I'm attempting my own live update service (LUS). While doing so I received a working version from Tru (username on this forum) and basically took that one and continued. He had changed the code files from tl to get it working so I needed to change that and found two working and tested alternatives but am not sure either is the way to go. So perhaps someone can give me some pointers?

Both of the methods require a frontend module to be created and added to a layout (or article). The generate function handles the POST variables that the systems sends. My first doubts are with the need for a frontend module; the only reason this is done is because Contao will call the generate method so I can then check the db and either approve or deny the request. Is there a way I can write the code as an extension adding only request.php to the root and -if needed- runonce.php (suppose I need to edit initConfig.php)

Method 1 (edit initconfig.php)
Because Contao checks the referer address to the current host just posting the variables to the LUS will generate an error (initialize.php will check the address unless no POST variables are present or $GLOBALS['TL_CONFIG']['disableRefererCheck'] is true). So method one adds some code to initconfig.php that decides to disable the referer check:
Code:
if (array_key_exists('ver', $_POST) && array_key_exists('ref', $_POST) && array_key_exists('uid', $_POST) && (array_key_exists('bup', $_POST) || array_key_exists('toc', $_POST))) {
	$GLOBALS['TL_CONFIG']['disableRefererCheck'] = 1;
}
After this has been done the index.php continues, the module was added to the default pages layout so the generate function runs, checks the request and redirects back to the clients Contao backend maintenance page. (Which then downloads the file and goes on)

My concern is that this disables a security feature.

Method 2 (bypass normal processing)
I made a custom folder "liveupdate". In the clients backend you can set the address similar to the default http://somerobots.com/liveupdate/ which I like. In that folder on the LUS are a request.php and index.php (which is called for the verificaion). The index.php checks for the variables and posts them to the LUS contao root page (../index.php) together with a referer address that is equal to the LUS address so Contao will not complain. The module generate function runs and outputs a verification status. The custom index.php reads the output and redirects back to the client. (which then can start downloading and so on)

This method does not disable the feature and will certainly not use custom variables that evil do-ers might have added. But it seems odd; client requests a page. That page requests the contao page (checks the request) and returns the result to client.