diff --git a/lib/vhost-server.js b/lib/vhost-server.js
index 8f04179..cf26ae6 100644
--- a/lib/vhost-server.js
+++ b/lib/vhost-server.js
@@ -6,7 +6,6 @@ module.exports.create = function (securePort, vhostsdir) {
   var fs = require('fs');
   var path = require('path');
   var dummyCerts;
-  var serveFavicon;
   var loopbackToken = require('crypto').randomBytes(32).toString('hex');
 
   function handleAppScopedError(tag, domaininfo, req, res, fn) {
@@ -115,47 +114,39 @@ module.exports.create = function (securePort, vhostsdir) {
                 localApp = getDummyAppContext(null, "[ERROR] no connect-style export from " + domaininfo.dirname);
               }
 
+              function fourohfour(req, res) {
+                res.writeHead(404);
+                res.end(
+                    "<html>"
+                  + "<head>"
+                  + '<link rel="icon" href="favicon.ico" />'
+                  + "</head>"
+                  + "<body>"
+                  + "Cannot "
+                  + encodeURI(req.method)
+                  + " 'https://"
+                  + encodeURI(domaininfo.hostname)
+                  + '/'
+                  + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
+                  + encodeURI(req.url.replace(/^\//, ''))
+                  + "'"
+                  + "<br/>"
+                  + "<br/>"
+                  + "Domain: " + encodeURI(domaininfo.hostname)
+                  + "<br/>"
+                  + "App: " + encodeURI(domaininfo.pathname)
+                  + "<br/>"
+                  + "Route : " + encodeURI(req.url)
+                  + "</body>"
+                  + "</html>"
+                );
+              }
+
               // Note: pathname should NEVER have a leading '/' on its own
               // we always add it explicitly
               function localAppWrapped(req, res) {
                 console.log('[debug]', domaininfo.hostname + '/' + domaininfo.pathname, req.url);
-                localApp(req, res, handleAppScopedError('localApp', domaininfo, req, res, function (req, res) {
-                  if (!serveFavicon) {
-                    serveFavicon = require('serve-favicon')(path.join(__dirname, '..', 'public', 'favicon.ico'));
-                  }
-
-                  // TODO redirect GET /favicon.ico to GET (req.headers.referer||'') + /favicon.ico
-                  // TODO other common root things - robots.txt, app-icon, etc
-                  serveFavicon(req, res, handleAppScopedError('serveFavicon', domaininfo, req, res, function (req, res) {
-                    connectContext.static(req, res, handleAppScopedError('connect.static', domaininfo, req, res, function (req, res) {
-                      res.writeHead(404);
-                      res.end(
-                          "<html>"
-                        + "<head>"
-                        + '<link rel="icon" href="favicon.ico" />'
-                        + "</head>"
-                        + "<body>"
-                        + "Cannot "
-                        + encodeURI(req.method)
-                        + " 'https://"
-                        + encodeURI(domaininfo.hostname)
-                        + '/'
-                        + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
-                        + encodeURI(req.url.replace(/^\//, ''))
-                        + "'"
-                        + "<br/>"
-                        + "<br/>"
-                        + "Domain: " + encodeURI(domaininfo.hostname)
-                        + "<br/>"
-                        + "App: " + encodeURI(domaininfo.pathname)
-                        + "<br/>"
-                        + "Route : " + encodeURI(req.url)
-                        + "</body>"
-                        + "</html>"
-                      );
-                    }));
-                  }));
-                }));
+                localApp(req, res, handleAppScopedError('localApp', domaininfo, req, res, fourohfour));
               }
               try {
                 var localConnect = connect();
@@ -324,37 +315,13 @@ module.exports.create = function (securePort, vhostsdir) {
           console.log('[log] [once] Loading all mounts for ' + domainApp.hostname);
           domainApp._loaded = true;
           app.use(vhost(domainApp.hostname, domainApp.apps));
-          app.use(vhost('www.' + domainApp.hostname, function (req, res/*, next*/) {
-            if (/\.appcache\b/.test(req.url)) {
-              res.setHeader('Content-Type', 'text/cache-manifest');
-              res.end('CACHE MANIFEST\n\n# v0__DELETE__CACHE__MANIFEST__\n\nNETWORK:\n*');
-              //domainApp.apps(req, res, next);
-              return;
-            }
-            // TODO XXX this is in the api section, so it should hard break
-            //res.statusCode = 301;
-            //res.setHeader('Location', newLoc);
-
-            // TODO port number for non-443
-            var escapeHtml = require('escape-html');
-            var newLocation = 'https://' + domainApp.hostname + req.url;
-            var safeLocation = escapeHtml(newLocation);
-
-            var metaRedirect = ''
-              + '<html>\n'
-              + '<head>\n'
-              + '  <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
-              + '  <META http-equiv="refresh" content="0;URL=' + safeLocation + '">\n'
-              + '</head>\n'
-              + '<body style="display: none;">\n'
-              + '  <p>You requested an old resource. Please use this instead: \n'
-              + '    <a href="' + safeLocation + '">' + safeLocation + '</a></p>\n'
-              + '</body>\n'
-              + '</html>\n'
-              ;
-
-            // 301 redirects will not work for appcache
-            res.end(metaRedirect);
+          app.use(vhost('www.' + domainApp.hostname, function (req, res) {
+            res.send({
+              error: {
+                message: "this is an api. ain't no www belong here"
+              , code: "E_WWW"
+              }
+            });
           }));
         });
       }
diff --git a/worker.js b/worker.js
index 46c5d91..c1dadd3 100644
--- a/worker.js
+++ b/worker.js
@@ -49,6 +49,36 @@ function init(info) {
         });
       });
 
+      function scrubTheDub(req, res/*, next*/) {
+        // hack for bricked app-cache
+        if (/\.appcache\b/.test(req.url)) {
+          res.setHeader('Content-Type', 'text/cache-manifest');
+          res.end('CACHE MANIFEST\n\n# v0__DELETE__CACHE__MANIFEST__\n\nNETWORK:\n*');
+          return;
+        }
+
+        // TODO port number for non-443
+        var escapeHtml = require('escape-html');
+        var newLocation = 'https://' + req.headers.host.replace(/^www\./, '') + req.url;
+        var safeLocation = escapeHtml(newLocation);
+
+        var metaRedirect = ''
+          + '<html>\n'
+          + '<head>\n'
+          + '  <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+          + '  <META http-equiv="refresh" content="0;URL=' + safeLocation + '">\n'
+          + '</head>\n'
+          + '<body style="display: none;">\n'
+          + '  <p>You requested an old resource. Please use this instead: \n'
+          + '    <a href="' + safeLocation + '">' + safeLocation + '</a></p>\n'
+          + '</body>\n'
+          + '</html>\n'
+          ;
+
+        // 301 redirects will not work for appcache
+        res.end(metaRedirect);
+      }
+
       app.use('/', function (req, res, next) {
         if (/^\/api/.test(req.url)) {
           next();
@@ -66,10 +96,27 @@ function init(info) {
         }
         host = host.toLowerCase();
 
+        if (/^www\./.test(host)) {
+          scrubTheDub(req, res, next);
+          return;
+        }
+
+        function serveIt() {
+          // TODO redirect GET /favicon.ico to GET (req.headers.referer||'') + /favicon.ico
+          // TODO other common root things - robots.txt, app-icon, etc
+          staticHandlers[host].favicon(req, res, function (err) {
+            if (err) {
+              next(err);
+              return;
+            }
+            staticHandlers[host](req, res, next);
+          });
+        }
+
         if (staticHandlers[host]) {
           if (staticHandlers[host].then) {
             staticHandlers[host].then(function () {
-              staticHandlers[host](req, res, next);
+              serveIt();
             }, function (err) {
               res.send({
                 error: {
@@ -81,7 +128,7 @@ function init(info) {
             return;
           }
 
-          staticHandlers[host](req, res, next);
+          serveIt();
           return;
         }
 
@@ -107,21 +154,24 @@ function init(info) {
                 return;
               }
 
-              if (-1 === node.indexOf('.') || invalidHost.test(node)) {
+              // ignore .gitkeep and folders without a .
+              if (0 === node.indexOf('.') || -1 === node.indexOf('.') || invalidHost.test(node)) {
                 return;
               }
 
               console.log('vhost static');
               console.log(node);
               staticHandlers[node] = require('serve-static')(path.join(__dirname, 'sites-enabled', node));
+              try {
+                // TODO look for favicon
+                staticHandlers[node].favicon = require('serve-favicon')(path.join(__dirname, 'sites-enabled', node, 'favicon.ico'));
+              } catch(e) {
+                staticHandlers[node].favicon = function (req, res, next) { next(); };
+              }
             });
 
-            console.log('vhost static final');
-            console.log(host);
-            console.log(staticHandlers[host]);
-
             if (staticHandlers[host]) {
-              staticHandlers[host](req, res, next);
+              serveIt();
             } else {
               next();
             }