diff --git a/proxy/TODO.txt b/proxy/TODO.txt
new file mode 100644
index 0000000..772309c
--- /dev/null
+++ b/proxy/TODO.txt
@@ -0,0 +1,6 @@
+TODO
+
+1) make index page nice (real html)
+2) REST error -> set headers?
+3) replace URLs
+4) file cache?
diff --git a/proxy/config.php b/proxy/config.php
index d5e64f8..0d7bd45 100644
--- a/proxy/config.php
+++ b/proxy/config.php
@@ -34,6 +34,7 @@ $rest_allowed_actions = array(
                             'email'                 => 'string',
                             'first_name'            => 'string',
                             'last_name'             => 'string',
+                            'organization_name'     => 'string',
                             'contact_type'          => array('Individual', 'Organization'),
                             'prefix'                => 'string',
                             'street_address'        => 'string',
@@ -47,6 +48,7 @@ $rest_allowed_actions = array(
       'addcontribution'     => array(
                             'contact_id'            => 'int',
                             'financial_type_id'     => 'int',
+                            'financial_type'        => 'string',
                             'payment_instrument'    => 'string',
                             'contribution_campaign' => 'string',
                             'total_amount'          => 'float2',
diff --git a/proxy/about.php b/proxy/index.php
similarity index 85%
rename from proxy/about.php
rename to proxy/index.php
index 3785dc8..babffbd 100644
--- a/proxy/about.php
+++ b/proxy/index.php
@@ -10,4 +10,5 @@
 require_once "config.php";
 require_once "proxy.php";
 
+// TODO: make nice
 print_r("SYSTOPIA CiviCRM Proxy Version $civiproxy_version");
\ No newline at end of file
diff --git a/proxy/open.php b/proxy/open.php
index adef197..0c9501b 100644
--- a/proxy/open.php
+++ b/proxy/open.php
@@ -10,6 +10,9 @@
 require_once "config.php";
 require_once "proxy.php";
 
+// basic check
+civiproxy_security_check('open');
+
 // basic restraints
 $valid_parameters = array(  'q'   => 'int'  );
 
diff --git a/proxy/proxy.php b/proxy/proxy.php
index 666ef29..2e9994c 100644
--- a/proxy/proxy.php
+++ b/proxy/proxy.php
@@ -21,8 +21,8 @@ require_once "config.php";
  *                               where type can be 'int', 'string' (unchecked),
  */
 function civiproxy_redirect($url_requested, $parameters) {
-  // error_log('CALLING: '.$url_requested);
-  // error_log(print_r($parameters,1));
+  error_log('CALLING: '.$url_requested);
+  error_log(print_r($parameters,1));
 
   $url = $url_requested;
   $curlSession = curl_init();
@@ -82,7 +82,6 @@ function civiproxy_redirect($url_requested, $parameters) {
     // TODO: do we need this?
     //rewrite all hard coded urls to ensure the links still work!
     //$body = str_replace($base,$mydomain,$body);
-
     print $body;
   }
 
@@ -90,6 +89,22 @@ function civiproxy_redirect($url_requested, $parameters) {
 }
 
 
+/**
+ * Will check the incoming connection.
+ * This hook allowes for (future) checks for flooding, spoofing, 
+ * unauthorized access quantities, etc.
+ * 
+ * @param $target  
+ * @param $quit    if TRUE, quit immediately if access denied
+ *
+ * @return TRUE if allowed, FALSE if not (or quits if $quit is set)
+ */
+function civiproxy_security_check($target, $quit=TRUE) {
+  // TODO: implement
+  return TRUE;
+}
+
+
 /**
  * extract and type check the parameters from the call params
  * 
@@ -106,7 +121,23 @@ function civiproxy_get_parameters($valid_parameters) {
         $value = (int) $value;
       } elseif ($type == 'string') {
         // TODO: sanitize? SQL?
-        $value = (int) $value;
+        $value = $value;
+      } elseif ($type == 'float2') {
+        // TODO: check if safe wrt l10n. rather use sprintf
+        $value = number_format($value, 2, '.', '');
+      } elseif (is_array($type)) {
+        // this is a list of valid options
+        $requested_value = $value;
+        $value = '';
+        foreach ($type as $allowed_value) {
+          if ($requested_value === $allowed_value) {
+            $value = $requested_value;
+            break;
+          }
+        }
+      } else {
+        error_log("CiviProxy: unknown type '$type'. Ignored.");
+        $value = '';
       }
       $result[$name] = $value;
     }
@@ -114,16 +145,3 @@ function civiproxy_get_parameters($valid_parameters) {
 
   return $result;
 }
-
-/**
- * responds with an error
- * 
- */
-function civiproxy_rest_error($message) {
-  $error = array( 'is_error'      => 1,
-                  'error_message' => $message);
-  // TODO: Implement
-  //header();
-  print $message;
-  exit(1);
-}
\ No newline at end of file
diff --git a/proxy/rest.php b/proxy/rest.php
index 0fc35ed..669c135 100644
--- a/proxy/rest.php
+++ b/proxy/rest.php
@@ -10,31 +10,69 @@
 require_once "config.php";
 require_once "proxy.php";
 
-// TODO: check for flooding, spoofing, etc.
+
+// basic check
+if (!civiproxy_security_check('rest')) {
+  civiproxy_rest_error("Access denied.");
+}
 
 // check credentials
-$credentials = civiproxy_get_parameters(array('site_key' => 'string', 'api_key' => 'string'));
-if (isset($sys_key_map[$credentials['site_key']])) {
-  $credentials['site_key'] = $credentials['site_key'];
+error_log(print_r($_REQUEST,1));
+$credentials = civiproxy_get_parameters(array('key' => 'string', 'api_key' => 'string'));
+error_log(print_r($credentials,1));
+if (empty($credentials['key'])) {
+  civiproxy_rest_error("No site key given");
 } else {
-  civiproxy_rest_error("Invalid site key");
+  if (isset($sys_key_map[$credentials['key']])) {
+    $credentials['key'] = $sys_key_map[$credentials['key']];
+  } else {
+    civiproxy_rest_error("Invalid site key");
+  }
 }
-if (isset($api_key_map[$credentials['api_key']])) {
-  $credentials['api_key'] = $credentials['api_key'];
+
+if (empty($credentials['api_key'])) {
+  civiproxy_rest_error("No API key given");
 } else {
-  civiproxy_rest_error("Invalid api key");
+  if (isset($api_key_map[$credentials['api_key']])) {
+    $credentials['api_key'] = $api_key_map[$credentials['api_key']];
+  } else {
+    civiproxy_rest_error("Invalid api key");
+  }
 }
 
 // check if the call itself is allowed
-$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int'));
+$action = civiproxy_get_parameters(array('entity' => 'string', 'action' => 'string', 'version' => 'int', 'json' => 'int', 'sequential' => 'int'));
 if (!isset($action['version']) || $action['version'] != 3) {
   civiproxy_rest_error("Invalid entity/action.");
 }
-if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']]) {
+if (isset($rest_allowed_actions[$action['entity']]) && isset($rest_allowed_actions[$action['entity']][$action['action']])) {
   $valid_parameters = $rest_allowed_actions[$action['entity']][$action['action']];
 } else {
   civiproxy_rest_error("Invalid entity/action.");
 }
 
+// extract parameters and add credentials and action data
 $parameters = civiproxy_get_parameters($valid_parameters);
+foreach ($credentials as $key => $value) {
+  $parameters[$key] = $value;
+}
+foreach ($action as $key => $value) {
+  $parameters[$key] = $value;
+}
+
+// finally execute query
 civiproxy_redirect($target_rest, $parameters);
+
+
+/**
+ * generates a CiviCRM REST API compliant error
+ * and ends processing
+ */
+function civiproxy_rest_error($message) {
+  $error = array( 'is_error'      => 1,
+                  'error_message' => $message);
+  // TODO: Implement
+  //header();
+  print json_encode($error);
+  exit();
+}
diff --git a/proxy/url.php b/proxy/url.php
index 057067f..e4fb355 100644
--- a/proxy/url.php
+++ b/proxy/url.php
@@ -10,6 +10,9 @@
 require_once "config.php";
 require_once "proxy.php";
 
+// basic check
+civiproxy_security_check('url');
+
 // basic restraints
 $valid_parameters = array(  'u'   => 'int',
                             'q'   => 'int',