* The goal is to hide every static resource that can be scanned/fingerprinted by an unauthenticated client.
* All pages, scripts, CSS, images, Javascript resources require authentication. Give standard looking 404 when unauth.
* Generate a unique 128-bit (hex digit) prefix for each proxy and store in database. This prefix must be known/provided to access gateways into authentication.
* When generating links (invites, guest browsing), this prefix is used in place of 001
* Auth page gateway: Apache configured to check path for prefix.
* Other exclusions: create_account (invite/capcha), guest browsing. Modify invite to *require* valid invite code param or 404; ensure guest browsing 404 on invalid token; capcha mode -- require proxy prefix as input param or else 404?
* The goal is to hide every static resource that can be scanned/ fingerprinted by an unauthenticated client.
* All pages, scripts, CSS, images, Javascript resources require authentication. Give standard looking 404 when unauth.
* Generate a unique 128-bit (hex digit) prefix for each proxy and store in database. This prefix must be known/provided to access gateways into authentication.
* When generating links (invites, guest browsing), this prefix is used in place of 001
* Auth page gateway: Apache configured to check path for prefix.
* Other exclusions: create_account (invite/capcha), guest browsing. Modify invite to *require* valid invite code param or 404; ensure guest browsing 404 on invalid token; capcha mode -- require proxy prefix as input param or else 404?