dstoffel
Password hashes should depend on a secret that is not stored with the hash: keep a pepper outside the database (the per-user salt can stay next to the hash), so that a database breach alone does not let an attacker crack the hashes offline.
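One way to implement that separation, added here as an example rather than the reviewed application's own code: the per-user salt and hash are the only things written to the database, and a secret pepper (assumed to be read from an environment variable or secrets manager; generated in memory below so the block runs stand-alone) is folded into the password before the KDF. Python standard library only.

```python
import hashlib
import hmac
import os
import secrets

# Assumed: the pepper is read from a store separate from the database (environment
# variable, secrets manager, config file on the app host). It is generated in memory
# here so the example runs stand-alone; its value must never land in the DB.
PEPPER = secrets.token_bytes(32)
KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def _pepper_password(password: str, pepper: bytes) -> bytes:
    # Fold the pepper in with HMAC before the KDF: the pepper acts as a key, not as
    # extra salt, so without it the KDF input for the right password is unknown.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the record that may be stored in the database: per-user salt, hash,
    and work factor. The pepper is deliberately not part of it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _pepper_password(password, pepper), salt, KDF_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": KDF_ITERATIONS}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Constant-time verification. A caller without the real pepper (an attacker
    working from a database dump) cannot confirm even the correct password."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        _pepper_password(password, pepper),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))
```

Rotating the pepper requires re-hashing on next login (the old pepper must stay available until every record has migrated), so version the record if rotation is planned.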
All JSON-based actions should be protected against CSRF (specifically /delnotif). The other forms appear to be covered by the framework's built-in CSRF protection (Flask-WTF); the JSON endpoints are not.
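The /delnotif case, as an added example and not the application's code: a session-bound CSRF token is minted for the page and must come back in a custom header on the JSON request. The vulnerable handler beside the hardened one shows why the session cookie alone is not enough, since the victim's browser attaches that cookie to a cross-site POST as well. The request and session objects are constructed dicts so the block runs without Flask; SECRET_KEY stands in for the app's secret key.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # assumed: the app's SECRET_KEY (random for the demo)

# Constructed in-memory stand-ins for the session store and the notifications table.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
NOTIFICATIONS = {}


def reset_state():
    NOTIFICATIONS.clear()
    NOTIFICATIONS.update({"alice": {1: "welcome", 2: "new message"}, "bob": {3: "hi"}})


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session: nonce plus HMAC(SECRET_KEY, session_id:nonce).
    The page template embeds it (for example in a <meta> tag) for the JS to send back."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Constant-time check that the token was minted for exactly this session."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _current_user(request: dict):
    return SESSIONS.get(request["cookies"].get("session"))


def delnotif_unprotected(request: dict):
    """The finding: the session cookie is the only check, so a page on another origin
    can make the victim's browser delete notifications on their behalf."""
    user = _current_user(request)
    if user is None:
        return 401, {"error": "not logged in"}
    NOTIFICATIONS[user].pop(request["json"].get("id"), None)
    return 200, {"deleted": request["json"].get("id")}


def delnotif_protected(request: dict):
    """Hardened: additionally require the session-bound token in a custom header.
    A cross-site page cannot read the token, and setting a custom header forces a
    CORS preflight the server does not approve, so the request is refused before
    any state changes."""
    user = _current_user(request)
    if user is None:
        return 401, {"error": "not logged in"}
    token = request["headers"].get("X-CSRF-Token")
    if not verify_csrf_token(request["cookies"]["session"], token):
        return 403, {"error": "CSRF token missing or invalid"}
    NOTIFICATIONS[user].pop(request["json"].get("id"), None)
    return 200, {"deleted": request["json"].get("id")}


def forged_request(notif_id: int, session: str = "sess-alice") -> dict:
    """What an attacker page can make the victim's browser send: cookie yes, token no."""
    return {"cookies": {"session": session}, "headers": {}, "json": {"id": notif_id}}


def legit_request(notif_id: int, session: str = "sess-alice", token_session=None) -> dict:
    """The app's own JS: same cookie plus the token it read from the page."""
    token = issue_csrf_token(token_session or session)
    return {
        "cookies": {"session": session},
        "headers": {"X-CSRF-Token": token},
        "json": {"id": notif_id},
    }


reset_state()
```

With Flask-WTF, the same effect comes from sending the existing form token in the X-CSRFToken header from the fetch call; CSRFProtect checks that header for non-form requests. SameSite=Lax on the session cookie narrows the exposure but is not a substitute for the token check.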
Token: change email / reset password. These tokens should not be constructed as a JSON Web Signature (JWS): a token signed with an HMAC secret can be brute-forced offline by anyone holding a single token, and it provides the ability...
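To make the offline attack concrete, an added example (not the application's code): a minimal HS256 JWS in standard-library Python, a dictionary attack on a captured reset token that needs no further contact with the server, and the forged token that follows once the secret is known. The second half shows the alternative: an opaque random token whose hash is stored server-side with an expiry and consumed once, so nothing about it can be verified offline. The weak secret, wordlist and in-memory token table are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256_sign(payload: dict, secret: bytes) -> str:
    """Compact JWS with HS256: the construction the finding argues against."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jws_hs256_verify(token: str, secret: bytes):
    """Return the payload if the HS256 signature matches, else None."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def brute_force_jws_secret(token: str, wordlist):
    """Offline attack: one captured token is enough to test candidate secrets with no
    server round trip, so there is no rate limit, no lockout and no log entry."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode()
    target = _b64url_decode(sig)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate.encode()
    return None


# Alternative: an opaque random token that only means something against server state.
# Constructed in-memory stand-in for a DB table: sha256(token) -> {"user", "expires"}.
RESET_TOKENS = {}


def issue_reset_token(user_id: str, now: int, ttl: int = 900) -> str:
    """256-bit random token; only its hash is stored, so a database read does not
    yield usable tokens and there is no secret whose recovery unlocks every user."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user_id,
        "expires": now + ttl,
    }
    return token


def consume_reset_token(token: str, now: int):
    """Single use with expiry: returns the user id or None. Every guess costs one
    request the server can rate-limit, and a used or expired token is gone."""
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if record is None or now > record["expires"]:
        return None
    return record["user"]
```

Note that the attacker who recovers the HS256 secret forges tokens for any subject, so the blast radius is every account, not the one whose token was captured; that is what makes the opaque stored token the better fit for reset and email-change flows.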