From ae1f47df38569af729e2e4d68efad4275f1feb6f Mon Sep 17 00:00:00 2001
From: AJ ONeal <aj@daplie.com>
Date: Wed, 2 Aug 2017 16:29:21 -0600
Subject: [PATCH] Update API.md

---
 API.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/API.md b/API.md
index 35295d2..1957597 100644
--- a/API.md
+++ b/API.md
@@ -62,11 +62,17 @@ Walnut will reject requests to all domains and subdomains except those that begi
   * secured by disallowing cookies
   * secured by disallowing non-JSON form types
   * secured by requiring authentication in header
-* `assets` is for large files and other blobs and must use JWT in Cookies for authentication
+* `assets` is for protected access to large files and other blobs and must use JWT in Cookies for authentication
   * warning: allows implicit authorization via cookies for hotlinking and the like
   * secured by not exposing tokens when users copy-paste
 * `webhooks` is for 3rd-party API hooks and APIs with special requirements outside of the normal security model
   * warning: these are insecure and should be used with caution, prudence, and wisdom
   * JWT via query parameter
   * urlencoded forms
-  * XML forms
\ No newline at end of file
+  * XML forms
+
+Bare and www domains are DISALLOWED from being served by Walnut.
+
+This enables scalability of static sites as the static assets
+are never on the same domain as generic APIs or authenticated assets.
+It also enforces security by disallowing 1990s web vulnerabilities by default.
\ No newline at end of file