diff --git a/src/policies/rate-limit-policy.ts b/src/policies/rate-limit-policy.ts
old mode 100755
new mode 100644
index 2eeadcb..212be90
--- a/src/policies/rate-limit-policy.ts
+++ b/src/policies/rate-limit-policy.ts
@@ -12,6 +12,10 @@ interface RateLimit {
   whitelist?: string[];
   /** Database connection string. Default: `sqlite:///tmp/strfry-rate-limit-policy.sqlite3` */
   databaseUrl?: string;
+  /** Enable debug mode to log rejected IPs. Default: `false`. */
+  debugMode?: boolean;
+  /** Path to the debug log file. Default: `./rate-limit-debug.log` */
+  debugLogPath?: string;
 }
 
 /**
@@ -33,6 +37,8 @@ const rateLimitPolicy: Policy<RateLimit> = async (msg, opts = {}) => {
       "51.81.244.81", // nostr.wine broadcast
     ],
     databaseUrl = 'sqlite:///tmp/strfry-rate-limit-policy.sqlite3',
+    debugMode = false,
+    debugLogPath = './rate-limit-debug.log',
   } = opts;
 
   if ((msg.sourceType === 'IP4' || msg.sourceType === 'IP6') && !whitelist.includes(msg.sourceInfo)) {
@@ -41,6 +47,12 @@ const rateLimitPolicy: Policy<RateLimit> = async (msg, opts = {}) => {
     await db.set(msg.sourceInfo, count + 1, interval);
 
     if (count >= max) {
+      if (debugMode) {
+        const timestamp = new Date().toISOString();
+        const logMessage = `${timestamp}: IP ${msg.sourceInfo} rejected, ${count} attempts\n`;
+        await Deno.writeTextFile(debugLogPath, logMessage, { append: true });
+        //Deno.writeTextFileSync(debugLogPath, logMessage, { append: true });
+      }
       return {
         id: msg.event.id,
         action: 'reject',
@@ -57,5 +69,4 @@ const rateLimitPolicy: Policy<RateLimit> = async (msg, opts = {}) => {
 };
 
 export default rateLimitPolicy;
-
-export type { RateLimit };
+export type { RateLimit };
\ No newline at end of file