Let me start by describing how this worked prior to securing my server:
A user has a device (like a raspberry pi) that is running an http server. The user connects to
