diff --git a/api.py b/api.py index cef6c593..90cf774c 100755 --- a/api.py +++ b/api.py @@ -13,8 +13,8 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . ''' -from flask import Flask, request -app = Flask(__name__) +import flask +from flask import request, Response import configparser, sys, random ''' Main API @@ -23,6 +23,8 @@ class API: def __init__(self, config, debug): self.config = config + self.debug = debug + app = flask.Flask(__name__) bindPort = int(self.config['CLIENT']['PORT']) clientToken = self.config['CLIENT']['CLIENT HMAC'] @@ -32,10 +34,26 @@ class API: else: self.host = '127.0.0.1' + @app.after_request + def afterReq(resp): + resp.headers['Access-Control-Allow-Origin'] = '*' + resp.headers['server'] = 'Onionr' + resp.headers['content-type'] = 'text/plain' + resp.headers["Content-Security-Policy"] = "default-src 'none'" + resp.headers['x-frame-options'] = 'deny' + return resp + @app.route('/client/hello') def hello_world(): self.validateHost() - return 'Hello, World!' + request.host + resp = Response('Hello, World!' + request.host) + return resp + + @app.errorhandler(404) + def notfound(err): + resp = Response("\_(0_0)_/ I got nothin") + resp.headers = getHeaders(resp) + return resp print('Starting client on ' + self.host + ':' + str(bindPort)) print('Client token:', clientToken) @@ -43,6 +61,8 @@ class API: app.run(host=self.host, port=bindPort, debug=True) def validateHost(self): + if self.debug: + return # Validate host header, to protect against DNS rebinding attacks if request.host != '127.0.0.1:' + str(self.config['CLIENT']['PORT']): sys.exit(1) @@ -50,4 +70,4 @@ class API: try: request.headers['x-requested-with'] except: - sys.exit(1) \ No newline at end of file + sys.exit(1) diff --git a/onionr.py b/onionr.py index a9f43fa4..d8fb6dcd 100755 --- a/onionr.py +++ b/onionr.py 
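Review bot: `resp.headers = getHeaders(resp)` in the new `notfound` handler calls a name that is defined nowhere in this diff or its imports, so unless `getHeaders` exists elsewhere in api.py every 404 will raise NameError and surface as a 500; the line is also redundant, because the `afterReq` after_request hook already stamps the same headers on error responses, so it can simply be deleted. The literal `"\_(0_0)_/ I got nothin"` contains the invalid escape `\_` (a DeprecationWarning today, a SyntaxWarning from Python 3.12) and should be a raw string, `resp = Response(r"\_(0_0)_/ I got nothin")`. Separately, `Access-Control-Allow-Origin: *` in `afterReq` announces that any web origin may read responses from this loopback API, which works against the DNS-rebinding and `x-requested-with` checks that `validateHost` exists for; drop the header, or echo only an explicitly allowed origin. `hello_world` reflects `request.host` into the body, which is only safe as long as `afterReq` keeps forcing `content-type: text/plain` and the `default-src 'none'` CSP, so a comment there saying so would stop a later change from reintroducing reflected HTML.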
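Review bot: `if self.debug: return` at the top of `validateHost` switches off both the Host-header check against DNS rebinding and the `x-requested-with` check whenever debug is on, and the onionr.py hunk below hard-codes `self.debug = True`, so as committed the protection is never applied. A debug flag should not bypass a security control; keep the check unconditional and, if a local-testing escape hatch is truly needed, make it a separate explicit setting with a comment such as `# debug mode must not disable the rebinding/CSRF checks`. The surrounding `app.run(host=self.host, port=bindPort, debug=True)` (context, not changed here) also enables the Werkzeug interactive debugger on a listening socket; it should at most follow `self.debug`, not be hard-coded. Note too that `sys.exit(1)` on a bad Host header lets any page that can make the browser send a request to the client port terminate the whole process; returning a 403 (e.g. `flask.abort(403)`) would reject the request without a denial of service.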
@@ -19,13 +19,17 @@ import gui, api class Onionr: def __init__(self): + # Get configuration and Handle commands + self.debug = True # Whole application debugging os.chdir(sys.path[0]) + # Get configuration self.config = configparser.ConfigParser() if os.path.exists('data/config.ini'): self.config.read('data/config.ini') else: + # Generate default config # Hostname should only be set if different from 127.x.x.x. Important for DNS rebinding attack prevention. if debug: randomPort = 8080