David Mehren
I think for this feature to make sense, it must be present in the first HD 2 release.
If I understand it correctly, we can still use the [express plugin](https://github.com/expressjs/csurf) with NestJS. This would work like this:
- The backend sends a CSRF-Token in a cookie, let's call...
Rate-limiting would be greatly simplified if all requests must have a token, as we then can just use that token to identify the user and apply rate-limits per token. If...
> keep the concept of having just one application to start

That is still the goal. The caddy-solution would be a dev-only stop-gap, until we have the final integration figured...
https://github.com/hedgedoc/hedgedoc/pull/1266 spelled out that anonymous notes will not have an owner, so deletion is not possible. We use the session cookie only to track edits by the same user.
Would support for the ubiquitous `HTTP_PROXY` and `HTTPS_PROXY` environment variables be sufficient? Having proxy configs for each upload backend complicates the config quite a bit.
Supporting individual proxies is out of scope for 2.0, so I added it to the "After 2.0" milestone for now. I'm still not convinced if we should support such a...
I created #1051 to track a setting for a common proxy.
> Currently at least notes are identified by UUIDs and will be identified by UUIDs in the future

We try to not leak IDs from the database into the API....
The first post has been updated with a new proposal called "notebook mode".