* forbid XML with DOCTYPE * use a common HMAC method for consistency * Generate a secret key and store it in local config if it does not exist