Deprecate check.tpo and move that functionality to the client
Right now, every time Tor browser starts up, it loads the same page. This is a risk for a huge watering hole attack. Compromising that one subdomain and serving an exploit will reliably compromise ~100% of Tor users. This would only take a single rogue CA (due to HPKP going away), and the compromise of one of any number of registrars. If the check is done locally client-side, such an exploit would be significantly more difficult and would have to exploit the a simple API.
Unlike the automatic updater which verifies a signature, the only signature relied upon by check.tpo is the TLS certificate. The web PKI is not ideal for protecting a single centralized page that is automatically opened by every Tor user, and only by Tor users.
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information