diff --git a/CLAUDE.md b/CLAUDE.md
index e2b451b..8f23e02 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -74,6 +74,29 @@ Critical variables in `.env`:
 4. Use `chain-authelia@file` middleware for authentication
 5. Create NFS volume in volumes section if config persistence needed
 6. Reference existing services (e.g., sonarr, radarr) as templates
+7. Add the new service subdomain to `scripts/validate-traefik.sh` SERVICES array
+8. Run the validation script (see Validation section below)
+
+## Validation
+
+**IMPORTANT: Always run the validation script after modifying `docker-compose.yml`.**
+
+```bash
+# Run validation (reads domain from .env)
+./scripts/validate-traefik.sh
+
+# Or specify domain explicitly
+./scripts/validate-traefik.sh yourdomain.com
+```
+
+The script validates:
+- All services are accessible via HTTPS
+- HTTP to HTTPS redirect is working
+- Security headers are present
+- TLS certificate is valid
+- Traefik dashboard and API are responding
+
+When adding a new service, add its subdomain to the `SERVICES` array in `scripts/validate-traefik.sh`.
 ## Log Management
diff --git a/docker-compose.yml b/docker-compose.yml
index 3adb773..c79cf57 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -101,6 +101,11 @@ volumes:
 type: nfs
 o: addr=192.168.0.6,rw,nfsvers=4.1,async
 device: :/volume1/docker/smokeping
+ librespeed_config:
+ driver_opts:
+ type: nfs
+ o: addr=192.168.0.6,rw,nfsvers=4.1,async
+ device: :/volume1/docker/librespeed
 video:
 driver_opts:
 type: nfs
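Review bot: The new `librespeed_config` volume in docker-compose.yml mounts the NAS export read-write with `o: addr=192.168.0.6,rw,nfsvers=4.1,async` and neither `nosuid` nor `nodev`, so setuid bits and device nodes placed on the share are honoured inside whatever container mounts it. Adding them costs nothing for a config directory: `o: addr=192.168.0.6,rw,nfsvers=4.1,async,nosuid,nodev`. The `smokeping` volume in the context lines uses the same option string, so this looks like an existing convention worth fixing for all volumes rather than only here. If the export relies on the default AUTH_SYS security (not visible from the diff), access control rests entirely on the NAS-side host allow-list, which is worth confirming for the new `/volume1/docker/librespeed` path. The `volumes:` block starts and continues outside the hunk.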
@@ -778,3 +783,32 @@ services:
 ## HTTP Services
 - "traefik.http.routers.smokeping-rtr.service=smokeping-svc"
 - "traefik.http.services.smokeping-svc.loadbalancer.server.port=80"
+
+ # LibreSpeed - Self-hosted HTML5 Speed Test
+ librespeed:
+ container_name: librespeed
+ image: linuxserver/librespeed:latest
+ restart: unless-stopped
+ networks:
+ - t2_proxy
+ security_opt:
+ - no-new-privileges:true
+ volumes:
+ - librespeed_config:/config
+ environment:
+ - PUID=$PUID
+ - PGID=$PGID
+ - TZ=$TZ
+ - PASSWORD=$LIBRESPEED_PASSWORD
+ logging: *default-logging
+ labels:
+ - "traefik.enable=true"
+ ## HTTP Routers
+ - "traefik.http.routers.librespeed-rtr.entrypoints=https"
+ - "traefik.http.routers.librespeed-rtr.rule=Host(`speedtest.$DOMAINNAME`)"
+ - "traefik.http.routers.librespeed-rtr.tls=true"
+ ## Middlewares
+ - "traefik.http.routers.librespeed-rtr.middlewares=chain-authelia@file"
+ ## HTTP Services
+ - "traefik.http.routers.librespeed-rtr.service=librespeed-svc"
+ - "traefik.http.services.librespeed-svc.loadbalancer.server.port=80"
diff --git a/scripts/validate-traefik.sh b/scripts/validate-traefik.sh
index 9df57df..9f96095 100755
--- a/scripts/validate-traefik.sh
+++ b/scripts/validate-traefik.sh
@@ -75,6 +75,7 @@ SERVICES=(
 "homeassistant"
 "pihole:/admin/" # Pi-hole blocks root, test admin path
 "smokeping"
+ "speedtest" # LibreSpeed
 "homebridge"
 "home" # DSM (Synology)
 )
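Review bot: `image: linuxserver/librespeed:latest` in the new `librespeed` service (docker-compose.yml hunk) follows a mutable tag, so any pull can change what runs behind the proxy without a reviewable diff. Pin it to a release tag and preferably a digest, e.g. `image: linuxserver/librespeed:<version>@sha256:<digest>` (placeholders, to be filled from the registry). Separately, `- PASSWORD=$LIBRESPEED_PASSWORD` expands to an empty string when the variable is missing from `.env` and Compose only warns. `- PASSWORD=${LIBRESPEED_PASSWORD:?set LIBRESPEED_PASSWORD in .env}` makes the stack refuse to start instead. The CLAUDE.md hunk in this commit does not, as far as the visible lines show, add `LIBRESPEED_PASSWORD` to the documented `.env` variables, so a one-line entry there would complete the change.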