Accounts and sessions
Passwords are stored using a memory-hard password hash rather than reversible encryption. Sessions are invalidated after sensitive password changes, and account owners can enable time-based one-time-password two-factor authentication.
State-changing browser requests use same-origin and CSRF protections. Administrative routes require both a valid session and an administrator role. Password-protected image previews used for moderation stay behind this same role boundary and never expose a reusable bypass token.