diff --git a/README.md b/README.md
index deff25e4..cc02cfeb 100644
--- a/README.md
+++ b/README.md
@@ -358,11 +358,13 @@ the browser has the following hotkeys  (always qwerty)
   * `U/O` skip 10sec back/forward
   * `0..9` jump to 0%..90%
   * `P` play/pause (also starts playing the folder)
+  * `Y` download file
 * when viewing images / playing videos:
   * `J/L, Left/Right` prev/next file
   * `Home/End` first/last file
   * `S` toggle selection
   * `R` rotate clockwise (shift=ccw)
+  * `Y` download file
   * `Esc` close viewer
   * videos:
     * `U/O` skip 10sec back/forward
@@ -989,13 +991,25 @@ when uploading files,
 
 some notes on hardening
 
-on public copyparty instances with anonymous upload enabled:
+* option `-s` is a shortcut to set the following options:
+  * `--no-thumb` disables thumbnails and audio transcoding to stop copyparty from running `FFmpeg`/`Pillow`/`VIPS` on uploaded files, which is a [good idea](https://www.cvedetails.com/vulnerability-list.php?vendor_id=3611) if anonymous upload is enabled
+  * `--no-mtag-ff` uses `mutagen` to grab music tags instead of `FFmpeg`, which is safer and faster but less accurate
+  * `--dotpart` hides uploads from directory listings while they're still incoming
+  * `--no-robots` and `--force-js` makes life harder for crawlers, see [hiding from google](#hiding-from-google)
 
-* users can upload html/css/js which will evaluate for other visitors in a few ways,
-  * unless `--no-readme` is set: by uploading/modifying a file named `readme.md`
-  * if `move` access is granted AND none of `--no-logues`, `--no-dot-mv`, `--no-dot-ren` is set: by uploading some .html file and renaming it to `.epilogue.html` (uploading it directly is blocked)
+* option `-ss` is a shortcut for the above plus:
+  * `--no-logues` and `--no-readme` disables support for readme's and prologues / epilogues in directory listings, which otherwise lets people upload arbitrary `<script>` tags
+  * `--unpost 0`, `--no-del`, `--no-mv` disables all move/delete support
+  * `--hardlink` creates hardlinks instead of symlinks when deduplicating uploads, which is less maintenance
+    * however note if you edit one file it will also affect the other copies
+  * `--vague-403` returns a "404 not found" instead of "403 forbidden" which is a common enterprise meme
+  * `--nih` removes the server hostname from directory listings
 
-other misc:
+* option `-sss` is a shortcut for the above plus:
+  * `-lo cpp-%Y-%m%d-%H%M%S.txt.xz` enables logging to disk
+  * `-ls **,*,ln,p,r` does a scan on startup for any dangerous symlinks
+
+other misc notes:
 
 * you can disable directory listings by giving permission `g` instead of `r`, only accepting direct URLs to files
   * combine this with volume-flag `c,fk` to generate per-file accesskeys; users which have full read-access will then see URLs with `?k=...` appended to the end, and `g` users must provide that URL including the correct key to avoid a 404
diff --git a/bin/mtag/very-bad-idea.py b/bin/mtag/very-bad-idea.py
index bd55e25d..eb161906 100755
--- a/bin/mtag/very-bad-idea.py
+++ b/bin/mtag/very-bad-idea.py
@@ -63,7 +63,7 @@ set -e
 EOF
 chmod 755 /usr/local/bin/chromium-browser
 
-# start the server  (note: replace `-v.::rw:` with `-v.::r:` to disallow retrieving uploaded stuff)
+# start the server  (note: replace `-v.::rw:` with `-v.::w:` to disallow retrieving uploaded stuff)
 cd ~/Downloads; python3 copyparty-sfx.py --urlform save,get -v.::rw:c,e2d,e2t,mte=+a1:c,mtp=a1=ad,very-bad-idea.py
 
 """
diff --git a/copyparty/svchub.py b/copyparty/svchub.py
index 556b6652..774a8ea4 100644
--- a/copyparty/svchub.py
+++ b/copyparty/svchub.py
@@ -64,8 +64,8 @@ class SvcHub(object):
 
         if args.ss or args.s >= 2:
             args.s = True
-            args.no_dot_mv = True
-            args.no_dot_ren = True
+            args.no_logues = True
+            args.no_readme = True
             args.unpost = 0
             args.no_del = True
             args.no_mv = True
diff --git a/copyparty/web/browser.css b/copyparty/web/browser.css
index 2b520bf5..e1f56d3d 100644
--- a/copyparty/web/browser.css
+++ b/copyparty/web/browser.css
@@ -371,7 +371,7 @@ html.dz {
 	--bg: #010;
 	--bgg: var(--bg);
 	--bg-d1: #000;
-	--bg-d2: #000;
+	--bg-d2: #020;
 	--bg-d3: #000;
 	--bg-max: #000;
 
@@ -381,8 +381,8 @@ html.dz {
 	--scroll: #0f0;
 
 	--a: #9f9;
-	--a-b: #fff;
-	--a-hil: #fff;
+	--a-b: #cfc;
+	--a-hil: #cfc;
 	--a-dark: #afa;
 	--a-gray: #2a2;
 
@@ -458,7 +458,7 @@ html.dz {
 	--f-sh1: 0.33;
 	--f-sh2: 0.02;
 	--f-sh3: 0.2;
-	--f-h-b1: rgba(128,128,128,0.7);
+	--f-h-b1: #3b3;
 
 	--f-play-bg: #fc5;
 	--f-play-fg: #000;
@@ -2778,6 +2778,17 @@ html.cy #files tbody div a:last-child {
 
 
 
+
+html.dz * {
+	border-radius: 0 !important;
+}
+html.d #treepar {
+	border-bottom: .2em solid var(--f-h-b1);
+}
+
+
+
+
 @media (min-width: 70em) {
 	#barpos,
 	#barbuf {