aio-libs / aiohttp-security

auth and permissions for aiohttp


Client security

brean opened this issue · comments

In #183 it is said that aiohttp-security is used for server-side only, but can you provide some best-practices for login from a client?

I guess it is best to store the password in the database using pbkdf2_sha256 from passlib.hash. I think I have to trust SSL and send the password in plain because if someone manages to hijack the connection/manages a MITM attack he can inject all kinds of JavaScript that just invalidates every kind of client-side security I can come up with.
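As an added illustration of the server-side half of what the post describes (not code from aiohttp-security or from the poster), the following uses the standard library's `hashlib.pbkdf2_hmac` rather than passlib's `pbkdf2_sha256` so it runs without extra dependencies; the storage format (`pbkdf2_sha256$rounds$salt$hash`), the round count, the in-memory user store and the `authenticate` helper are all assumptions made for this example. The verify step compares digests in constant time, and the lookup always performs one PBKDF2 computation so that response time does not reveal whether a username exists.

```python
import base64
import hashlib
import hmac
import os

# Parameters chosen for this example (assumptions, not project defaults).
PBKDF2_ROUNDS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<rounds>$<salt_b64>$<hash_b64>.

    A fresh random salt is generated for every call, so hashing the same
    password twice yields different records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and rounds; compare in constant time."""
    try:
        scheme, rounds, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed or corrupted record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# Dummy record used when the username is unknown, so that both branches of
# authenticate() cost one PBKDF2 computation. It must use the same parameters
# as real records to keep the timing equal (constructed value, never matches).
_DUMMY_RECORD = hash_password(base64.b64encode(os.urandom(32)).decode("ascii"))


def authenticate(user_store: dict, username: str, password: str) -> bool:
    """Check credentials against a {username: stored_record} mapping.

    The password arrives in the clear over TLS (as the post assumes); the
    server never stores it, only the PBKDF2 record.
    """
    stored = user_store.get(username, _DUMMY_RECORD)
    ok = verify_password(password, stored)
    return ok and username in user_store


if __name__ == "__main__":
    # Constructed sample store, as a real app would build it at registration.
    store = {"alice": hash_password("correct horse battery staple")}
    print(authenticate(store, "alice", "correct horse battery staple"))  # True
    print(authenticate(store, "alice", "wrong"))  # False
    print(authenticate(store, "mallory", "anything"))  # False
```

Note that this covers only password storage and verification; session handling after a successful login is what aiohttp-security itself provides.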

Your ideas sound reasonable

OK, so I will just go with that and close this issue.