diff --git a/src/models/user.go b/src/models/user.go
index 4d235856..58c3a033 100644
--- a/src/models/user.go
+++ b/src/models/user.go
@@ -32,7 +32,7 @@ type User struct {
 	Bio       string  `db:"bio"`
 	Blurb     string  `db:"blurb"`
 	Signature string  `db:"signature"`
-	Avatar    *string `db:"avatar"` // TODO: Image field stuff?
+	Avatar    *string `db:"avatar"`
 
 	DarkTheme bool   `db:"darktheme"`
 	Timezone  string `db:"timezone"`
diff --git a/src/templates/src/blog_index.html b/src/templates/src/blog_index.html
index 2972fdb2..177b8a00 100644
--- a/src/templates/src/blog_index.html
+++ b/src/templates/src/blog_index.html
@@ -11,7 +11,6 @@
         {{ template "pagination.html" .Pagination }}
     </div>
 </div>
-{{/* TODO: Breadcrumbs, or some other link back to the blog index */}}
 {{ if .Posts }}
     {{ range .Posts }}
         <div class="flex items-start ph3 pv3 background-even">
diff --git a/src/templates/src/feed.html b/src/templates/src/feed.html
index 937b06ce..3646c085 100644
--- a/src/templates/src/feed.html
+++ b/src/templates/src/feed.html
@@ -1,11 +1,5 @@
 {{ template "base.html" . }}
 
-{{ define "extrahead" }}
-{{/* TODO
-<script type="text/javascript" src="{% static 'util.js' %}?v={% cachebust %}"></script>
-*/}}
-{{ end }}
-
 {{ define "content" }}
 <div class="content-block">
     <div class="optionbar">
diff --git a/src/templates/src/include/header.html b/src/templates/src/include/header.html
index a58e905e..fb981950 100644
--- a/src/templates/src/include/header.html
+++ b/src/templates/src/include/header.html
@@ -11,7 +11,6 @@
             <a class="login" id="login-link" href="{{ .LoginPageUrl }}">Log in</a>
             <div id="login-popup">
                 <form action="{{ .Header.LoginActionUrl }}" method="post">
-                    {{/* TODO: CSRF */}}
                     <table>
                         <tr>
                             <th><label>Username:</label></th>
@@ -21,8 +20,8 @@
                             <th><label>Password:</label></th>
                             <td><input type="password" name="password" class="textbox password" value="" /></td>
                         </tr>
-                        {{/* TODO: Forgot password flow? Or just on standalone page? */}}
                     </table>
+					<a class="db" style="padding: 0.5rem 0;" href="{{ .Header.ForgotPasswordUrl }}">Forgot your password?</a>
                     <input type="hidden" name="redirect" value="{{ $.CurrentUrl }}">
                     <div class="pt2">
                         <input type="submit" value="Log In" />
diff --git a/src/templates/src/showcase.html b/src/templates/src/showcase.html
index 5c8522e6..75bcb5e6 100644
--- a/src/templates/src/showcase.html
+++ b/src/templates/src/showcase.html
@@ -46,7 +46,7 @@
 		let currentYear = null;
 		for (let i = 0; i < showcaseItems.length; i++) {
 			const item = showcaseItems[i];
-			const date = new Date(item.date * 1000); // TODO(asaf): Verify that this is still correct with our new JSON marshalling
+			const date = new Date(item.date * 1000);
 
 			if (date.getMonth() !== currentMonth || date.getFullYear() !== currentYear) {
 				if (currentMonthElements.length > 0) {
diff --git a/src/templates/templates.go b/src/templates/templates.go
index 256c5371..7de7face 100644
--- a/src/templates/templates.go
+++ b/src/templates/templates.go
@@ -249,12 +249,3 @@ var HMNTemplateFuncs = template.FuncMap{
 		return snippet.Type == TimelineTypeSnippetYoutube
 	},
 }
-
-// TODO(asaf): Delete these?
-type ErrInvalidHexColor struct {
-	color string
-}
-
-func (e ErrInvalidHexColor) Error() string {
-	return fmt.Sprintf("invalid hex color: %s", e.color)
-}
diff --git a/src/templates/types.go b/src/templates/types.go
index 248ef5ad..7d4f1ca7 100644
--- a/src/templates/types.go
+++ b/src/templates/types.go
@@ -42,6 +42,7 @@ type Header struct {
 	UserSettingsUrl    string
 	LoginActionUrl     string
 	LogoutActionUrl    string
+	ForgotPasswordUrl  string
 	RegisterUrl        string
 	HMNHomepageUrl     string
 	ProjectHomepageUrl string
diff --git a/src/website/auth.go b/src/website/auth.go
index 3eab2039..e21ba862 100644
--- a/src/website/auth.go
+++ b/src/website/auth.go
@@ -18,11 +18,6 @@ import (
 	"git.handmade.network/hmn/hmn/src/templates"
 )
 
-// TODO(asaf): Add a middleware that guarantees the certain handlers will take at least X amount of time.
-//             Will be relevant for:
-//             * Login POST
-//             * Register POST
-
 var UsernameRegex = regexp.MustCompile(`^[0-9a-zA-Z][\w-]{2,29}$`)
 
 type LoginPageData struct {
@@ -46,7 +41,6 @@ func LoginPage(c *RequestContext) ResponseData {
 }
 
 func Login(c *RequestContext) ResponseData {
-	// TODO: Update this endpoint to give uniform responses on errors and to be resilient to timing attacks.
 	if c.CurrentUser != nil {
 		return RejectRequest(c, "You are already logged in.")
 	}
diff --git a/src/website/forums.go b/src/website/forums.go
index 00e96fe7..a22f11ec 100644
--- a/src/website/forums.go
+++ b/src/website/forums.go
@@ -190,7 +190,6 @@ func Forum(c *RequestContext) ResponseData {
 
 		for _, sfNode := range subforumNodes {
 			c.Perf.StartBlock("SQL", "Fetch count of subforum threads")
-			// TODO(asaf): [PERF] [MINOR] Consider replacing querying count per subforum with a single query for all subforums with GROUP BY.
 			numThreads, err := db.QueryInt(c.Context(), c.Conn,
 				`
 				SELECT COUNT(*)
@@ -207,7 +206,6 @@ func Forum(c *RequestContext) ResponseData {
 			c.Perf.EndBlock()
 
 			c.Perf.StartBlock("SQL", "Fetch subforum threads")
-			// TODO(asaf): [PERF] [MINOR] Consider batching these.
 			itThreads, err := db.Query(c.Context(), c.Conn, threadQueryResult{},
 				`
 				SELECT $columns
@@ -261,7 +259,7 @@ func Forum(c *RequestContext) ResponseData {
 
 	baseData := getBaseData(c)
 	baseData.Title = c.CurrentProject.Name + " Forums"
-	baseData.Breadcrumbs = []templates.Breadcrumb{ // TODO(ben): This is wrong; it needs to account for subforums.
+	baseData.Breadcrumbs = []templates.Breadcrumb{
 		{
 			Name: c.CurrentProject.Name,
 			Url:  hmnurl.BuildProjectHomepage(c.CurrentProject.Slug),
diff --git a/src/website/requesthandling.go b/src/website/requesthandling.go
index b12de9d7..57e3e49a 100644
--- a/src/website/requesthandling.go
+++ b/src/website/requesthandling.go
@@ -140,11 +140,21 @@ func (c *RequestContext) URL() *url.URL {
 }
 
 func (c *RequestContext) FullUrl() string {
-	var scheme string // TODO(asaf): BEFORE RELEASE!! Fetch scheme from X-Forwarded-* headers or Forwarded header
-	if c.Req.TLS != nil {
-		scheme = "https://"
-	} else {
-		scheme = "http://"
+	var scheme string
+
+	if scheme == "" {
+		proto, hasProto := c.Req.Header["X-Forwarded-Proto"]
+		if hasProto {
+			scheme = fmt.Sprintf("%s://", proto)
+		}
+	}
+
+	if scheme == "" {
+		if c.Req.TLS != nil {
+			scheme = "https://"
+		} else {
+			scheme = "http://"
+		}
 	}
 	return scheme + c.Req.Host + c.Req.URL.String()
 }
diff --git a/src/website/routes.go b/src/website/routes.go
index 10aef4c6..ebea9c5b 100644
--- a/src/website/routes.go
+++ b/src/website/routes.go
@@ -170,7 +170,7 @@ func NewWebsiteRoutes(longRequestContext context.Context, conn *pgxpool.Pool, pe
 	// NOTE(asaf): HMN-only routes:
 	mainRoutes.GET(hmnurl.RegexOldHome, Index)
 
-	mainRoutes.POST(hmnurl.RegexLoginAction, Login)
+	mainRoutes.POST(hmnurl.RegexLoginAction, securityTimerMiddleware(time.Millisecond*100, Login)) // TODO(asaf): Adjust this after launch
 	mainRoutes.GET(hmnurl.RegexLogoutAction, Logout)
 	mainRoutes.GET(hmnurl.RegexLoginPage, LoginPage)
 
@@ -297,6 +297,7 @@ func getBaseData(c *RequestContext) templates.BaseData {
 			UserSettingsUrl:    hmnurl.BuildUserSettings(""),
 			LoginActionUrl:     hmnurl.BuildLoginAction(c.FullUrl()),
 			LogoutActionUrl:    hmnurl.BuildLogoutAction(c.FullUrl()),
+			ForgotPasswordUrl:  hmnurl.BuildRequestPasswordReset(),
 			RegisterUrl:        hmnurl.BuildRegister(),
 			HMNHomepageUrl:     hmnurl.BuildHomepage(),
 			ProjectHomepageUrl: hmnurl.BuildProjectHomepage(c.CurrentProject.Slug),