Client security
brean opened this issue · comments
Andreas Bresser commented
In #183 it is said that aiohttp-security is used for server-side only, but can you provide some best-practices for login from a client?
I guess it is best to store the password in the database using pbkdf2_sha256 from passlib.hash. I think I have to trust SSL and send the password in plain because if someone manages to hijack the connection or manages a MITM attack, he can inject all kinds of JavaScript that just invalidates every kind of client-side security I can come up with.
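The scheme described above (salted PBKDF2-HMAC-SHA256 at rest, plaintext password compared only on the server after TLS has carried it there), as an added example that is not part of the issue thread or of aiohttp-security. The thread names passlib's `pbkdf2_sha256`; this example uses only the standard library (`hashlib.pbkdf2_hmac`) so it runs without passlib, and the `pbkdf2_sha256$iterations$salt$digest` string layout, the iteration count, the `login()` helper and the in-memory user store are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters for PBKDF2-HMAC-SHA256. The iteration count is a constructed
# example value; raise it as far as your login latency budget allows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and encode it as
    'pbkdf2_sha256$<iterations>$<salt-b64>$<digest-b64>'.

    The string layout is constructed for this example; it records the
    parameters next to the digest so they can be raised later without
    breaking verification of older records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare it in constant time. Malformed records verify as False."""
    try:
        algorithm, iterations_str, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations_str)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Constructed dummy record used when the username does not exist, so the
# server spends the same time on unknown and known users.
_DUMMY_HASH = hash_password("dummy-password-for-timing", salt=b"\x00" * SALT_BYTES)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Server-side check of the plaintext password received over TLS.

    `users` maps username to the stored hash string (a constructed stand-in
    for a database lookup). Unknown users are verified against the dummy
    hash so response time does not reveal whether the username exists."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample: register one user, then try a good and a bad login.
    store = {"alice": hash_password("correct horse battery staple")}
    print("alice/good:", login(store, "alice", "correct horse battery staple"))
    print("alice/bad: ", login(store, "alice", "wrong password"))
    print("bob/any:   ", login(store, "bob", "whatever"))
```

The client sends the password itself, not a hash of it: if the client pre-hashed, that hash would simply become the password for anyone who captured it, and the server would still have to salt and stretch it. The work factor and the constant-time comparison belong on the server, behind TLS, which is the conclusion the thread reaches.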
Andrew Svetlov commented
Your ideas sound reasonable.
Andreas Bresser commented
OK, so I will just go with that and close this issue.