@Melanie Wehowski cookie could be faked but so can headers, and the way I have it now the cookie is only good for the session, bots and scrapers start a new session every time they probe a domain so no need to store, each time they troll its a new session, putting inbox in the check I guess could be useful to gate it, but when I sat down to do this and dug through all my access logs I did not have even one call for the inbox to be worried about it, now if I get bots or scrapers that start calling for my inbox I will gate it, but my understanding of how friendica and activitypub are setup the inbox should not be callable by bots and scrapers, I maybe wrong on that, I have had this instance up an running a year, and it has be en a lot of learning and trial and error so many errors, but so far this gate has really made my access logs go empty, which for me is good, im still fully federated but the datahogs have slowed or stopped trolling me