Open
Description
Hey,
I noticed a possible XSS (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) vulnerability on this line:
https://github.com/kylewm/woodwind/blob/82fc01dbf489185feda2e7c2037c76d1f44f4b85/woodwind/push.py#L40
Unsanitized user input gets into flask.make_response() and then into the user's browser. This opens a possibility for the attacker to supply input like "<script>some_code</script>" and execute arbitrary code in the user's browser.
I'm not sure how your application is meant to be deployed, but if an attacker can trick an honest user into accessing "your_site.com/_notify/feed_id?hub.mode=subscribe&topic=attack_vector", then this is a security risk and you should consider fixing it.
Cheers!
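Added example, not code from the woodwind project: a hypothetical, Flask-free reconstruction of the echo pattern the report describes, next to a hardened form. It assumes the reflected parameter is `hub.topic` and mirrors the fact that `flask.make_response(str)` defaults to a `text/html` content type, which is what lets a reflected parameter be rendered as markup.

```python
"""Hypothetical reconstruction of a PubSubHubbub/WebSub verification handler.

flask.make_response(str) defaults to Content-Type text/html, so any query
parameter echoed verbatim in the body is parsed as markup by the browser.
Both functions return (body, content_type, status) so they can be compared.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

ALLOWED_MODES = {"subscribe", "unsubscribe"}  # the only modes a hub should send


def parse_query(url):
    """Flatten the query string to the first value of each parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def notify_vulnerable(url):
    """Reflects hub.topic unescaped with Flask's default text/html type (the bug)."""
    q = parse_query(url)
    body = "Verified subscription to {}".format(q.get("hub.topic", ""))
    return body, "text/html; charset=utf-8", 200


def notify_hardened(url):
    """Whitelists hub.mode, HTML-escapes what is reflected, serves text/plain."""
    q = parse_query(url)
    mode = q.get("hub.mode")
    if mode not in ALLOWED_MODES:
        return "unsupported hub.mode", "text/plain; charset=utf-8", 400
    # Escaping plus a non-HTML content type: either alone would stop the
    # reflected markup from executing, together they are defence in depth.
    topic = escape(q.get("hub.topic", ""))
    body = "Verified {} for {}".format(mode, topic)
    return body, "text/plain; charset=utf-8", 200


if __name__ == "__main__":
    # Constructed sample request using the payload shape from the report.
    sample = "https://your_site.com/_notify/1?hub.mode=subscribe&hub.topic=%3Cscript%3Esome_code%3C/script%3E"
    print(notify_vulnerable(sample))
    print(notify_hardened(sample))
```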