We should think about rate-limiting login and maybe other forms too to prevent spam or brute-forcing people's passwords. This Django package for rate-limiting seems like it might work well.
Related are #70 and #24.
Also should think about and look for less obvious bugs we might have security-wise in the UI. One example I fixed recently was that if you unsubscribed from a private group, the button would turn into "Re-subscribe" and let you re-add yourself. But since the group is private you should have to be added back.
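As an added illustration (not code from this issue, and not the Django package mentioned above): a framework-independent sliding-window limiter for login attempts that throttles per client IP and per target username separately, so both "one source, many accounts" and "many sources, one account" patterns are slowed. The `clock` parameter and the in-memory storage are assumptions for demonstration; a deployment would back this with a shared store so it holds across processes.

```python
from collections import defaultdict, deque
import time


class LoginRateLimiter:
    """Sliding-window limiter for failed login attempts.

    Added example: a standalone limiter, not the Django package from the issue.
    Only failures are counted, so a user who logs in correctly is never
    throttled by their own successful logins. Storage is in-memory for
    demonstration; a real deployment needs a shared store across processes.
    """

    def __init__(self, max_per_ip=20, max_per_user=5, window_seconds=300,
                 clock=time.monotonic):
        self.max_per_ip = max_per_ip      # failures allowed per IP in the window
        self.max_per_user = max_per_user  # failures allowed per username in the window
        self.window = window_seconds
        self.clock = clock                # injectable for testing (assumption)
        self._by_ip = defaultdict(deque)
        self._by_user = defaultdict(deque)

    def _prune(self, q, now):
        # Drop failure timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, ip, username):
        """Return True if a login attempt from ip against username may proceed."""
        now = self.clock()
        ip_q = self._by_ip[ip]
        user_q = self._by_user[username.lower()]  # usernames compared case-insensitively
        self._prune(ip_q, now)
        self._prune(user_q, now)
        return len(ip_q) < self.max_per_ip and len(user_q) < self.max_per_user

    def record_failure(self, ip, username):
        """Record a failed attempt against both the source IP and the target user."""
        now = self.clock()
        self._by_ip[ip].append(now)
        self._by_user[username.lower()].append(now)
```

Call `allowed()` before checking the password and `record_failure()` only when the check fails; the per-user limit is what stops a distributed guess against one account, the per-IP limit what stops one source spraying many accounts.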