diff --git a/onionr/api.py b/onionr/api.py
index 6499b4d3..afe63d82 100755
--- a/onionr/api.py
+++ b/onionr/api.py
@@ -25,9 +25,11 @@ import core
 from onionrblockapi import Block
 import onionrutils, onionrexceptions, onionrcrypto, blockimporter, onionrevents as events, logger, config, onionr
 
+API_VERSION = 0
+
 def guessMime(path):
     '''
-        Guesses the mime type from the input filename
+        Guesses the mime type of a file from the input filename
     '''
     mimetypes = {
         'html' : 'text/html',
@@ -113,10 +115,45 @@ class API:
         logger.info('Running api on %s:%s' % (self.host, self.bindPort))
         self.httpServer = ''
 
+        @app.before_request
+        def validateRequest():
+            '''Validate request has set password and is the correct hostname'''
+            if request.host != '%s:%s' % (self.host, self.bindPort):
+                abort(403)
+            try:
+                if not hmac.compare_digest(request.headers['token'], self.clientToken):
+                    abort(403)
+            except KeyError:
+                abort(403)
+        
+        @app.after_request
+        def afterReq(resp):
+            resp.headers["Content-Security-Policy"] =  "default-src 'none'; script-src 'none'; object-src 'none'; style-src data: 'unsafe-inline'; img-src data:; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'"
+            resp.headers['X-Frame-Options'] = 'deny'
+            resp.headers['X-Content-Type-Options'] = "nosniff"
+            resp.headers['X-API'] = API_VERSION
+            resp.headers['Server'] = 'nginx'
+            resp.headers['Date'] = 'Thu, 1 Jan 1970 00:00:00 GMT' # Clock info is probably useful to attackers. Set to unix epoch.
+            return resp
+
+        @app.route('/ping')
+        def ping():
+            return Respose("pong!")
+
         @app.route('/')
         def hello():
             return Response("hello client")
         
+        @app.route('/waitforshare/<name>', methods='post')
+        def waitforshare():
+            assert name.isalnum()
+            if name in self.publicAPI.hideBlocks:
+                self.publicAPI.hideBlocks.remove(name)
+                return Response("removed")
+            else:
+                self.publicAPI.hideBlocks.append(name)
+                return Response("added")
+
         @app.route('/shutdown')
         def shutdown():
             try:
diff --git a/onionr/onionrutils.py b/onionr/onionrutils.py
index 6c8ba3e4..75fcb7c2 100644
--- a/onionr/onionrutils.py
+++ b/onionr/onionrutils.py
@@ -167,12 +167,11 @@ class OnionrUtils:
         if data != '':
             data = '&data=' + urllib.parse.quote_plus(data)
         payload = 'http://%s:%s/%s%s' % (hostname, config.get('client.client.port'), command, data)
-        logger.info(payload)
         #payload = 'http://%s:%s/client/?action=%s&token=%s&timingToken=%s' % (hostname, config.get('client.client.port'), command, config.get('client.webpassword'), self.timingToken)
         #if data != '':
         #    payload += '&data=' + urllib.parse.quote_plus(data)
         try:
-            retData = requests.get(payload).text
+            retData = requests.get(payload, headers={'token': config.get('client.webpassword')}).text
         except Exception as error:
             if not silent:
                 logger.error('Failed to make local request (command: %s):%s' % (command, error))