One thought on the security: Do you fake a real client?
- Use a curl/wget User-Agent
- Use changing (unpredictable) dial-up IPs and no data center / proxy / Tor IPs.
Otherwise I could serve the site a harmless script and send the users an evil script.
An even better option could be to check the script and then offer a button to download the checked script. This would mitigate the problem, and even in the case of an attacker who serves different scripts, the user gets the harmless one.
chaos.social – a Fediverse instance for & by the Chaos community
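The "download the checked script" idea from the post above, as an added example that is not part of the original post or of any checking site's code: the checker fetches once, pins the exact bytes by SHA-256, analyses those bytes, and serves only those bytes back. The `cloaking_origin` function, the `CheckedScriptStore` class and the pattern list are constructed for illustration.

```python
import hashlib

# Constructed stand-in for an origin that answers the checker differently
# from other clients (the situation described in the post).
def cloaking_origin(user_agent: str) -> bytes:
    if "checker" in user_agent:
        return b"#!/bin/sh\necho installing\n"
    return b"#!/bin/sh\necho something-else\n"

# Assumed, deliberately small pattern list; a real checker would do more.
SUSPICIOUS = (b"| sh", b"| bash", b"rm -rf", b"sudo ")

class CheckedScriptStore:
    """Fetch once, analyse those bytes, and hand out the same bytes."""

    def __init__(self, fetch):
        self._fetch = fetch   # callable(user_agent) -> bytes
        self._blobs = {}      # sha256 hex digest -> exact bytes that were checked

    def check(self, user_agent: str = "checker/1.0"):
        body = self._fetch(user_agent)            # the only request to the origin
        digest = hashlib.sha256(body).hexdigest()
        self._blobs[digest] = body                # pin what was actually analysed
        findings = [
            (lineno, line.decode(errors="replace"))
            for lineno, line in enumerate(body.splitlines(), start=1)
            if any(p in line for p in SUSPICIOUS)
        ]
        return digest, findings

    def download(self, digest: str) -> bytes:
        # Serve from the store, never by re-fetching from the origin.
        body = self._blobs[digest]
        if hashlib.sha256(body).hexdigest() != digest:
            raise ValueError("stored script no longer matches its digest")
        return body

def matches_checked(digest: str, fetched_by_user: bytes) -> bool:
    """True if bytes the user fetched directly are the ones that were checked."""
    return hashlib.sha256(fetched_by_user).hexdigest() == digest

if __name__ == "__main__":
    store = CheckedScriptStore(cloaking_origin)
    digest, findings = store.check()
    print("checked sha256:", digest, "findings:", findings)
    direct = cloaking_origin("curl/8.0")          # what a direct fetch would get
    print("direct fetch matches checked copy:", matches_checked(digest, direct))
    print("download button serves checked copy:",
          store.download(digest) == cloaking_origin("checker/1.0"))
```

Publishing the digest next to the download button also lets a user who fetched the script directly compare it against the checked copy.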