diff --git a/VKAPI/Handlers/Audio.php b/VKAPI/Handlers/Audio.php
index df9cf935..3e133ffa 100644
--- a/VKAPI/Handlers/Audio.php
+++ b/VKAPI/Handlers/Audio.php
@@ -21,13 +21,7 @@ final class Audio extends VKAPIRequestHandler
             $this->fail(201, "Access denied to audio(" . $audio->getId() . ")");
         }
 
-        # рофлан ебало
-        $privApi  = $hash && $GLOBALS["csrfCheck"];
         $audioObj = $audio->toVkApiStruct($this->getUser());
-        if (!$privApi) {
-            $audioObj->manifest = false;
-            $audioObj->keys     = false;
-        }
 
         if ($need_user) {
             $user = (new \openvk\Web\Models\Repositories\Users())->get($audio->getOwner()->getId());
diff --git a/Web/Models/Entities/Note.php b/Web/Models/Entities/Note.php
index a44c421b..b9829822 100644
--- a/Web/Models/Entities/Note.php
+++ b/Web/Models/Entities/Note.php
@@ -6,12 +6,42 @@ namespace openvk\Web\Models\Entities;
 
 use HTMLPurifier_Config;
 use HTMLPurifier;
+use HTMLPurifier_Filter;
+
+class SecurityFilter extends HTMLPurifier_Filter
+{
+    public function preFilter($html, $config, $context)
+    {
+        $html = preg_replace_callback(
+            '/<img[^>]*src\s*=\s*["\']([^"\']*)["\'][^>]*>/i',
+            function ($matches) {
+                $originalSrc = $matches[1];
+                $src = $originalSrc;
+
+                if (OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true) {
+                    if (!str_contains($src, "/image.php?url=")) {
+                        $src = '/image.php?url=' . base64_encode($originalSrc);
+                    } /*else {
+                        $src = preg_replace_callback('/(.*)\/image\.php\?url=(.*)/i', function ($matches) {
+                            return base64_decode($matches[2]);
+                        }, $src);
+                    }*/
+                }
+
+                return str_replace($originalSrc, $src, $matches[0]);
+            },
+            $html
+        );
+
+        return $html;
+    }
+}
 
 class Note extends Postable
 {
     protected $tableName = "notes";
 
-    protected function renderHTML(): string
+    protected function renderHTML(?string $content = null): string
     {
         $config = HTMLPurifier_Config::createDefault();
         $config->set("Attr.AllowedClasses", []);
@@ -78,16 +108,19 @@ class Note extends Postable
         $config->set("Attr.AllowedClasses", [
             "underline",
         ]);
+        $config->set('Filter.Custom', [new SecurityFilter()]);
 
-        $source = null;
-        if (is_null($this->getRecord())) {
-            if (isset($this->changes["source"])) {
-                $source = $this->changes["source"];
+        $source = $content;
+        if (!$source) {
+            if (is_null($this->getRecord())) {
+                if (isset($this->changes["source"])) {
+                    $source = $this->changes["source"];
+                } else {
+                    throw new \LogicException("Can't render note without content set.");
+                }
             } else {
-                throw new \LogicException("Can't render note without content set.");
+                $source = $this->getRecord()->source;
             }
-        } else {
-            $source = $this->getRecord()->source;
         }
 
         $purifier = new HTMLPurifier($config);
@@ -117,7 +150,7 @@ class Note extends Postable
             $this->save();
         }
 
-        return $cached;
+        return $this->renderHTML($cached);
     }
 
     public function getSource(): string
diff --git a/Web/Presenters/InternalAPIPresenter.php b/Web/Presenters/InternalAPIPresenter.php
index 464059cb..eb9daac2 100644
--- a/Web/Presenters/InternalAPIPresenter.php
+++ b/Web/Presenters/InternalAPIPresenter.php
@@ -176,4 +176,26 @@ final class InternalAPIPresenter extends OpenVKPresenter
             exit('');
         }
     }
+
+    public function renderImageFilter()
+    {
+        $is_enabled = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true;
+        $allowed_hosts = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["allowedHosts"] ?? [];
+
+        $url = $this->requestParam("url");
+        $url = base64_decode($url);
+
+        if (!$is_enabled) {
+            $this->redirect($url);
+        }
+
+        $url_parsed = parse_url($url);
+        $host = $url_parsed['host'];
+
+        if (in_array($host, $allowed_hosts)) {
+            $this->redirect($url);
+        } else {
+            $this->redirect('/assets/packages/static/openvk/img/fn_placeholder.jpg');
+        }
+    }
 }
diff --git a/Web/Presenters/templates/About/Version.xml b/Web/Presenters/templates/About/Version.xml
index c4d9c132..8b61d41c 100644
--- a/Web/Presenters/templates/About/Version.xml
+++ b/Web/Presenters/templates/About/Version.xml
@@ -385,8 +385,8 @@
                 <tr>
                     <td class="e">
                         Vladimir Barinov (veselcraft), Celestora, Konstantin Kichulkin (kosfurler),
-                        Daniel Myslivets, Maxim Leshchenko (maksales / maksalees), n1rwana and
-                        Jillian Österreich (Lumaeris)
+                        Daniel Myslivets, Maxim Leshchenko (maksales / maksalees), n1rwana,
+                        Jillian Österreich (Lumaeris) and MrIlyew (V00d00 M4g1c)
                     </td>
                 </tr>
             </tbody>
@@ -472,7 +472,7 @@
             </tbody>
         </table>
 
-        <table>
+        {*<table>
             <tbody>
                 <tr class="h">
                     <th>OpenVK QA Team</th>
@@ -486,7 +486,7 @@
                     </td>
                 </tr>
             </tbody>
-        </table>
+        </table>*}
 
         <hr/>
 
diff --git a/Web/Presenters/templates/components/textArea.xml b/Web/Presenters/templates/components/textArea.xml
index 2be32280..c516eca2 100644
--- a/Web/Presenters/templates/components/textArea.xml
+++ b/Web/Presenters/templates/components/textArea.xml
@@ -22,6 +22,8 @@
 
                 {if !is_null($thisUser) && !is_null($club ?? NULL) && $owner < 0}
                     {if $club->canBeModifiedBy($thisUser)}
+                        {var $anonHide = true}
+
                         <script>
                             function onWallAsGroupClick(el) {
                                 document.querySelector("#forceSignOpt").style.display = el.checked ? "block" : "none";
@@ -41,7 +43,7 @@
                     {/if}
                 {/if}
                 
-                <label n:if="$anonEnabled" id="octoberAnonOpt" style="display: none;">
+                <label n:if="$anonEnabled" id="octoberAnonOpt" {if $anonHide}style="display: none;"{/if}>
                     <input type="checkbox" name="anon" /> {_as_anonymous}
                 </label>
                 
diff --git a/Web/routes.yml b/Web/routes.yml
index 9738b740..f1cf2af6 100644
--- a/Web/routes.yml
+++ b/Web/routes.yml
@@ -413,6 +413,8 @@ routes:
       handler: "InternalAPI->getPhotosFromPost"
     - url: "/iapi/getPostTemplate/{num}_{num}"
       handler: "InternalAPI->getPostTemplate"
+    - url: "/image.php"
+      handler: "InternalAPI->imageFilter"
     - url: "/tour"
       handler: "About->tour"
     - url: "/fave"
diff --git a/Web/static/img/fn_placeholder.jpg b/Web/static/img/fn_placeholder.jpg
new file mode 100644
index 00000000..cdcaf5c5
Binary files /dev/null and b/Web/static/img/fn_placeholder.jpg differ
diff --git a/openvk-example.yml b/openvk-example.yml
index 6f26803b..525d7cf8 100644
--- a/openvk-example.yml
+++ b/openvk-example.yml
@@ -60,6 +60,9 @@ openvk:
             exposeOriginalURLs: true
         newsfeed:
             ignoredSourcesLimit: 50
+        notes:
+            disableHotlinking: true
+            allowedHosts: []
         wall:
             christian: false
             anonymousPosting: