We should be able to limit from where we accept incoming http posts so we don't have to rely on obscurity for endpoint url.