@webfan the only reason to exclude the /inbox route is if you are finding a lot of bots and scrapers accessing your inbox before they scrape your profile, in theory friendicas rules and activitypubs rules should already have your inbox blocked from that activity, I created this because even with a very robust .htaccess file I was getting a lot of bots and scrapers accessing "GET" and "Profile" in my access logs, most where defeating my robots.txt and breaking the rules in .htaccess, this at the moment has killed them, first 2 days they all got 403's and then they just stopped trolling my instance at all; I think it could be customized to your individual needs, I made it shareable, I wont maintain it, it works for me and if by chance it helps anyone well all the better, by all means adapt and modify it to your instance's needs and if it works share it with the community, security and privacy in numbers I say;