Add validating to protect against Server-side request forgery

[antoni-devlin]

Interesting yeah I just looked through that too.
I agree with you @antoni-devlin but let's also think about how you'd mitigate this?

You don't have to come up with a solution, but might be good to make a TODO.md or a card that outlines what you think you could do about this problem?

I wonder for instance if we could do anything to validate that input 🤔

Originally posted by @huwd in #47 (comment)