True. This may be a problem. As mentioned, common bots are currently being blocked, plus, I will be testing POST instead of GET requests (since bots apparently don't do POST). Another obvious solution is to include some kind of user interaction before the secret is fetched. Although I don't like that solution so much. C.
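The POST-instead-of-GET idea from the comment above, sketched as an added example (not code from this thread or from the service being discussed). The `OneTimeSecrets` class, the `/secret/<token>` path and the status codes are assumptions made for illustration:

```python
import secrets
import threading


class OneTimeSecrets:
    """In-memory view-once secret store (hypothetical, for illustration)."""

    REVEAL_FORM = '<form method="post"><button>Reveal secret</button></form>'

    def __init__(self):
        self._secrets = {}
        self._lock = threading.Lock()

    def create(self, value):
        """Store a secret and return the unguessable token for its link."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._secrets[token] = value
        return token

    def handle(self, method, token):
        """Return (status, body) for a request to /secret/<token>."""
        if method in ("GET", "HEAD"):
            # Safe methods never consume the secret, so a link scanner or
            # preview bot that fetches the URL only receives the reveal form.
            with self._lock:
                exists = token in self._secrets
            if not exists:
                return 404, "Not found or already viewed"
            return 200, self.REVEAL_FORM
        if method == "POST":
            # Atomic read-and-delete: two concurrent POSTs cannot both
            # receive the secret.
            with self._lock:
                value = self._secrets.pop(token, None)
            if value is None:
                return 404, "Not found or already viewed"
            return 200, value
        return 405, "Method not allowed"


if __name__ == "__main__":
    store = OneTimeSecrets()
    link_token = store.create("constructed-sample-secret")
    print(store.handle("GET", link_token))   # bot or human: form only
    print(store.handle("POST", link_token))  # human clicks: secret, once
    print(store.handle("POST", link_token))  # any later request: gone
```

This also covers the user-interaction option mentioned in the same comment, since the reveal button is the interaction that triggers the POST.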
Like I said, I've used a similar service that only allows you to view the secret once and I've used it dozens of times with no problems.
How do you go about doing that? Disregard security service clicks based on IP address blacklists, user agent sniffing, etc.?