Update API.md

AJ ONeal 2017-08-02 16:29:21 -06:00
parent 2cace0b3ad
commit ae1f47df38
1 changed files with 8 additions and 2 deletions

API.md

@ -62,11 +62,17 @@ Walnut will reject requests to all domains and subdomains except those that begi
* secured by disallowing cookies
* secured by disallowing non-JSON form types
* secured by requiring authentication in header
* `assets` is for large files and other blobs and must use JWT in Cookies for authentication
* `assets` is for protected access to large files and other blobs and must use JWT in Cookies for authentication
* warning: allows implicit authorization via cookies for hotlinking and the like
* secured by not exposing tokens when users copy-paste
* `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model
* warning: these are insecure and should be used with caution, prudence, and wisdom
* JWT via query parameter
* urlencoded forms
* XML forms
* XML forms
Bare and www domains are DISALLOWED from being served by Walnut.
This enables scalability of static sites as the static assets
are never on the same domain as generic APIs or authenticated assets.
It also enforces security by disallowing 1990s web vulnerabilities by default.
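
Review bot: The closing sentence, "disallowing 1990s web vulnerabilities by default", does not say which vulnerabilities are meant, so a reader cannot tell what the subdomain split actually protects against. Name the classes explicitly and tie them to the rules already listed for the API prefix (no cookies, JSON-only form types, authentication in the header), since those rules are what do the work. In the same hunk, the `assets` line now says "protected access" while the next line warns that cookies give implicit authorization; state what limits that exposure (for example, whether `assets` is restricted to read-only requests and whether the cookie is scoped to the `assets` subdomain only), otherwise "protected" reads as a stronger guarantee than the warning allows. The "XML forms" item also appears twice in this region; if that is only a trailing-newline change, fine, but check that the rendered list does not end up with a duplicate bullet.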