)"
+    "COURTESY_CARD_VERIFIER_JWE_CEK_ENC"                   = "${local.secret_prefix}courtesy-card-verifier-jwe-cek-enc)"
+    "COURTESY_CARD_VERIFIER_JWE_ENCRYPTION_ALG"            = "${local.secret_prefix}courtesy-card-verifier-jwe-encryption-alg)"
+    "COURTESY_CARD_VERIFIER_JWS_SIGNING_ALG"               = "${local.secret_prefix}courtesy-card-verifier-jws-signing-alg)"
+    "SACRT_OAUTH_VERIFIER_NAME"                            = "${local.secret_prefix}sacrt-oauth-verifier-name)"
+    "MST_PAYMENT_PROCESSOR_NAME"                           = "${local.secret_prefix}mst-payment-processor-name)"
+    "MST_PAYMENT_PROCESSOR_API_BASE_URL"                   = "${local.secret_prefix}mst-payment-processor-api-base-url)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"      = "${local.secret_prefix}mst-payment-processor-api-access-token-endpoint)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY"   = "${local.secret_prefix}mst-payment-processor-api-access-token-request-key)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL"   = "${local.secret_prefix}mst-payment-processor-api-access-token-request-val)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"              = "${local.secret_prefix}mst-payment-processor-card-tokenize-url)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"             = "${local.secret_prefix}mst-payment-processor-card-tokenize-func)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"              = "${local.secret_prefix}mst-payment-processor-card-tokenize-env)"
+    "SACRT_PAYMENT_PROCESSOR_NAME"                         = "${local.secret_prefix}sacrt-payment-processor-name)"
+    "SACRT_PAYMENT_PROCESSOR_API_BASE_URL"                 = "${local.secret_prefix}sacrt-payment-processor-api-base-url)"
+    "SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"    = "${local.secret_prefix}sacrt-payment-processor-api-access-token-endpoint)"
+    "SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY" = "${local.secret_prefix}sacrt-payment-processor-api-access-token-request-key)"
+    "SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL" = "${local.secret_prefix}sacrt-payment-processor-api-access-token-request-val)"
+    "SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"            = "${local.secret_prefix}sacrt-payment-processor-card-tokenize-url)"
+    "SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"           = "${local.secret_prefix}sacrt-payment-processor-card-tokenize-func)"
+    "SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"            = "${local.secret_prefix}sacrt-payment-processor-card-tokenize-env)"
+    "MST_AGENCY_SHORT_NAME"                                = "${local.secret_prefix}mst-agency-short-name)"
+    "MST_AGENCY_LONG_NAME"                                 = "${local.secret_prefix}mst-agency-long-name)"
+    "MST_AGENCY_JWS_SIGNING_ALG"                           = "${local.secret_prefix}mst-agency-jws-signing-alg)"
+    "SACRT_AGENCY_SHORT_NAME"                              = "${local.secret_prefix}sacrt-agency-short-name)"
+    "SACRT_AGENCY_LONG_NAME"                               = "${local.secret_prefix}sacrt-agency-long-name)"
+    "SACRT_AGENCY_MERCHANT_ID"                             = "${local.secret_prefix}sacrt-agency-merchant-id)"
+    "SACRT_AGENCY_ACTIVE"                                  = "${local.secret_prefix}sacrt-agency-active)"
+    "SACRT_AGENCY_JWS_SIGNING_ALG"                         = "${local.secret_prefix}sacrt-agency-jws-signing-alg)"
   }
 
   lifecycle {
diff --git a/tests/cypress/package-lock.json b/tests/cypress/package-lock.json
index 55f2253d6..bc1a942d8 100644
--- a/tests/cypress/package-lock.json
+++ b/tests/cypress/package-lock.json
@@ -9,7 +9,7 @@
       "version": "1.0.0",
       "license": "AGPL-3.0-or-later",
       "devDependencies": {
-        "cypress": "^12.9.0"
+        "cypress": "^12.10.0"
       }
     },
     "node_modules/@colors/colors": {
@@ -479,9 +479,9 @@
       }
     },
     "node_modules/commander": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-5.1.0.tgz",
-      "integrity": "sha512-P0CysNDQ7rtVw4QIQtm+MRxV66vKFSvlsQvGYXZWR3qFU0jlMKHZZZgw8e+8DSah4UDKMqnknRDQz+xuQXQ/Zg==",
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-6.2.1.tgz",
+      "integrity": "sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==",
       "dev": true,
       "engines": {
         "node": ">= 6"
@@ -523,9 +523,9 @@
       }
     },
     "node_modules/cypress": {
-      "version": "12.9.0",
-      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.9.0.tgz",
-      "integrity": "sha512-Ofe09LbHKgSqX89Iy1xen2WvpgbvNxDzsWx3mgU1mfILouELeXYGwIib3ItCwoRrRifoQwcBFmY54Vs0zw7QCg==",
+      "version": "12.10.0",
+      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.10.0.tgz",
+      "integrity": "sha512-Y0wPc221xKKW1/4iAFCphkrG2jNR4MjOne3iGn4mcuCaE7Y5EtXL83N8BzRsAht7GYfWVjJ/UeTqEdDKHz39HQ==",
       "dev": true,
       "hasInstallScript": true,
       "dependencies": {
@@ -543,7 +543,7 @@
         "check-more-types": "^2.24.0",
         "cli-cursor": "^3.1.0",
         "cli-table3": "~0.6.1",
-        "commander": "^5.1.0",
+        "commander": "^6.2.1",
         "common-tags": "^1.8.0",
         "dayjs": "^1.10.4",
         "debug": "^4.3.4",
@@ -561,7 +561,7 @@
         "listr2": "^3.8.3",
         "lodash": "^4.17.21",
         "log-symbols": "^4.0.0",
-        "minimist": "^1.2.6",
+        "minimist": "^1.2.8",
         "ospath": "^1.2.2",
         "pretty-bytes": "^5.6.0",
         "proxy-from-env": "1.0.0",
@@ -1280,10 +1280,13 @@
       }
     },
     "node_modules/minimist": {
-      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
-      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
-      "dev": true
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
     },
     "node_modules/ms": {
       "version": "2.1.2",
@@ -2167,9 +2170,9 @@
       }
     },
     "commander": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-5.1.0.tgz",
-      "integrity": "sha512-P0CysNDQ7rtVw4QIQtm+MRxV66vKFSvlsQvGYXZWR3qFU0jlMKHZZZgw8e+8DSah4UDKMqnknRDQz+xuQXQ/Zg==",
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-6.2.1.tgz",
+      "integrity": "sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==",
       "dev": true
     },
     "common-tags": {
@@ -2202,9 +2205,9 @@
       }
     },
     "cypress": {
-      "version": "12.9.0",
-      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.9.0.tgz",
-      "integrity": "sha512-Ofe09LbHKgSqX89Iy1xen2WvpgbvNxDzsWx3mgU1mfILouELeXYGwIib3ItCwoRrRifoQwcBFmY54Vs0zw7QCg==",
+      "version": "12.10.0",
+      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.10.0.tgz",
+      "integrity": "sha512-Y0wPc221xKKW1/4iAFCphkrG2jNR4MjOne3iGn4mcuCaE7Y5EtXL83N8BzRsAht7GYfWVjJ/UeTqEdDKHz39HQ==",
       "dev": true,
       "requires": {
         "@cypress/request": "^2.88.10",
@@ -2221,7 +2224,7 @@
         "check-more-types": "^2.24.0",
         "cli-cursor": "^3.1.0",
         "cli-table3": "~0.6.1",
-        "commander": "^5.1.0",
+        "commander": "^6.2.1",
         "common-tags": "^1.8.0",
         "dayjs": "^1.10.4",
         "debug": "^4.3.4",
@@ -2239,7 +2242,7 @@
         "listr2": "^3.8.3",
         "lodash": "^4.17.21",
         "log-symbols": "^4.0.0",
-        "minimist": "^1.2.6",
+        "minimist": "^1.2.8",
         "ospath": "^1.2.2",
         "pretty-bytes": "^5.6.0",
         "proxy-from-env": "1.0.0",
@@ -2770,9 +2773,9 @@
       }
     },
     "minimist": {
-      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
-      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
       "dev": true
     },
     "ms": {
diff --git a/tests/cypress/package.json b/tests/cypress/package.json
index 29eb4e440..6e77d1306 100644
--- a/tests/cypress/package.json
+++ b/tests/cypress/package.json
@@ -12,6 +12,6 @@
   "license": "AGPL-3.0-or-later",
   "private": true,
   "devDependencies": {
-    "cypress": "^12.9.0"
+    "cypress": "^12.10.0"
   }
 }
diff --git a/tests/cypress/specs/helpers.js b/tests/cypress/plugins/helpers.js
similarity index 76%
rename from tests/cypress/specs/helpers.js
rename to tests/cypress/plugins/helpers.js
index 1d037d2a2..f241bcdb8 100644
--- a/tests/cypress/specs/helpers.js
+++ b/tests/cypress/plugins/helpers.js
@@ -2,6 +2,15 @@ const agencies = require("../fixtures/transit-agencies");
 
 const agency = agencies[0].fields;
 
+// from nginx.conf
+export const RATE_LIMIT = 12;
+// 12 requests/minute ==> 5 seconds in milliseconds
+export const WAIT_TIME = (60 / RATE_LIMIT) * 1000;
+
+export const rateLimitWait = () => {
+  cy.wait(WAIT_TIME);
+};
+
 export const selectAgency = () => {
   cy.location("pathname").should("eq", "/");
 
diff --git a/tests/cypress/plugins/index.js b/tests/cypress/plugins/index.js
index bfc8527a1..ffe5b1bb4 100644
--- a/tests/cypress/plugins/index.js
+++ b/tests/cypress/plugins/index.js
@@ -1,8 +1,6 @@
 module.exports = (on, config) => {
   // add OS environment variables into Cypress.env
   config.env = config.env || {};
-  config.env.DJANGO_RATE_LIMIT = process.env.DJANGO_RATE_LIMIT;
-  config.env.DJANGO_RATE_LIMIT_PERIOD = process.env.DJANGO_RATE_LIMIT_PERIOD;
 
   return config;
 };
diff --git a/tests/cypress/specs/benefit-select.cy.js b/tests/cypress/specs/benefit-select.cy.js
index cfbf72db7..47a6ea69b 100644
--- a/tests/cypress/specs/benefit-select.cy.js
+++ b/tests/cypress/specs/benefit-select.cy.js
@@ -1,4 +1,4 @@
-const helpers = require("./helpers");
+const helpers = require("../plugins/helpers");
 
 const verifier_selection_url = "/eligibility";
 
diff --git a/tests/cypress/specs/courtesy-cards.cy.js b/tests/cypress/specs/courtesy-cards.cy.js
index 4b8298571..6015dad44 100644
--- a/tests/cypress/specs/courtesy-cards.cy.js
+++ b/tests/cypress/specs/courtesy-cards.cy.js
@@ -1,4 +1,4 @@
-const helpers = require("./helpers");
+const helpers = require("../plugins/helpers");
 const users = require("../fixtures/users.json");
 
 describe("Courtesy Cards", () => {
@@ -10,6 +10,8 @@ describe("Courtesy Cards", () => {
   });
 
   it("Confirms an eligible user", () => {
+    helpers.rateLimitWait();
+
     cy.get("#sub").type(users.eligible.sub);
     cy.get("#name").type(users.eligible.name);
     cy.get("#form-eligibility-verification button[type='submit']").click();
@@ -18,6 +20,8 @@ describe("Courtesy Cards", () => {
   });
 
   it("Rejects an ineligible user", () => {
+    helpers.rateLimitWait();
+
     cy.get("#sub").type(users.ineligible.sub);
     cy.get("#name").type(users.ineligible.name);
     cy.get("#form-eligibility-verification button[type='submit']").click();
diff --git a/tests/cypress/specs/rate-limit.cy.js b/tests/cypress/specs/rate-limit.cy.js
index a29a7d5d8..bfc534de6 100644
--- a/tests/cypress/specs/rate-limit.cy.js
+++ b/tests/cypress/specs/rate-limit.cy.js
@@ -1,34 +1,22 @@
-const agencies = require("../fixtures/transit-agencies");
 const users = require("../fixtures/users.json");
+const helpers = require("../plugins/helpers");
 const { eligibility_url, post_confirm } = require("../plugins/eligibility");
 
+const SUCCESS_STATUS = 302;
+const FAIL_STATUS = 503;
+
 describe("Rate limiting feature spec", () => {
   beforeEach(() => {
     cy.visit("/");
 
-    // agency selection
-    cy.contains("Choose Your Provider").click();
-    cy.contains(agencies[0].fields.long_name).click();
-
-    // select Courtesy Card
-    // TODO find a more robust way to do this
-    cy.get('#form-verifier-selection [type="radio"]').check("2");
-    cy.get("#form-verifier-selection button[type='submit']").click();
-    cy.contains("Continue").click();
+    helpers.selectAgency();
+    helpers.selectCourtesyCard();
   });
 
   it("Limits excess requests", () => {
     const sub = users.ineligible.sub;
     const name = users.ineligible.name;
 
-    // start by making 5 times as many requests as allowed
-    // these should match the defaults in settings.py
-    const RATE_LIMIT = 5;
-    const N_REQUESTS = RATE_LIMIT * 5;
-    const RATE_LIMIT_PERIOD = 60;
-
-    const SUCCESS_STATUS = 302;
-
     // csrfmiddlewaretoken value needed to enable automated form submissions
     // there could be multiple forms on the page, so get() the one with the
     // action we are interested in
@@ -36,29 +24,41 @@ describe("Rate limiting feature spec", () => {
       .find("input[name='csrfmiddlewaretoken']")
       .invoke("attr", "value")
       .then((csrfmiddlewaretoken) => {
-        // make excess requests
-        for (let i = 0; i < N_REQUESTS; i++) {
-          // continue on non-successful status codes to check response
+        // make successive requests with no wait time
+        for (let i = 0; i < helpers.RATE_LIMIT; i++) {
           post_confirm(csrfmiddlewaretoken, sub, name, false).then((res) => {
-            if (i < RATE_LIMIT) {
-              // allow up to API_RATE_LIMIT requests
+            // the first request should succeed, subsequent should fail
+            if (i == 0) {
               expect(res.status).to.eq(SUCCESS_STATUS);
             } else {
-              // we've gone beyond API_RATE_LIMIT
-              expect(res.status).to.eq(400);
+              expect(res.status).to.eq(FAIL_STATUS);
+              expect(res.body).to.contain("nginx");
+              expect(res.body).not.to.contain("Return home");
             }
           });
         }
+      });
+  });
+
+  it("Allows requests with enough time in between", () => {
+    // start with a wait, since the previous test already triggered the limit
+    helpers.rateLimitWait();
 
-        // now wait for the rate limit to refresh
-        // Cypress expects milliseconds, the rate limit period is expressed in seconds
-        cy.wait(RATE_LIMIT_PERIOD * 1000);
+    const sub = users.ineligible.sub;
+    const name = users.ineligible.name;
 
-        // and try again with a reasonable number of requests
-        for (let i = 0; i < RATE_LIMIT - 1; i++) {
-          post_confirm(csrfmiddlewaretoken, sub, name, true).then((res) => {
-            // these requests should all succeed
+    // csrfmiddlewaretoken value needed to enable automated form submissions
+    // there could be multiple forms on the page, so get() the one with the
+    // action we are interested in
+    cy.get(`form[action='${eligibility_url}'`)
+      .find("input[name='csrfmiddlewaretoken']")
+      .invoke("attr", "value")
+      .then((csrfmiddlewaretoken) => {
+        // make successive requests with time in between
+        for (let i = 0; i < helpers.RATE_LIMIT; i++) {
+          post_confirm(csrfmiddlewaretoken, sub, name, false).then((res) => {
             expect(res.status).to.eq(SUCCESS_STATUS);
+            helpers.rateLimitWait();
           });
         }
       });
diff --git a/tests/cypress/specs/scrapers.cy.js b/tests/cypress/specs/scrapers.cy.js
new file mode 100644
index 000000000..bf0e59dc5
--- /dev/null
+++ b/tests/cypress/specs/scrapers.cy.js
@@ -0,0 +1,26 @@
+const endpoints = ["cgi", "eligibility/app", "sample/api"];
+const files = [".env", "wp-admin/login.php", "data.json", "secrets/prod.yaml"];
+const targets = endpoints.concat(files);
+
+const visit = (partial_path) => {
+  return cy.request({
+    method: "GET",
+    url: `/${partial_path}`,
+    // allow cypress to continue on 404
+    failOnStatusCode: false,
+  });
+};
+
+const NOT_FOUND = 404;
+
+describe("Scraper filtering spec", () => {
+  targets.forEach((target) => {
+    it(`nginx returns 404 for known scraper target pattern: /${target}`, () => {
+      visit(target).then((res) => {
+        expect(res.status).to.eq(NOT_FOUND);
+        expect(res.body).to.contain("nginx");
+        expect(res.body).not.to.contain("Cal-ITP");
+      });
+    });
+  });
+});
diff --git a/tests/cypress/specs/spanish.cy.js b/tests/cypress/specs/spanish.cy.js
index 80c3e2f86..6142011ec 100644
--- a/tests/cypress/specs/spanish.cy.js
+++ b/tests/cypress/specs/spanish.cy.js
@@ -1,4 +1,4 @@
-const helpers = require("./helpers");
+const helpers = require("../plugins/helpers");
 
 describe("Spanish language", () => {
   beforeEach(() => {
diff --git a/tests/pytest/core/test_middleware_healthcheck_user_agent.py b/tests/pytest/core/test_middleware_healthcheck_user_agent.py
index ae90c97d5..9a6f34ed8 100644
--- a/tests/pytest/core/test_middleware_healthcheck_user_agent.py
+++ b/tests/pytest/core/test_middleware_healthcheck_user_agent.py
@@ -3,14 +3,14 @@
 
 import pytest
 
-from benefits.core import session
+from benefits.core import middleware
 from benefits.core.views import ROUTE_INDEX, TEMPLATE_INDEX
 
 
 @pytest.mark.django_db
 @pytest.mark.parametrize("user_agent", ["AlwaysOn", "Edge Health Probe"])
 def test_healthcheck_user_agent(mocker, user_agent):
-    mocker.patch.object(session.settings, "HEALTHCHECK_USER_AGENTS", [user_agent])
+    mocker.patch.object(middleware.settings, "HEALTHCHECK_USER_AGENTS", [user_agent])
     client = Client(HTTP_USER_AGENT=user_agent)
 
     response = client.get(reverse(ROUTE_INDEX))
@@ -21,7 +21,7 @@ def test_healthcheck_user_agent(mocker, user_agent):
 
 @pytest.mark.django_db
 def test_non_healthcheck_user_agent(mocker, client):
-    mocker.patch.object(session.settings, "HEALTHCHECK_USER_AGENTS", ["AlwaysOn"])
+    mocker.patch.object(middleware.settings, "HEALTHCHECK_USER_AGENTS", ["AlwaysOn"])
 
     response = client.get(reverse(ROUTE_INDEX))
 
diff --git a/tests/pytest/core/test_session.py b/tests/pytest/core/test_session.py
index c7d0583a2..682c3d688 100644
--- a/tests/pytest/core/test_session.py
+++ b/tests/pytest/core/test_session.py
@@ -159,47 +159,6 @@ def test_oauth_token_default(app_request):
     assert not session.oauth_token(app_request)
 
 
-@pytest.mark.django_db
-def test_rate_limit_counter_default(app_request):
-    assert session.rate_limit_counter(app_request) == 0
-
-
-@pytest.mark.django_db
-def test_rate_limit_counter_increment(app_request):
-    session.reset_rate_limit(app_request)
-    session.increment_rate_limit_counter(app_request)
-
-    c1 = session.rate_limit_counter(app_request)
-    assert isinstance(c1, int)
-    assert c1 > 0
-
-    session.increment_rate_limit_counter(app_request)
-
-    c2 = session.rate_limit_counter(app_request)
-    assert c2 == c1 + 1
-
-
-@pytest.mark.django_db
-def test_rate_limit_reset(mocker, app_request):
-    mocker.patch.object(session.settings, "RATE_LIMIT_PERIOD", 100)
-    t0 = int(time.time())
-
-    session.reset_rate_limit(app_request)
-
-    assert session.rate_limit_counter(app_request) == 0
-    assert session.rate_limit_time(app_request) >= t0 + 100
-
-
-@pytest.mark.django_db
-def test_rate_limit_time_default(app_request):
-    # a reset session also resets rate limit time (t0), which should have already happened coming into this test
-    t0 = session.rate_limit_time(app_request)
-    t1 = int(time.time())
-
-    # rate limit expiry time should be in the future
-    assert t0 >= t1
-
-
 @pytest.mark.django_db
 def test_reset_agency(model_TransitAgency, app_request):
     session.update(app_request, agency=model_TransitAgency)
diff --git a/tests/pytest/eligibility/test_views.py b/tests/pytest/eligibility/test_views.py
index 4fd35aef3..2e93d6e40 100644
--- a/tests/pytest/eligibility/test_views.py
+++ b/tests/pytest/eligibility/test_views.py
@@ -50,13 +50,6 @@ def mocked_verifier_form(mocker):
     mocker.patch("benefits.eligibility.views.forms.EligibilityVerifierSelectionForm", return_value=mock_form)
 
 
-@pytest.fixture(autouse=True)
-def disable_rate_limit(mocker):
-    # override session rate limit handling for all tests
-    mock_settings = mocker.patch("benefits.core.middleware.settings")
-    mock_settings.RATE_LIMIT_ENABLED = False
-
-
 @pytest.mark.django_db
 @pytest.mark.usefixtures("mocked_session_agency")
 def test_index_get_agency_multiple_verifiers(
diff --git a/tests/pytest/requirements.txt b/tests/pytest/requirements.txt
deleted file mode 100644
index 4743c4a37..000000000
--- a/tests/pytest/requirements.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-pytest
-pytest-cov
-pytest-django
-pytest-mock
-pytest-socket
diff --git a/tests/pytest/test_sentry.py b/tests/pytest/test_sentry.py
index d369a8844..7307cc317 100644
--- a/tests/pytest/test_sentry.py
+++ b/tests/pytest/test_sentry.py
@@ -1,8 +1,11 @@
-from benefits import VERSION
-from benefits.sentry import get_release
 import os
 from tempfile import NamedTemporaryFile
 
+import pytest
+
+from benefits import VERSION
+from benefits.sentry import get_release, get_traces_sample_rate
+
 
 def test_git(mocker):
     mocker.patch("benefits.sentry.git_available", return_value=True)
@@ -45,3 +48,32 @@ def test_git_no_repo(mocker):
     mocker.patch("benefits.sentry.get_sha_file_path", return_value=file_path)
 
     assert get_release() == VERSION
+
+
+def test_traces_sample_rate_default():
+    rate = get_traces_sample_rate()
+    assert rate == 0.0
+
+
+@pytest.mark.parametrize("env_rate", ["0.0", "0.25", "0.99", "1.0"])
+def test_traces_sample_rate_valid_range(mocker, env_rate):
+    mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
+
+    rate = get_traces_sample_rate()
+    assert rate == float(env_rate)
+
+
+@pytest.mark.parametrize("env_rate", ["-1.0", "-0.1", "1.01", "2.0"])
+def test_traces_sample_rate_invalid_range(mocker, env_rate):
+    mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
+
+    rate = get_traces_sample_rate()
+    assert rate == 0.0
+
+
+@pytest.mark.parametrize("env_rate", ["zero", "one", "huh?"])
+def test_traces_sample_rate_not_float(mocker, env_rate):
+    mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
+
+    rate = get_traces_sample_rate()
+    assert rate == 0.0