diff --git a/data/hostname/webapp.internal.staging.swh.network.yaml b/data/hostname/webapp.internal.staging.swh.network.yaml
index f79cdde9..d62ac6a7 100644
--- a/data/hostname/webapp.internal.staging.swh.network.yaml
+++ b/data/hostname/webapp.internal.staging.swh.network.yaml
@@ -1,58 +1,84 @@
 networks:
   default:
     interface: eth0
     address: 192.168.128.8
     netmask: 255.255.255.0
     gateway: 192.168.128.1
 
 hitch::frontend: "[*]:443"
 hitch::proxy_support: true
 
 varnish::http_port: 80
 apache::http_port: 9080
 
 # Disable default vhost on port 80
 apache::default_vhost: false
 
 swh::deploy::webapp::vhost::name: webapp.internal.staging.swh.network
 swh::deploy::webapp::vhost::aliases:
   - webapp.staging.swh.network
   - webapp.staging.softwareheritage.org
 
 swh::deploy::webapp::config::allowed_hosts:
   - webapp.internal.staging.swh.network
   - webapp.staging.swh.network
   - webapp.staging.softwareheritage.org
 
 swh::deploy::webapp::backend::workers: 16
 swh::deploy::webapp::backend::http_keepalive: 5
 swh::deploy::webapp::backend::http_timeout: 3600
 swh::deploy::webapp::backend::reload_mercy: 3600
 
 # in private data:
 # deposit_basic_auth_swhworker_username
 # deposit_basic_auth_swhworker_password
 swh::deploy::webapp::config:
   storage: "%{alias('swh::remote_service::storage::config')}"
   vault: "%{alias('swh::remote_service::vault::config::writable')}"
   indexer_storage: "%{alias('swh::remote_service::indexer::config')}"
   scheduler: "%{alias('swh::remote_service::scheduler::config::writable')}"
   log_dir: "%{hiera('swh::deploy::webapp::conf::log_dir')}"
   secret_key: "%{hiera('swh::deploy::webapp::conf::secret_key')}"
   content_display_max_size: 1048576
   throttling:
     cache_uri: "%{hiera('memcached::server::bind')}:%{hiera('memcached::server::port')}"
     scopes:
       swh_api:
         limiter_rate:
           default: 120/h
         exempted_networks:
           - 127.0.0.0/8
           - 192.168.100.0/23
           - 129.168.128.0/24
+      swh_api_origin_visit_latest:
+        # This endpoint gets called a lot (by default, up to 70 times
+        # per origin search), so it deserves a much higher rate-limit
+        # than the rest of the API.
+        limiter_rate:
+          default: 700/m
+        exempted_networks:
+          - 127.0.0.0/8
+          - 192.168.100.0/23
+          - 192.168.128.0/24
+      swh_vault_cooking:
+        limiter_rate:
+          default: 120/h
+          GET: 60/m
+        exempted_networks:
+          - 127.0.0.0/8
+          - 192.168.100.0/23
+          - 192.168.128.0/24
+      swh_save_origin:
+        limiter_rate:
+          default: 120/h
+          POST: 10/h
+        exempted_networks:
+          - 127.0.0.0/8
+          - 192.168.100.0/23
+          - 129.168.128.0/24
   allowed_hosts: "%{alias('swh::deploy::webapp::config::allowed_hosts')}"
   production_db: "%{hiera('swh::deploy::webapp::production_db')}"
   deposit:
     private_api_url: https://deposit.internal.swh.staging/1/private/
     private_api_user: "%{hiera('deposit_basic_auth_swhworker_username')}"
     private_api_password: "%{hiera('deposit_basic_auth_swhworker_password')}"
diff --git a/data/location/sesi_rocquencourt_staging.yaml b/data/location/sesi_rocquencourt_staging.yaml
index 88135bc7..e437fe6e 100644
--- a/data/location/sesi_rocquencourt_staging.yaml
+++ b/data/location/sesi_rocquencourt_staging.yaml
@@ -1,98 +1,98 @@
 ---
 dns::local_cache: false
 dns::nameservers:
   - 192.168.100.29
 dns::search_domains:
   - internal.staging.swh.network
 
 dns::forward_zones:
   'internal.softwareheritage.org.':
     - 192.168.100.29
   '100.168.192.in-addr.arpa.':
     - 192.168.100.29
   '101.168.192.in-addr.arpa.':
     - 192.168.100.29
   'internal.staging.swh.network':
     - 192.168.100.29
   '128.168.192.in-addr.arpa.':
     - 192.168.100.29
 
 dns::forwarders:
   - 193.51.196.130
   - 193.51.196.131
 dns::forwarder_insecure: true
 
 ntp::servers:
   - sesi-ntp1.inria.fr
   - sesi-ntp2.inria.fr
 
 internal_network: 192.168.128.0/24
 
 smtp::relayhost: '[smtp.inria.fr]'
 
 swh::deploy::storage::db::host: db0.internal.staging.swh.network
 swh::deploy::storage::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}"
 swh::deploy::storage::db::user: swh
 swh::deploy::storage::db::dbname: swh
 
 swh::deploy::indexer::storage::db::host: db0.internal.staging.swh.network
 swh::deploy::indexer::storage::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}"
 swh::deploy::indexer::storage::db::user: swh-indexer
 swh::deploy::indexer::storage::db::dbname: swh-indexer
 
 swh::deploy::scheduler::db::host: db0.internal.staging.swh.network
 swh::deploy::scheduler::db::port: "%{alias('swh::deploy::db::pgbouncer::port')}"
 swh::deploy::scheduler::db::dbname: swh-scheduler
 swh::deploy::scheduler::db::user: swh-scheduler
 
 swh::deploy::worker::instances:
   - loader_git
 
 #### Rabbitmq instance to use
 # swh::deploy::worker::task_broker::password in private data
 swh::deploy::worker::task_broker: "amqp://swhconsumer:%{hiera('swh::deploy::worker::task_broker::password')}@scheduler0.internal.staging.swh.network:5672//"
 
 #### Storage/Indexer/Vault/Scheduler services to use in staging area
 
 swh::remote_service::storage::config::storage0:
   cls: remote
   args:
     url: "http://storage0.internal.staging.swh.network:%{hiera('swh::remote_service::storage::port')}/"
 swh::remote_service::storage::config: "%{alias('swh::remote_service::storage::config::storage0')}"
 swh::remote_service::storage::config::writable: "%{alias('swh::remote_service::storage::config::storage0')}"
 
 swh::remote_service::vault::config::vault0:
   cls: remote
   args:
     url: "http://vault0.internal.staging.swh.network:%{hiera('swh::remote_service::vault::port')}/"
-swh::remote_service::vault::config: "%{alias('swh::remote_service::vault::config::azure')}"
-swh::remote_service::vault::config::writable: "%{alias('swh::remote_service::vault::config::azure')}"
+swh::remote_service::vault::config: "%{alias('swh::remote_service::vault::config::vault0')}"
+swh::remote_service::vault::config::writable: "%{alias('swh::remote_service::vault::config::vault0')}"
 
 swh::remote_service::indexer::config::storage0:
   cls: remote
   args:
     url: "http://storage0.internal.staging.swh.network:%{hiera('swh::remote_service::indexer::port')}/"
 swh::remote_service::indexer::config: "%{alias('swh::remote_service::indexer::config::storage0')}"
 swh::remote_service::indexer::config::writable: "%{alias('swh::remote_service::indexer::config::storage0')}"
 
 swh::remote_service::scheduler::config::scheduler0:
   cls: remote
   args:
     url: "http://scheduler0.internal.staging.swh.network:%{hiera('swh::remote_service::scheduler::port')}/"
 
 swh::remote_service::scheduler::config: "%{alias('swh::remote_service::scheduler::config::scheduler0')}"
 swh::remote_service::scheduler::config::writable: "%{alias('swh::remote_service::scheduler::config::scheduler0')}"
 
 swh::deploy::worker::loader_git::config:
   storage: "%{alias('swh::remote_service::storage::config::writable')}"
   save_data: false
   directory_packet_size: 100
   celery:
     task_broker: "%{alias('swh::deploy::worker::task_broker')}"
     task_modules:
       - swh.loader.git.tasks
     task_queues:
       - swh.loader.git.tasks.UpdateGitRepository
       - swh.loader.git.tasks.LoadDiskGitRepository
       - swh.loader.git.tasks.UncompressAndLoadDiskGitRepository