SSL

[nickstenning]

At least the login/signup pages, and more likely the whole website, should be secured with SSL.

It's likely that it's possible to do this even for the API without introducing any breakage, because browsers are obliged to follow redirects on XHR requests transparently. I've had issues with this with CORS, in the past, so it may be that only the token generator endpoint can be secured.

[rufuspollock]

Big +1.

[melat0nin]

Yep it's a serious problem now that TLS is proliferating much quicker thanks to initiatives like letsencrypt.

For my part I implemented a local sqlite store using ikr/annotator-store-lite and it works well, and it's the same server so of course TLS isn't an issue.