Brute-force attack countermeasures and CSRF prevention would be awesome. ouo For the brute force, it could be something like: if a user has 5 failed logins, their account would be locked for a certain period of time (the number of login attempts and the blocked attacker's IP being stored in the database?). For the CSRF, perhaps something like the chosen answer here? c:
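One way the two requested measures could look in code, written here as an added example and not taken from the post or from whatever project it is addressed to. It implements the lockout the post describes (5 failed logins locks the account, each failing IP is recorded) and a synchronizer-token CSRF check. The 15-minute lockout period, the in-memory dictionaries standing in for the database table, the `verify` callback standing in for real password-hash checking, and the `clock` parameter (so the lockout expiry can be tested without waiting) are all assumptions of this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5      # from the post: lock after 5 failed logins
LOCKOUT_SECONDS = 15 * 60    # assumed lockout period; the post leaves it open


@dataclass
class LoginRecord:
    """Per-account state; in a real deployment this would be a database row."""
    failed_attempts: int = 0
    locked_until: float = 0.0                       # unix time; 0.0 means not locked
    failing_ips: list = field(default_factory=list)  # IPs seen on failed attempts


class LoginGuard:
    """Account lockout after repeated failed logins.

    `verify(username, password)` is a stand-in for the real credential check
    (e.g. comparing against a stored password hash). `clock` returns unix time.
    """

    def __init__(self, verify, clock=time.time):
        self.verify = verify
        self.clock = clock
        self.records = {}  # username -> LoginRecord (stand-in for the DB table)

    def _record(self, username):
        return self.records.setdefault(username, LoginRecord())

    def is_locked(self, username):
        return self._record(username).locked_until > self.clock()

    def attempt(self, username, password, ip):
        """Returns 'ok', 'failed' or 'locked'. Locked accounts reject even a
        correct password until the lockout period has elapsed."""
        rec = self._record(username)
        now = self.clock()
        if rec.locked_until > now:
            return "locked"
        if self.verify(username, password):
            rec.failed_attempts = 0
            rec.failing_ips.clear()
            return "ok"
        # Unknown usernames are counted too, so the response does not reveal
        # whether the account exists.
        rec.failed_attempts += 1
        rec.failing_ips.append(ip)
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.locked_until = now + LOCKOUT_SECONDS
            rec.failed_attempts = 0  # a fresh run of failures is needed after expiry
            return "locked"
        return "failed"

    def failing_ips(self, username):
        """IPs recorded on failed attempts, for review or for blocking at the edge."""
        return list(self._record(username).failing_ips)


class CsrfTokens:
    """Synchronizer-token pattern: one random token per session, embedded in
    forms and checked on every state-changing request."""

    def __init__(self):
        self.by_session = {}  # session id -> token (stand-in for server-side session storage)

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self.by_session[session_id] = token
        return token

    def validate(self, session_id, submitted):
        expected = self.by_session.get(session_id)
        if expected is None or submitted is None:
            return False
        # constant-time comparison so the check does not leak the token byte by byte
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    guard = LoginGuard(lambda u, p: u == "alice" and p == "correct horse")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.attempt("alice", "wrong", "203.0.113.5"))  # constructed sample IP
    print(guard.attempt("alice", "correct horse", "203.0.113.5"))  # locked
    print(guard.failing_ips("alice"))

    csrf = CsrfTokens()
    token = csrf.issue("session-1")
    print(csrf.validate("session-1", token), csrf.validate("session-1", "forged"))
```

The lockout is keyed by username rather than by IP so that a distributed attacker cannot simply rotate addresses, while the recorded IPs still give the operator something to block or investigate; the CSRF token is compared with `hmac.compare_digest` rather than `==`.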