update readme with slugs table

README.md

@@ -20,7 +20,11 @@ of HTML + JS shows it in action:
     <script defer>
         const hits = document.getElementById('allhits');
         fetch('http://localhost:5000/hit/index.html').then((resp) => {
+            if (resp.ok) {
                 return resp.text();
+            } else {
+                return "I don't even know how many"
+            }
         }).then((data) => {
             hits.innerHTML = data;
         });
@@ -38,6 +42,15 @@ then visit http://localhost:3000 you should see that there is 1 hit, if this is
 you're trying it out. Reloading won't increment the count until the hour changes and you visit
 again, or you kill and restart Hitman.
 
+If you see a log message like `rejecting invalid slug index.html`,
+you'll need to add the allowed slugs into the `slugs` table:
+
+``` sql
+insert into slugs (slug) values ("index.html"), ("user");
+```
+
+See the note on security below.
+
 ### Privacy
 
 The IP from the request is hashed with the date, hour of day, `:page`, and a random 64-bit number
@@ -52,4 +65,6 @@ There is no need to put up a tracking consent form because nothing is being trac
 
 ### Security?
 
-Well, you need to give it a specific origin that is allowed to connect. Is this enough? (lol, no)
+Well, you need to give it a specific origin that is allowed to connect; this isn't really enough,
+though. To mitigate the potential for abuse, the code that registers a hit checks against a set of
+allowed slugs. Any time you add a new page to your site, you'll need to update the `slugs` table.