This is a heavily interactive web application, and JavaScript is required. Simple HTML interfaces are possible, but that is not what this is.
Post
Bradley Kemp
bradleyjkemp.dev
did:plc:mhyx6rd6e4lkwauctubnowih
Provided the favicon service is running on the same domain, you can probably use the Sec-Fetch-Site header
Allowing anything except a "cross-site" value is equivalent to your current referrer check (but would work even if referrers aren't sent)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site
2025-10-28T14:03:38.023Z