@Codeberg as an emergency measure I'd probably block non-authenticated HTTP (except signup + login) altogether.