diff --git a/node/rustchain_bft_consensus.py b/node/rustchain_bft_consensus.py
index 41a9e975..87c0ccb2 100644
--- a/node/rustchain_bft_consensus.py
+++ b/node/rustchain_bft_consensus.py
@@ -392,6 +392,17 @@ def _handle_pre_prepare(self, msg: ConsensusMessage) -> Optional[ConsensusMessag
 logging.warning(f"PRE-PREPARE not from leader: {msg.node_id}")
 return None
+ # Verify HMAC signature (matches pattern in handle_prepare/handle_commit)
+ sign_data = f"{MessageType.PRE_PREPARE.value}:{msg.view}:{epoch}:{msg.digest}:{msg.timestamp}"
+ if not self._verify_signature(msg.node_id, sign_data, msg.signature):
+ logging.warning(f"Invalid PRE-PREPARE signature from {msg.node_id}")
+ return None
+
+ # Check timestamp freshness
+ if abs(time.time() - msg.timestamp) > CONSENSUS_MESSAGE_TTL:
+ logging.warning(f"Stale PRE-PREPARE from {msg.node_id} (age={int(time.time()) - msg.timestamp}s)")
+ return None
+
 # Validate proposal (hardware attestation checks)
 if not self._validate_proposal(msg.proposal):
 logging.warning(f"Invalid proposal for epoch {epoch}")
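Review bot: The freshness check added after the HMAC check only bounds a PRE-PREPARE's age to CONSENSUS_MESSAGE_TTL; it does not stop a captured leader message from being replayed inside that window, so unless `_handle_pre_prepare` (whose body starts and ends outside this hunk) already rejects a second PRE-PREPARE for the same `(msg.view, epoch)` or tracks accepted digests, a replay passes both new checks and reaches `_validate_proposal` again. Note also that `sign_data` binds `msg.digest` but not `msg.proposal`: if the digest is not recomputed from the proposal and compared somewhere in this handler, an on-path party can keep the authenticated header and substitute the proposal body, leaving only the attestation check in `_validate_proposal` as a barrier. I would state that assumption next to the new block, e.g. `# HMAC covers view/epoch/digest/timestamp only; digest MUST be checked against msg.proposal below`, and add a `(view, epoch)` dedup before `_validate_proposal` if none exists. Since `_verify_signature` is an HMAC rather than a public-key signature, the preceding leader check on `msg.node_id` is only as strong as per-node key separation, and a faulty key holder's PRE-PREPARE cannot be proven to third parties during view change — worth a comment if that is an accepted design choice. Minor: running the cheap TTL test before the MAC spares the computation on stale traffic, and the stale-log line should reuse one `now = time.time()` sample rather than calling it twice (and `abs(...)` versus `int(now) - msg.timestamp` will disagree on sign for future-dated messages).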