If I'm a malicious user who wants to bother someone that serves using Fanstatic and I know he uses some form of front-end cache, I can pollute that cache by generating a lot of bogus hash urls:
and so on
This will force a front-end cache to try to cache all those resources, even though they are in fact the same ones.
It should be possible to let the library check whether the hash used in the URL is in fact a legitimate one, and return a 404 if not.
This behavior might be a problem if someone is requesting a changed resource using the old hash. This would result in a 404 too. But since they were requesting the old resource that doesn't exist anymore, that's actually reasonable behavior. If a caching front end is in use, the caching frontend should be able to serve the old hash instead.
This hash checking is expensive and not useful during devmode, so this should be disabled in that case.