The Security of Ephemeral Pages(schalkneethling.com)
5 points by speckx 3 days ago | 1 comments
minitech 15 minutes ago

- CSP that allows cdn.jsdelivr.net/unpkg.com (which serve anything on npm, which anyone can publish to) indiscriminately is security theatre (and I’m sure some cdnjs script in an Angular-style library executes arbitrary code in otherwise-benign HTML attributes too)

- rate limiting using a key derived from the freely attacker-settable User-Agent header

- (and storing it in Netlify Blobs, “a highly-available data store optimized for frequent reads and infrequent writes”?)

- “The remaining item — constant-time comparison — is a calculated risk I have accepted for now.” What was the calculation? If Netlify Functions supports Node.js APIs as a quick search suggests, this is just `crypto.timingSafeEqual`.