Security

No passwords

SHA-256 hash-based magic link.
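One way a SHA-256 based magic link can work, as an added example that is not this project's code: the server emails a random token and stores only its SHA-256 digest, so a leaked table holds no usable links. The `MagicLinkStore` class, the 15-minute lifetime, the single-use rule and the `example.invalid` URL are assumptions, not details stated on this page.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the page does not state one


class MagicLinkStore:
    """Hypothetical in-memory stand-in for the server-side table of pending logins."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) hex digest -> (email, expires_at)
        self._now = now     # injectable clock so expiry can be tested

    def issue(self, email, base_url="https://example.invalid/login"):
        # 32 bytes from the OS CSPRNG. Only the digest is kept server-side;
        # the raw token exists solely in the emailed link.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        return f"{base_url}?token={token}"

    def redeem(self, token):
        """Return the email bound to a valid token, otherwise None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the entry on first presentation, so a link is
        # single-use even when it turns out to be expired.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("user@example.invalid")  # constructed sample address
    token = link.split("token=")[1]
    print(store.redeem(token))  # first use succeeds
    print(store.redeem(token))  # replay is rejected
```
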

Cookies

In theory, most security issues listed here can be bypassed if someone has access to your laptop with your browser open. I did raise an issue with Firefox/Safari about password-protecting DevTools, but they were not interested in protecting cookies from being snooped.

Cookies are stored securely and are available only for the path “/home”. Always use official browsers.

Injection

The application is protected against SQL injection. The notebook name is protected against code injection.

CSRF

Only one public form is used: the login form. Notebooks can be public and can contain unknown scripts. How secure are they?

Form Size Limit

5 MB

One database per user

If one user is compromised, the entire system is not compromised.

Future

Offer an encrypted database.