diff --git a/PROGRESS.md b/PROGRESS.md index 28eaeec..a711e3e 100644 --- a/PROGRESS.md +++ b/PROGRESS.md @@ -29,6 +29,7 @@ - New testing DB (`lomavuokraus_testing`) holds the previous staging/prod data; the main `lomavuokraus` DB was recreated clean with only the seeded admin user. Migration history was copied, and a schema snapshot lives at `docs/db-schema.sql`. - Testing environment wiring added: dedicated namespace (`lomavuokraus-test`), deploy wrapper (`deploy/deploy-test.sh`), API host support, and a DNS updater for `test.lomavuokraus.fi` / `apitest.lomavuokraus.fi`. - Access control tightened: middleware now gates admin routes, admin-only pages check session/role, API handlers return proper 401/403, and listing removal is limited to owners/admins (no more moderator overrides). +- Security: added OWASP ZAP baseline helper (`scripts/zap-baseline.sh`) and documentation (`docs/security.html`) for quick unauthenticated scans against test/staging/prod. - Backend/data: Added Prisma models (User/Listing/ListingTranslation/ListingImage), seed script creates sample listing; DB on Hetzner VM `46.62.203.202`, staging secrets set in `lomavuokraus-web-secrets`. - Auth: Register/login/verify flows; session cookie (`session_token`), NavBar shows email+role badge. Roles: USER, ADMIN, USER_MODERATOR (approve users), LISTING_MODERATOR (approve listings). Admin can change roles at `/admin/users`. - Listing flow: create listing (session required), pending/published with admin/moderator approvals; pages for “My listings,” “New listing,” “Profile.” Quick actions tile removed; all actions in navbar. diff --git a/docs/index.html b/docs/index.html index 39a36fb..509e49b 100644 --- a/docs/index.html +++ b/docs/index.html @@ -18,6 +18,7 @@
  • Build & Deploy
  • Logical Architecture
  • Feature Sequences
  • +
  • Security Testing
  • diff --git a/docs/security.html b/docs/security.html new file mode 100644 index 0000000..bd1e572 --- /dev/null +++ b/docs/security.html @@ -0,0 +1,43 @@ + + + + + Security Testing + + + +
    +

    Security Testing

    +
    Quick OWASP ZAP baseline checks against any deployed environment.
    +
    +
    +
    +

    Baseline scan

    +
      +
    • Script: scripts/zap-baseline.sh
    • +
    • Default target: https://test.lomavuokraus.fi (override with TARGET).
    • +
    • Reports: reports/security/zap-report.html (also JSON/XML).
    • +
    • Example: TARGET=https://staging.lomavuokraus.fi ./scripts/zap-baseline.sh
    • +
    • Duration: ~5 minutes by default (TIMEOUT_MINUTES env).
    • +
    • Docker image: owasp/zap2docker-stable (override with ZAP_IMAGE).
    • +
    +
    +
    +

    Auth considerations

    +
      +
    • The baseline scan is unauthenticated; it covers public pages and APIs.
    • +
    • For authenticated testing, generate a session cookie manually and pass via -z extras in the script or run an active scan with a ZAP context file.
    • +
    • Keep admin creds out of the script; prefer test accounts and the testing environment.
    • +
    +
    +
    +

    Next steps

    +
      +
    • Add ZAP active scans with context + logged-in session for deeper coverage.
    • +
    • Consider scheduling scans against test env before releases.
    • +
    • Track findings in issues; rerun after auth/role changes.
    • +
    +
    +
    + + diff --git a/scripts/zap-baseline.sh b/scripts/zap-baseline.sh new file mode 100755 index 0000000..e9391c9 --- /dev/null +++ b/scripts/zap-baseline.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Lightweight OWASP ZAP baseline scan. +# Usage: TARGET=https://test.lomavuokraus.fi ./scripts/zap-baseline.sh + +TARGET="${TARGET:-https://test.lomavuokraus.fi}" +ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}" +REPORT_DIR="${REPORT_DIR:-reports/security}" +TIMEOUT_MINUTES="${TIMEOUT_MINUTES:-5}" + +mkdir -p "$REPORT_DIR" + +echo "Running ZAP baseline against $TARGET (timeout ${TIMEOUT_MINUTES}m)..." +docker run --rm \ + -u "$(id -u)":"$(id -g)" \ + -v "$PWD/$REPORT_DIR":/zap/wrk \ + "$ZAP_IMAGE" zap-baseline.py \ + -t "$TARGET" \ + -x zap-report.xml \ + -r zap-report.html \ + -J zap-report.json \ + -I \ + -m "$TIMEOUT_MINUTES" + +echo "Reports written to $REPORT_DIR (zap-report.html, zap-report.xml, zap-report.json)"
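Review bot: the new PROGRESS.md bullet advertises "quick unauthenticated scans against test/staging/prod", while the docs/security.html added in the same change tells readers to prefer test accounts and the testing environment; align the two by saying that prod is only reached by explicitly setting TARGET and that such runs are coordinated, because even the passive baseline scan spiders every public URL it can find on the host. It would also help to add where findings are tracked (the doc's "Next steps" says issues) so the progress note matches the documentation.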
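Review bot: in the "Baseline scan" list of docs/security.html, "Duration: ~5 minutes by default (TIMEOUT_MINUTES env)" does not describe what the script does with that variable: it is forwarded as zap-baseline.py -m, which is the spider time limit, not a bound on the whole run, so passive scanning of everything the spider found can push the scan well past five minutes. Reword to "Spider time: 5 minutes by default" or rename the variable. Two smaller points: owasp/zap2docker-stable is the deprecated Docker Hub name (ZAP now publishes ghcr.io/zaproxy/zaproxy:stable), so the default named here and in the script should move; and the "pass via -z extras" advice under "Auth considerations" is underspecified, since -z forwards raw ZAP command-line options and injecting a session cookie that way means a replacer-rule config string, which is worth either documenting exactly or dropping in favour of the context-file route the same bullet already mentions.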
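Review bot: TIMEOUT_MINUTES in scripts/zap-baseline.sh is passed as -m, which zap-baseline.py defines as the number of minutes to spider, not a timeout for the run, so the name and the "timeout ${TIMEOUT_MINUTES}m" echo are misleading; rename it (e.g. SPIDER_MINUTES) or reword the echo. Two more in the docker run block: -v "$PWD/$REPORT_DIR":/zap/wrk breaks when REPORT_DIR is supplied as an absolute path (the mount becomes "$PWD//reports/..."), so resolve it once after the mkdir, e.g. REPORT_DIR="$(cd "$REPORT_DIR" && pwd)"; and with set -e, a non-zero exit from zap-baseline.py (-I only suppresses failure on WARN; FAIL results still return non-zero) aborts the script before the final echo, so the reports are written but the path hint is never printed. Capture the status (rc=0; docker run ... || rc=$?; echo ...; exit "$rc") so CI gets both the exit code and the report location.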