I added a simple CORS check that makes sure the request is coming from the same domain as the request itself is saying it's coming from. Also added rate-limiting.