We thought about it but:
- this is a statically generated site (SSG using Next.js), so there's no backend runtime for the FE itself.
- we do have a contact form, but under the hood it sends an email to our own inbox through internal APIs and the destination email is hard-coded, so I don't think they could hijack this (will check the audit log just in case).
- it's hosted using Cloudflare Pages.
- the worker/API part is severely rate limited.
- we would notice abuse since we have low monthly email sending limits on this API service.