Hey sorry for the delay, dealing with a lot right now, but I didn’t forget about it.

1 - Fixed this, the api key is now only forwarded if the destination hostname matches the plugin’s stored url. 2 - As I was saying, the allowlist is opt-in by design (null = allow all), and plugins legitimately need to make arbitrary outbound requests. Enforcing it globally would break the plugin system. 3 - Fixed this, it was quite simple 4 - I have added an env var (DEGOOG_DISTRUST_PROXY), if set to true it’ll make it so all users share the same rate limit regardless of their IPs, I left it as an opt in as most users currently running it are only keeping it private behind their own in house reverse proxies. This will be handy for a public instance for example 5 - Extension settings modal now correctly sends x-settings-token on save. 6 - As I said, auth is intentionally lax until a more structured auth system is added, may need to be a few weeks after stable is live, after all there’s no real auth and the setting password protected and private view should be secure enough as it is

btw all this is not live yet, it’ll be sent live with the next release ♥