First of all, you need to know that we are an open-source service, and we can't afford dedicated personnel just for reading abuse reports full-time. In fact, this service makes no profit at all, but it still needs some money to run.
Anyone can use this URL shortener to make a redirect from a shorter URL located on hda.me/xxxxx to possibly any URL. We don't check the original URL, since this is against our privacy policy and any reasonable one.
If you are still willing to send us an abuse report after all, please use this template:
Email subject: Phishing report to hda.me
We discovered a phishing link on your website: https://hda.me/link35235
Could you delete or change this link, please?
Regards, Name, Corporation.
Email for abuse: email@example.com, and a copy to firstname.lastname@example.org, please.
By the way, it is better to check your own security than to deal with external resources: if you allow content to be embedded from remote resources, or accept POST or other requests from *, this is your problem. What you can do is:
Access-Control-Allow-* headers. It is better to allow access only from your own website or your subdomains, and even if you need to include a remote resource such as github or googleapis, you can always list the exact resources instead of using
Content-Security-Policy header; for example, this is how GitHub uses it:
Content-Security-Policy: default-src 'none'; base-uri 'self'; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
X-Frame-Options header, you could also look
Other, more advanced options are to enable certificate pinning (you can't fully use it with cheap or free CDN plans), DNSSEC (possible with the Cloudflare CDN) and TLSA records for your website. A more interesting option is two-factor authentication, or client certificates for sign-in.
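
A way to check your own responses for the three headers listed above, as an added example that is not part of the original page or of hda.me's code. The function names and both sample responses are constructed for illustration.

```python
# Added example: audit response headers for the three controls named above.
# parse_csp(), audit_headers() and the sample responses are constructed here.

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings for one response's headers (a dict)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # Access-Control-Allow-*: a bare wildcard opens the resource to any origin.
    for name, value in h.items():
        if name.startswith("access-control-allow-") and value == "*":
            findings.append(f"{name} is a wildcard; list exact origins")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("no Content-Security-Policy header")
    else:
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
        for directive, sources in csp.items():
            if "*" in sources:
                findings.append(f"CSP {directive} allows any host (*)")
    # Framing: frame-ancestors does not fall back to default-src.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors")
    return findings


# Constructed sample responses.
WEAK = {"Access-Control-Allow-Origin": "*",
        "Content-Security-Policy": "script-src * 'unsafe-inline'"}
STRICT = {"Access-Control-Allow-Origin": "https://www.example.org",
          "Content-Security-Policy":
              "default-src 'none'; script-src 'self'; frame-ancestors 'none'",
          "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_headers(sample) or "ok")
```
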