@pasjrwoctx👽 Sorry, I mean the /inbox route from the check
$is_fediverse =
    str_contains($request, '/.well-known/') ||
    str_contains($request, '/activitypub/') ||
    str_contains($request, '/api/') ||
    str_contains($request, '/assets/') ||
    str_contains($request, '/inbox');
You could also check for Request-Type (Accept) headers.
A cookie can be faked; you should consider storing the OK in the session instead?
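Added example, not code from this thread: one way to combine the two suggestions above, checking the Accept header alongside the path list and keeping the "OK" in the server-side session rather than in a cookie the client can set. The function names, the `check_ok` session key and the `/check` redirect target are assumptions.

```php
<?php
// Added example. Function names, the 'check_ok' key and '/check' are assumptions.

// Media types ActivityPub servers send in Accept when fetching actors and objects.
const AP_ACCEPT_TYPES = ['application/activity+json', 'application/ld+json'];

function is_fediverse_request(string $request, string $accept): bool
{
    // Same path list as the check quoted in the post.
    foreach (['/.well-known/', '/activitypub/', '/api/', '/assets/', '/inbox'] as $part) {
        if (str_contains($request, $part)) {
            return true;
        }
    }
    // Accept is client-controlled too, so only exempt routes that return
    // ActivityPub JSON on this basis, never HTML pages.
    $accept = strtolower($accept);
    foreach (AP_ACCEPT_TYPES as $type) {
        if (str_contains($accept, $type)) {
            return true;
        }
    }
    return false;
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call once the visitor has passed the check. The flag lives on the server;
// the browser only holds the session id and cannot set the flag itself.
function mark_check_passed(): void
{
    ensure_session();
    session_regenerate_id(true); // fresh id when the session's state changes
    $_SESSION['check_ok'] = true;
}

function has_passed_check(): bool
{
    ensure_session();
    return ($_SESSION['check_ok'] ?? false) === true;
}

$request = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
if (!is_fediverse_request($request, $_SERVER['HTTP_ACCEPT'] ?? '') && !has_passed_check()) {
    header('Location: /check', true, 302);
    exit;
}
```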