- url unescaping (uriparser? libcurl?)
- parse request headers (ie Authentication)
- threading or async
- optional allowlist of available paths (throw something else on unavailable ones)
- denylist of known-bad url strings