The note should POST to a generic URL rather than the unique URL. Currently, the index.html has the destination URL in the source. Although highly improbable, and for all practical purposes impossible, an attack could theoretically be achieved where the page is refreshed until the targeted URL is generated.
Done, to a degree. The POST URL has been taken down from /post/ to just /post/. However, the URL remains in a hidden input field in the source. I'm not going to worry about refreshing the page to find a target URL, seeing as though the code for generating the URL has changed.