diff --git a/.gitignore b/.gitignore
index 37ce1aa50..1a86cb06b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,7 @@ nosetests.xml
 
 # Virtual environment
 venv
+
+# Environment files
+.env
+.env-mysql
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..88d94d100
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM python:3.6-alpine
+
+ENV FLASK_APP flasky.py
+ENV FLASK_CONFIG production
+
+RUN adduser -D flasky
+USER flasky
+
+WORKDIR /home/flasky
+
+COPY requirements requirements
+RUN python -m venv venv
+RUN venv/bin/pip install -r requirements/docker.txt
+
+COPY app app
+COPY migrations migrations
+COPY flasky.py config.py boot.sh ./
+
+# run-time configuration
+EXPOSE 5000
+ENTRYPOINT ["./boot.sh"]
diff --git a/Procfile b/Procfile
new file mode 100644
index 000000000..541c902b3
--- /dev/null
+++ b/Procfile
@@ -0,0 +1 @@
+web: gunicorn flasky:app
diff --git a/app/__init__.py b/app/__init__.py
index 0326ca671..a0d325a37 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -29,10 +29,17 @@ def create_app(config_name):
     login_manager.init_app(app)
     pagedown.init_app(app)
 
+    if app.config['SSL_REDIRECT']:
+        from flask_sslify import SSLify
+        sslify = SSLify(app)
+
     from .main import main as main_blueprint
     app.register_blueprint(main_blueprint)
 
     from .auth import auth as auth_blueprint
     app.register_blueprint(auth_blueprint, url_prefix='/auth')
 
+    from .api import api as api_blueprint
+    app.register_blueprint(api_blueprint, url_prefix='/api/v1')
+
     return app
diff --git a/app/api/__init__.py b/app/api/__init__.py
new file mode 100644
index 000000000..f029d5385
--- /dev/null
+++ b/app/api/__init__.py
@@ -0,0 +1,5 @@
+from flask import Blueprint
+
+api = Blueprint('api', __name__)
+
+from . import authentication, posts, users, comments, errors
diff --git a/app/api/authentication.py b/app/api/authentication.py
new file mode 100644
index 000000000..a9c66f4e9
--- /dev/null
+++ b/app/api/authentication.py
@@ -0,0 +1,44 @@
+from flask import g, jsonify
+from flask_httpauth import HTTPBasicAuth
+from ..models import User
+from . import api
+from .errors import unauthorized, forbidden
+
+auth = HTTPBasicAuth()
+
+
+@auth.verify_password
+def verify_password(email_or_token, password):
+    if email_or_token == '':
+        return False
+    if password == '':
+        g.current_user = User.verify_auth_token(email_or_token)
+        g.token_used = True
+        return g.current_user is not None
+    user = User.query.filter_by(email=email_or_token.lower()).first()
+    if not user:
+        return False
+    g.current_user = user
+    g.token_used = False
+    return user.verify_password(password)
+
+
+@auth.error_handler
+def auth_error():
+    return unauthorized('Invalid credentials')
+
+
+@api.before_request
+@auth.login_required
+def before_request():
+    if not g.current_user.is_anonymous and \
+            not g.current_user.confirmed:
+        return forbidden('Unconfirmed account')
+
+
+@api.route('/tokens/', methods=['POST'])
+def get_token():
+    if g.current_user.is_anonymous or g.token_used:
+        return unauthorized('Invalid credentials')
+    return jsonify({'token': g.current_user.generate_auth_token(
+        expiration=3600), 'expiration': 3600})
diff --git a/app/api/comments.py b/app/api/comments.py
new file mode 100644
index 000000000..1ecd4b03f
--- /dev/null
+++ b/app/api/comments.py
@@ -0,0 +1,67 @@
+from flask import jsonify, request, g, url_for, current_app
+from .. import db
+from ..models import Post, Permission, Comment
+from . import api
+from .decorators import permission_required
+
+
+@api.route('/comments/')
+def get_comments():
+    page = request.args.get('page', 1, type=int)
+    pagination = Comment.query.order_by(Comment.timestamp.desc()).paginate(
+        page, per_page=current_app.config['FLASKY_COMMENTS_PER_PAGE'],
+        error_out=False)
+    comments = pagination.items
+    prev = None
+    if pagination.has_prev:
+        prev = url_for('api.get_comments', page=page-1)
+    next = None
+    if pagination.has_next:
+        next = url_for('api.get_comments', page=page+1)
+    return jsonify({
+        'comments': [comment.to_json() for comment in comments],
+        'prev': prev,
+        'next': next,
+        'count': pagination.total
+    })
+
+
+@api.route('/comments/<int:id>')
+def get_comment(id):
+    comment = Comment.query.get_or_404(id)
+    return jsonify(comment.to_json())
+
+
+@api.route('/posts/<int:id>/comments/')
+def get_post_comments(id):
+    post = Post.query.get_or_404(id)
+    page = request.args.get('page', 1, type=int)
+    pagination = post.comments.order_by(Comment.timestamp.asc()).paginate(
+        page, per_page=current_app.config['FLASKY_COMMENTS_PER_PAGE'],
+        error_out=False)
+    comments = pagination.items
+    prev = None
+    if pagination.has_prev:
+        prev = url_for('api.get_post_comments', id=id, page=page-1)
+    next = None
+    if pagination.has_next:
+        next = url_for('api.get_post_comments', id=id, page=page+1)
+    return jsonify({
+        'comments': [comment.to_json() for comment in comments],
+        'prev': prev,
+        'next': next,
+        'count': pagination.total
+    })
+
+
+@api.route('/posts/<int:id>/comments/', methods=['POST'])
+@permission_required(Permission.COMMENT)
+def new_post_comment(id):
+    post = Post.query.get_or_404(id)
+    comment = Comment.from_json(request.json)
+    comment.author = g.current_user
+    comment.post = post
+    db.session.add(comment)
+    db.session.commit()
+    return jsonify(comment.to_json()), 201, \
+        {'Location': url_for('api.get_comment', id=comment.id)}
diff --git a/app/api/decorators.py b/app/api/decorators.py
new file mode 100644
index 000000000..4b7086821
--- /dev/null
+++ b/app/api/decorators.py
@@ -0,0 +1,14 @@
+from functools import wraps
+from flask import g
+from .errors import forbidden
+
+
+def permission_required(permission):
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            if not g.current_user.can(permission):
+                return forbidden('Insufficient permissions')
+            return f(*args, **kwargs)
+        return decorated_function
+    return decorator
diff --git a/app/api/errors.py b/app/api/errors.py
new file mode 100644
index 000000000..d176c8999
--- /dev/null
+++ b/app/api/errors.py
@@ -0,0 +1,26 @@
+from flask import jsonify
+from app.exceptions import ValidationError
+from . import api
+
+
+def bad_request(message):
+    response = jsonify({'error': 'bad request', 'message': message})
+    response.status_code = 400
+    return response
+
+
+def unauthorized(message):
+    response = jsonify({'error': 'unauthorized', 'message': message})
+    response.status_code = 401
+    return response
+
+
+def forbidden(message):
+    response = jsonify({'error': 'forbidden', 'message': message})
+    response.status_code = 403
+    return response
+
+
+@api.errorhandler(ValidationError)
+def validation_error(e):
+    return bad_request(e.args[0])
diff --git a/app/api/posts.py b/app/api/posts.py
new file mode 100644
index 000000000..c0123b825
--- /dev/null
+++ b/app/api/posts.py
@@ -0,0 +1,57 @@
+from flask import jsonify, request, g, url_for, current_app
+from .. import db
+from ..models import Post, Permission
+from . import api
+from .decorators import permission_required
+from .errors import forbidden
+
+
+@api.route('/posts/')
+def get_posts():
+    page = request.args.get('page', 1, type=int)
+    pagination = Post.query.paginate(
+        page, per_page=current_app.config['FLASKY_POSTS_PER_PAGE'],
+        error_out=False)
+    posts = pagination.items
+    prev = None
+    if pagination.has_prev:
+        prev = url_for('api.get_posts', page=page-1)
+    next = None
+    if pagination.has_next:
+        next = url_for('api.get_posts', page=page+1)
+    return jsonify({
+        'posts': [post.to_json() for post in posts],
+        'prev': prev,
+        'next': next,
+        'count': pagination.total
+    })
+
+
+@api.route('/posts/<int:id>')
+def get_post(id):
+    post = Post.query.get_or_404(id)
+    return jsonify(post.to_json())
+
+
+@api.route('/posts/', methods=['POST'])
+@permission_required(Permission.WRITE)
+def new_post():
+    post = Post.from_json(request.json)
+    post.author = g.current_user
+    db.session.add(post)
+    db.session.commit()
+    return jsonify(post.to_json()), 201, \
+        {'Location': url_for('api.get_post', id=post.id)}
+
+
+@api.route('/posts/<int:id>', methods=['PUT'])
+@permission_required(Permission.WRITE)
+def edit_post(id):
+    post = Post.query.get_or_404(id)
+    if g.current_user != post.author and \
+            not g.current_user.can(Permission.ADMIN):
+        return forbidden('Insufficient permissions')
+    post.body = request.json.get('body', post.body)
+    db.session.add(post)
+    db.session.commit()
+    return jsonify(post.to_json())
diff --git a/app/api/users.py b/app/api/users.py
new file mode 100644
index 000000000..31d05dd6c
--- /dev/null
+++ b/app/api/users.py
@@ -0,0 +1,53 @@
+from flask import jsonify, request, current_app, url_for
+from . import api
+from ..models import User, Post
+
+
+@api.route('/users/<int:id>')
+def get_user(id):
+    user = User.query.get_or_404(id)
+    return jsonify(user.to_json())
+
+
+@api.route('/users/<int:id>/posts/')
+def get_user_posts(id):
+    user = User.query.get_or_404(id)
+    page = request.args.get('page', 1, type=int)
+    pagination = user.posts.order_by(Post.timestamp.desc()).paginate(
+        page, per_page=current_app.config['FLASKY_POSTS_PER_PAGE'],
+        error_out=False)
+    posts = pagination.items
+    prev = None
+    if pagination.has_prev:
+        prev = url_for('api.get_user_posts', id=id, page=page-1)
+    next = None
+    if pagination.has_next:
+        next = url_for('api.get_user_posts', id=id, page=page+1)
+    return jsonify({
+        'posts': [post.to_json() for post in posts],
+        'prev': prev,
+        'next': next,
+        'count': pagination.total
+    })
+
+
+@api.route('/users/<int:id>/timeline/')
+def get_user_followed_posts(id):
+    user = User.query.get_or_404(id)
+    page = request.args.get('page', 1, type=int)
+    pagination = user.followed_posts.order_by(Post.timestamp.desc()).paginate(
+        page, per_page=current_app.config['FLASKY_POSTS_PER_PAGE'],
+        error_out=False)
+    posts = pagination.items
+    prev = None
+    if pagination.has_prev:
+        prev = url_for('api.get_user_followed_posts', id=id, page=page-1)
+    next = None
+    if pagination.has_next:
+        next = url_for('api.get_user_followed_posts', id=id, page=page+1)
+    return jsonify({
+        'posts': [post.to_json() for post in posts],
+        'prev': prev,
+        'next': next,
+        'count': pagination.total
+    })
diff --git a/app/exceptions.py b/app/exceptions.py
new file mode 100644
index 000000000..2851fa718
--- /dev/null
+++ b/app/exceptions.py
@@ -0,0 +1,2 @@
+class ValidationError(ValueError):
+    pass
diff --git a/app/main/errors.py b/app/main/errors.py
index 416c15142..60b5f2276 100644
--- a/app/main/errors.py
+++ b/app/main/errors.py
@@ -1,17 +1,32 @@
-from flask import render_template
+from flask import render_template, request, jsonify
 from . import main
 
 
 @main.app_errorhandler(403)
 def forbidden(e):
+    if request.accept_mimetypes.accept_json and \
+            not request.accept_mimetypes.accept_html:
+        response = jsonify({'error': 'forbidden'})
+        response.status_code = 403
+        return response
     return render_template('403.html'), 403
 
 
 @main.app_errorhandler(404)
 def page_not_found(e):
+    if request.accept_mimetypes.accept_json and \
+            not request.accept_mimetypes.accept_html:
+        response = jsonify({'error': 'not found'})
+        response.status_code = 404
+        return response
     return render_template('404.html'), 404
 
 
 @main.app_errorhandler(500)
 def internal_server_error(e):
+    if request.accept_mimetypes.accept_json and \
+            not request.accept_mimetypes.accept_html:
+        response = jsonify({'error': 'internal server error'})
+        response.status_code = 500
+        return response
     return render_template('500.html'), 500
diff --git a/app/main/forms.py b/app/main/forms.py
index d28c7c139..770edb2b4 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -54,3 +54,8 @@ def validate_username(self, field):
 class PostForm(FlaskForm):
     body = PageDownField("What's on your mind?", validators=[DataRequired()])
     submit = SubmitField('Submit')
+
+
+class CommentForm(FlaskForm):
+    body = StringField('Enter your comment', validators=[DataRequired()])
+    submit = SubmitField('Submit')
diff --git a/app/main/views.py b/app/main/views.py
index edbed206b..5b30b245c 100644
--- a/app/main/views.py
+++ b/app/main/views.py
@@ -1,13 +1,37 @@
 from flask import render_template, redirect, url_for, abort, flash, request,\
-    current_app
+    current_app, make_response
 from flask_login import login_required, current_user
+from flask_sqlalchemy import get_debug_queries
 from . import main
-from .forms import EditProfileForm, EditProfileAdminForm, PostForm
+from .forms import EditProfileForm, EditProfileAdminForm, PostForm,\
+    CommentForm
 from .. import db
-from ..models import Permission, Role, User, Post
+from ..models import Permission, Role, User, Post, Comment
 from ..decorators import admin_required, permission_required
 
 
+@main.after_app_request
+def after_request(response):
+    for query in get_debug_queries():
+        if query.duration >= current_app.config['FLASKY_SLOW_DB_QUERY_TIME']:
+            current_app.logger.warning(
+                'Slow query: %s\nParameters: %s\nDuration: %fs\nContext: %s\n'
+                % (query.statement, query.parameters, query.duration,
+                   query.context))
+    return response
+
+
+@main.route('/shutdown')
+def server_shutdown():
+    if not current_app.testing:
+        abort(404)
+    shutdown = request.environ.get('werkzeug.server.shutdown')
+    if not shutdown:
+        abort(500)
+    shutdown()
+    return 'Shutting down...'
+
+
 @main.route('/', methods=['GET', 'POST'])
 def index():
     form = PostForm()
@@ -18,12 +42,19 @@ def index():
         db.session.commit()
         return redirect(url_for('.index'))
     page = request.args.get('page', 1, type=int)
-    pagination = Post.query.order_by(Post.timestamp.desc()).paginate(
+    show_followed = False
+    if current_user.is_authenticated:
+        show_followed = bool(request.cookies.get('show_followed', ''))
+    if show_followed:
+        query = current_user.followed_posts
+    else:
+        query = Post.query
+    pagination = query.order_by(Post.timestamp.desc()).paginate(
         page, per_page=current_app.config['FLASKY_POSTS_PER_PAGE'],
         error_out=False)
     posts = pagination.items
     return render_template('index.html', form=form, posts=posts,
-                           pagination=pagination)
+                           show_followed=show_followed, pagination=pagination)
 
 
 @main.route('/user/<username>')
@@ -84,10 +115,28 @@ def edit_profile_admin(id):
     return render_template('edit_profile.html', form=form, user=user)
 
 
-@main.route('/post/<int:id>')
+@main.route('/post/<int:id>', methods=['GET', 'POST'])
 def post(id):
     post = Post.query.get_or_404(id)
-    return render_template('post.html', posts=[post])
+    form = CommentForm()
+    if form.validate_on_submit():
+        comment = Comment(body=form.body.data,
+                          post=post,
+                          author=current_user._get_current_object())
+        db.session.add(comment)
+        db.session.commit()
+        flash('Your comment has been published.')
+        return redirect(url_for('.post', id=post.id, page=-1))
+    page = request.args.get('page', 1, type=int)
+    if page == -1:
+        page = (post.comments.count() - 1) // \
+            current_app.config['FLASKY_COMMENTS_PER_PAGE'] + 1
+    pagination = post.comments.order_by(Comment.timestamp.asc()).paginate(
+        page, per_page=current_app.config['FLASKY_COMMENTS_PER_PAGE'],
+        error_out=False)
+    comments = pagination.items
+    return render_template('post.html', posts=[post], form=form,
+                           comments=comments, pagination=pagination)
 
 
 @main.route('/edit/<int:id>', methods=['GET', 'POST'])
@@ -174,3 +223,56 @@ def followed_by(username):
     return render_template('followers.html', user=user, title="Followed by",
                            endpoint='.followed_by', pagination=pagination,
                            follows=follows)
+
+
+@main.route('/all')
+@login_required
+def show_all():
+    resp = make_response(redirect(url_for('.index')))
+    resp.set_cookie('show_followed', '', max_age=30*24*60*60)
+    return resp
+
+
+@main.route('/followed')
+@login_required
+def show_followed():
+    resp = make_response(redirect(url_for('.index')))
+    resp.set_cookie('show_followed', '1', max_age=30*24*60*60)
+    return resp
+
+
+@main.route('/moderate')
+@login_required
+@permission_required(Permission.MODERATE)
+def moderate():
+    page = request.args.get('page', 1, type=int)
+    pagination = Comment.query.order_by(Comment.timestamp.desc()).paginate(
+        page, per_page=current_app.config['FLASKY_COMMENTS_PER_PAGE'],
+        error_out=False)
+    comments = pagination.items
+    return render_template('moderate.html', comments=comments,
+                           pagination=pagination, page=page)
+
+
+@main.route('/moderate/enable/<int:id>')
+@login_required
+@permission_required(Permission.MODERATE)
+def moderate_enable(id):
+    comment = Comment.query.get_or_404(id)
+    comment.disabled = False
+    db.session.add(comment)
+    db.session.commit()
+    return redirect(url_for('.moderate',
+                            page=request.args.get('page', 1, type=int)))
+
+
+@main.route('/moderate/disable/<int:id>')
+@login_required
+@permission_required(Permission.MODERATE)
+def moderate_disable(id):
+    comment = Comment.query.get_or_404(id)
+    comment.disabled = True
+    db.session.add(comment)
+    db.session.commit()
+    return redirect(url_for('.moderate',
+                            page=request.args.get('page', 1, type=int)))
diff --git a/app/models.py b/app/models.py
index e7ddb5e24..8832f76cc 100644
--- a/app/models.py
+++ b/app/models.py
@@ -4,8 +4,9 @@
 from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
 from markdown import markdown
 import bleach
-from flask import current_app, request
+from flask import current_app, request, url_for
 from flask_login import UserMixin, AnonymousUserMixin
+from app.exceptions import ValidationError
 from . import db, login_manager
 
 
@@ -104,6 +105,15 @@ class User(UserMixin, db.Model):
                                 backref=db.backref('followed', lazy='joined'),
                                 lazy='dynamic',
                                 cascade='all, delete-orphan')
+    comments = db.relationship('Comment', backref='author', lazy='dynamic')
+
+    @staticmethod
+    def add_self_follows():
+        for user in User.query.all():
+            if not user.is_following(user):
+                user.follow(user)
+                db.session.add(user)
+                db.session.commit()
 
     def __init__(self, **kwargs):
         super(User, self).__init__(**kwargs)
@@ -114,6 +124,7 @@ def __init__(self, **kwargs):
                 self.role = Role.query.filter_by(default=True).first()
         if self.email is not None and self.avatar_hash is None:
             self.avatar_hash = self.gravatar_hash()
+        self.follow(self)
 
     @property
     def password(self):
@@ -229,6 +240,33 @@ def followed_posts(self):
         return Post.query.join(Follow, Follow.followed_id == Post.author_id)\
             .filter(Follow.follower_id == self.id)
 
+    def to_json(self):
+        json_user = {
+            'url': url_for('api.get_user', id=self.id),
+            'username': self.username,
+            'member_since': self.member_since,
+            'last_seen': self.last_seen,
+            'posts_url': url_for('api.get_user_posts', id=self.id),
+            'followed_posts_url': url_for('api.get_user_followed_posts',
+                                          id=self.id),
+            'post_count': self.posts.count()
+        }
+        return json_user
+
+    def generate_auth_token(self, expiration):
+        s = Serializer(current_app.config['SECRET_KEY'],
+                       expires_in=expiration)
+        return s.dumps({'id': self.id}).decode('utf-8')
+
+    @staticmethod
+    def verify_auth_token(token):
+        s = Serializer(current_app.config['SECRET_KEY'])
+        try:
+            data = s.loads(token)
+        except:
+            return None
+        return User.query.get(data['id'])
+
     def __repr__(self):
         return '<User %r>' % self.username
 
@@ -255,6 +293,7 @@ class Post(db.Model):
     body_html = db.Column(db.Text)
     timestamp = db.Column(db.DateTime, index=True, default=datetime.utcnow)
     author_id = db.Column(db.Integer, db.ForeignKey('users.id'))
+    comments = db.relationship('Comment', backref='post', lazy='dynamic')
 
     @staticmethod
     def on_changed_body(target, value, oldvalue, initiator):
@@ -265,4 +304,64 @@ def on_changed_body(target, value, oldvalue, initiator):
             markdown(value, output_format='html'),
             tags=allowed_tags, strip=True))
 
+    def to_json(self):
+        json_post = {
+            'url': url_for('api.get_post', id=self.id),
+            'body': self.body,
+            'body_html': self.body_html,
+            'timestamp': self.timestamp,
+            'author_url': url_for('api.get_user', id=self.author_id),
+            'comments_url': url_for('api.get_post_comments', id=self.id),
+            'comment_count': self.comments.count()
+        }
+        return json_post
+
+    @staticmethod
+    def from_json(json_post):
+        body = json_post.get('body')
+        if body is None or body == '':
+            raise ValidationError('post does not have a body')
+        return Post(body=body)
+
+
 db.event.listen(Post.body, 'set', Post.on_changed_body)
+
+
+class Comment(db.Model):
+    __tablename__ = 'comments'
+    id = db.Column(db.Integer, primary_key=True)
+    body = db.Column(db.Text)
+    body_html = db.Column(db.Text)
+    timestamp = db.Column(db.DateTime, index=True, default=datetime.utcnow)
+    disabled = db.Column(db.Boolean)
+    author_id = db.Column(db.Integer, db.ForeignKey('users.id'))
+    post_id = db.Column(db.Integer, db.ForeignKey('posts.id'))
+
+    @staticmethod
+    def on_changed_body(target, value, oldvalue, initiator):
+        allowed_tags = ['a', 'abbr', 'acronym', 'b', 'code', 'em', 'i',
+                        'strong']
+        target.body_html = bleach.linkify(bleach.clean(
+            markdown(value, output_format='html'),
+            tags=allowed_tags, strip=True))
+
+    def to_json(self):
+        json_comment = {
+            'url': url_for('api.get_comment', id=self.id),
+            'post_url': url_for('api.get_post', id=self.post_id),
+            'body': self.body,
+            'body_html': self.body_html,
+            'timestamp': self.timestamp,
+            'author_url': url_for('api.get_user', id=self.author_id),
+        }
+        return json_comment
+
+    @staticmethod
+    def from_json(json_comment):
+        body = json_comment.get('body')
+        if body is None or body == '':
+            raise ValidationError('comment does not have a body')
+        return Comment(body=body)
+
+
+db.event.listen(Comment.body, 'set', Comment.on_changed_body)
diff --git a/app/static/styles.css b/app/static/styles.css
index 2b305a424..0dae2c34f 100644
--- a/app/static/styles.css
+++ b/app/static/styles.css
@@ -5,12 +5,19 @@
     min-height: 260px;
     margin-left: 280px;
 }
+div.post-tabs {
+    margin-top: 16px;
+}
 ul.posts {
     list-style-type: none;
     padding: 0px;
     margin: 16px 0px 0px 0px;
     border-top: 1px solid #e0e0e0;
 }
+div.post-tabs ul.posts {
+    margin: 0px;
+    border-top: none;
+}
 ul.posts li.post {
     padding: 8px;
     border-bottom: 1px solid #e0e0e0;
@@ -34,6 +41,38 @@ div.post-content {
 div.post-footer {
     text-align: right;
 }
+ul.comments {
+    list-style-type: none;
+    padding: 0px;
+    margin: 16px 0px 0px 0px;
+}
+ul.comments li.comment {
+    margin-left: 32px;
+    padding: 8px;
+    border-bottom: 1px solid #e0e0e0;
+}
+ul.comments li.comment:nth-child(1) {
+    border-top: 1px solid #e0e0e0;
+}
+ul.comments li.comment:hover {
+    background-color: #f0f0f0;
+}
+div.comment-date {
+    float: right;
+}
+div.comment-author {
+    font-weight: bold;
+}
+div.comment-thumbnail {
+    position: absolute;
+}
+div.comment-content {
+    margin-left: 48px;
+    min-height: 48px;
+}
+div.comment-form {
+    margin: 16px 0px 16px 32px;
+}
 div.pagination {
     width: 100%;
     text-align: right;
diff --git a/app/templates/_comments.html b/app/templates/_comments.html
new file mode 100644
index 000000000..aa278f724
--- /dev/null
+++ b/app/templates/_comments.html
@@ -0,0 +1,35 @@
+<ul class="comments">
+    {% for comment in comments %}
+    <li class="comment">
+        <div class="comment-thumbnail">
+            <a href="{{ url_for('.user', username=comment.author.username) }}">
+                <img class="img-rounded profile-thumbnail" src="{{ comment.author.gravatar(size=40) }}">
+            </a>
+        </div>
+        <div class="comment-content">
+            <div class="comment-date">{{ moment(comment.timestamp).fromNow() }}</div>
+            <div class="comment-author"><a href="{{ url_for('.user', username=comment.author.username) }}">{{ comment.author.username }}</a></div>
+            <div class="comment-body">
+                {% if comment.disabled %}
+                <p><i>This comment has been disabled by a moderator.</i></p>
+                {% endif %}
+                {% if moderate or not comment.disabled %}
+                    {% if comment.body_html %}
+                        {{ comment.body_html | safe }}
+                    {% else %}
+                        {{ comment.body }}
+                    {% endif %}
+                {% endif %}
+            </div>
+            {% if moderate %}
+                <br>
+                {% if comment.disabled %}
+                <a class="btn btn-default btn-xs" href="{{ url_for('.moderate_enable', id=comment.id, page=page) }}">Enable</a>
+                {% else %}
+                <a class="btn btn-danger btn-xs" href="{{ url_for('.moderate_disable', id=comment.id, page=page) }}">Disable</a>
+                {% endif %}
+            {% endif %}
+        </div>
+    </li>
+    {% endfor %}
+</ul>
diff --git a/app/templates/_macros.html b/app/templates/_macros.html
index b5d55a394..a4789c896 100644
--- a/app/templates/_macros.html
+++ b/app/templates/_macros.html
@@ -1,7 +1,7 @@
-{% macro pagination_widget(pagination, endpoint) %}
+{% macro pagination_widget(pagination, endpoint, fragment='') %}
 <ul class="pagination">
     <li{% if not pagination.has_prev %} class="disabled"{% endif %}>
-        <a href="{% if pagination.has_prev %}{{ url_for(endpoint, page=pagination.prev_num, **kwargs) }}{% else %}#{% endif %}">
+        <a href="{% if pagination.has_prev %}{{ url_for(endpoint, page=pagination.prev_num, **kwargs) }}{{ fragment }}{% else %}#{% endif %}">
             &laquo;
         </a>
     </li>
@@ -9,11 +9,11 @@
         {% if p %}
             {% if p == pagination.page %}
             <li class="active">
-                <a href="{{ url_for(endpoint, page = p, **kwargs) }}">{{ p }}</a>
+                <a href="{{ url_for(endpoint, page = p, **kwargs) }}{{ fragment }}">{{ p }}</a>
             </li>
             {% else %}
             <li>
-                <a href="{{ url_for(endpoint, page = p, **kwargs) }}">{{ p }}</a>
+                <a href="{{ url_for(endpoint, page = p, **kwargs) }}{{ fragment }}">{{ p }}</a>
             </li>
             {% endif %}
         {% else %}
@@ -21,7 +21,7 @@
         {% endif %}
     {% endfor %}
     <li{% if not pagination.has_next %} class="disabled"{% endif %}>
-        <a href="{% if pagination.has_next %}{{ url_for(endpoint, page=pagination.next_num, **kwargs) }}{% else %}#{% endif %}">
+        <a href="{% if pagination.has_next %}{{ url_for(endpoint, page=pagination.next_num, **kwargs) }}{{ fragment }}{% else %}#{% endif %}">
             &raquo;
         </a>
     </li>
diff --git a/app/templates/_posts.html b/app/templates/_posts.html
index 596a8b4e6..399b46ffd 100644
--- a/app/templates/_posts.html
+++ b/app/templates/_posts.html
@@ -29,6 +29,9 @@
                 <a href="{{ url_for('.post', id=post.id) }}">
                     <span class="label label-default">Permalink</span>
                 </a>
+                <a href="{{ url_for('.post', id=post.id) }}#comments">
+                    <span class="label label-primary">{{ post.comments.count() }} Comments</span>
+                </a>
             </div>
         </div>
     </li>
diff --git a/app/templates/base.html b/app/templates/base.html
index edd5640f2..fb0139cb1 100644
--- a/app/templates/base.html
+++ b/app/templates/base.html
@@ -29,6 +29,9 @@
                 {% endif %}
             </ul>
             <ul class="nav navbar-nav navbar-right">
+                {% if current_user.can(Permission.MODERATE) %}
+                <li><a href="{{ url_for('main.moderate') }}">Moderate Comments</a></li>
+                {% endif %}
                 {% if current_user.is_authenticated %}
                 <li class="dropdown">
                     <a href="#" class="dropdown-toggle" data-toggle="dropdown">
diff --git a/app/templates/followers.html b/app/templates/followers.html
index c5dbbb12c..6062868f7 100644
--- a/app/templates/followers.html
+++ b/app/templates/followers.html
@@ -10,6 +10,7 @@ <h1>{{ title }} {{ user.username }}</h1>
 <table class="table table-hover followers">
     <thead><tr><th>User</th><th>Since</th></tr></thead>
     {% for follow in follows %}
+    {% if follow.user != user %}
     <tr>
         <td>
             <a href="{{ url_for('.user', username = follow.user.username) }}">
@@ -19,6 +20,7 @@ <h1>{{ title }} {{ user.username }}</h1>
         </td>
         <td>{{ moment(follow.timestamp).format('L') }}</td>
     </tr>
+    {% endif %}
     {% endfor %}
 </table>
 <div class="pagination">
diff --git a/app/templates/index.html b/app/templates/index.html
index c1334588e..32c76e0f7 100644
--- a/app/templates/index.html
+++ b/app/templates/index.html
@@ -13,7 +13,15 @@ <h1>Hello, {% if current_user.is_authenticated %}{{ current_user.username }}{% e
     {{ wtf.quick_form(form) }}
     {% endif %}
 </div>
-{% include '_posts.html' %}
+<div class="post-tabs">
+    <ul class="nav nav-tabs">
+        <li{% if not show_followed %} class="active"{% endif %}><a href="{{ url_for('.show_all') }}">All</a></li>
+        {% if current_user.is_authenticated %}
+        <li{% if show_followed %} class="active"{% endif %}><a href="{{ url_for('.show_followed') }}">Followers</a></li>
+        {% endif %}
+    </ul>
+    {% include '_posts.html' %}
+</div>
 {% if pagination %}
 <div class="pagination">
     {{ macros.pagination_widget(pagination, '.index') }}
diff --git a/app/templates/moderate.html b/app/templates/moderate.html
new file mode 100644
index 000000000..3f04f9ac7
--- /dev/null
+++ b/app/templates/moderate.html
@@ -0,0 +1,17 @@
+{% extends "base.html" %}
+{% import "_macros.html" as macros %}
+
+{% block title %}Flasky - Comment Moderation{% endblock %}
+
+{% block page_content %}
+<div class="page-header">
+    <h1>Comment Moderation</h1>
+</div>
+{% set moderate = True %}
+{% include '_comments.html' %}
+{% if pagination %}
+<div class="pagination">
+    {{ macros.pagination_widget(pagination, '.moderate') }}
+</div>
+{% endif %}
+{% endblock %}
diff --git a/app/templates/post.html b/app/templates/post.html
index adbe2f30b..c52c053c3 100644
--- a/app/templates/post.html
+++ b/app/templates/post.html
@@ -1,8 +1,21 @@
 {% extends "base.html" %}
+{% import "bootstrap/wtf.html" as wtf %}
 {% import "_macros.html" as macros %}
 
 {% block title %}Flasky - Post{% endblock %}
 
 {% block page_content %}
 {% include '_posts.html' %}
+<h4 id="comments">Comments</h4>
+{% if current_user.can(Permission.COMMENT) %}
+<div class="comment-form">
+    {{ wtf.quick_form(form) }}
+</div>
+{% endif %}
+{% include '_comments.html' %}
+{% if pagination %}
+<div class="pagination">
+    {{ macros.pagination_widget(pagination, '.post', fragment='#comments', id=posts[0].id) }}
+</div>
+{% endif %}
 {% endblock %}
diff --git a/app/templates/user.html b/app/templates/user.html
index a71eb64b6..80e865e4b 100644
--- a/app/templates/user.html
+++ b/app/templates/user.html
@@ -21,7 +21,7 @@ <h1>{{ user.username }}</h1>
         {% endif %}
         {% if user.about_me %}<p>{{ user.about_me }}</p>{% endif %}
         <p>Member since {{ moment(user.member_since).format('L') }}. Last seen {{ moment(user.last_seen).fromNow() }}.</p>
-        <p>{{ user.posts.count() }} blog posts.</p>
+        <p>{{ user.posts.count() }} blog posts. {{ user.comments.count() }} comments.</p>
         <p>
             {% if current_user.can(Permission.FOLLOW) and user != current_user %}
                 {% if not current_user.is_following(user) %}
@@ -30,8 +30,8 @@ <h1>{{ user.username }}</h1>
                 <a href="{{ url_for('.unfollow', username=user.username) }}" class="btn btn-default">Unfollow</a>
                 {% endif %}
             {% endif %}
-            <a href="{{ url_for('.followers', username=user.username) }}">Followers: <span class="badge">{{ user.followers.count() }}</span></a>
-            <a href="{{ url_for('.followed_by', username=user.username) }}">Following: <span class="badge">{{ user.followed.count() }}</span></a>
+            <a href="{{ url_for('.followers', username=user.username) }}">Followers: <span class="badge">{{ user.followers.count() - 1 }}</span></a>
+            <a href="{{ url_for('.followed_by', username=user.username) }}">Following: <span class="badge">{{ user.followed.count() - 1 }}</span></a>
             {% if current_user.is_authenticated and user != current_user and user.is_following(current_user) %}
             | <span class="label label-default">Follows you</span>
             {% endif %}
diff --git a/boot.sh b/boot.sh
new file mode 100755
index 000000000..a6ca9f900
--- /dev/null
+++ b/boot.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+source venv/bin/activate
+
+while true; do
+    flask deploy
+    if [[ "$?" == "0" ]]; then
+        break
+    fi
+    echo Deploy command failed, retrying in 5 secs...
+    sleep 5
+done
+
+exec gunicorn -b :5000 --access-logfile - --error-logfile - flasky:app
diff --git a/config.py b/config.py
index 1ac398f5f..47cab7331 100644
--- a/config.py
+++ b/config.py
@@ -13,9 +13,13 @@ class Config:
     FLASKY_MAIL_SUBJECT_PREFIX = '[Flasky]'
     FLASKY_MAIL_SENDER = 'Flasky Admin <flasky@example.com>'
     FLASKY_ADMIN = os.environ.get('FLASKY_ADMIN')
+    SSL_REDIRECT = False
     SQLALCHEMY_TRACK_MODIFICATIONS = False
+    SQLALCHEMY_RECORD_QUERIES = True
     FLASKY_POSTS_PER_PAGE = 20
     FLASKY_FOLLOWERS_PER_PAGE = 50
+    FLASKY_COMMENTS_PER_PAGE = 30
+    FLASKY_SLOW_DB_QUERY_TIME = 0.5
 
     @staticmethod
     def init_app(app):
@@ -32,17 +36,89 @@ class TestingConfig(Config):
     TESTING = True
     SQLALCHEMY_DATABASE_URI = os.environ.get('TEST_DATABASE_URL') or \
         'sqlite://'
+    WTF_CSRF_ENABLED = False
 
 
 class ProductionConfig(Config):
     SQLALCHEMY_DATABASE_URI = os.environ.get('DATABASE_URL') or \
         'sqlite:///' + os.path.join(basedir, 'data.sqlite')
 
+    @classmethod
+    def init_app(cls, app):
+        Config.init_app(app)
+
+        # email errors to the administrators
+        import logging
+        from logging.handlers import SMTPHandler
+        credentials = None
+        secure = None
+        if getattr(cls, 'MAIL_USERNAME', None) is not None:
+            credentials = (cls.MAIL_USERNAME, cls.MAIL_PASSWORD)
+            if getattr(cls, 'MAIL_USE_TLS', None):
+                secure = ()
+        mail_handler = SMTPHandler(
+            mailhost=(cls.MAIL_SERVER, cls.MAIL_PORT),
+            fromaddr=cls.FLASKY_MAIL_SENDER,
+            toaddrs=[cls.FLASKY_ADMIN],
+            subject=cls.FLASKY_MAIL_SUBJECT_PREFIX + ' Application Error',
+            credentials=credentials,
+            secure=secure)
+        mail_handler.setLevel(logging.ERROR)
+        app.logger.addHandler(mail_handler)
+
+
+class HerokuConfig(ProductionConfig):
+    SSL_REDIRECT = True if os.environ.get('DYNO') else False
+
+    @classmethod
+    def init_app(cls, app):
+        ProductionConfig.init_app(app)
+
+        # handle reverse proxy server headers
+        from werkzeug.contrib.fixers import ProxyFix
+        app.wsgi_app = ProxyFix(app.wsgi_app)
+
+        # log to stderr
+        import logging
+        from logging import StreamHandler
+        file_handler = StreamHandler()
+        file_handler.setLevel(logging.INFO)
+        app.logger.addHandler(file_handler)
+
+
+class DockerConfig(ProductionConfig):
+    @classmethod
+    def init_app(cls, app):
+        ProductionConfig.init_app(app)
+
+        # log to stderr
+        import logging
+        from logging import StreamHandler
+        file_handler = StreamHandler()
+        file_handler.setLevel(logging.INFO)
+        app.logger.addHandler(file_handler)
+
+
+class UnixConfig(ProductionConfig):
+    @classmethod
+    def init_app(cls, app):
+        ProductionConfig.init_app(app)
+
+        # log to syslog
+        import logging
+        from logging.handlers import SysLogHandler
+        syslog_handler = SysLogHandler()
+        syslog_handler.setLevel(logging.INFO)
+        app.logger.addHandler(syslog_handler)
+
 
 config = {
     'development': DevelopmentConfig,
     'testing': TestingConfig,
     'production': ProductionConfig,
+    'heroku': HerokuConfig,
+    'docker': DockerConfig,
+    'unix': UnixConfig,
 
     'default': DevelopmentConfig
 }
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 000000000..858fa3eda
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '3'
+services:
+  flasky:
+    build: .
+    ports:
+      - "8000:5000"
+    env_file: .env
+    restart: always
+    links:
+      - mysql:dbserver
+  mysql:
+    image: "mysql/mysql-server:5.7"
+    env_file: .env-mysql
+    restart: always
diff --git a/flasky.py b/flasky.py
index f2c7411e7..a2ec114ff 100644
--- a/flasky.py
+++ b/flasky.py
@@ -1,8 +1,21 @@
 import os
+from dotenv import load_dotenv
+
+dotenv_path = os.path.join(os.path.dirname(__file__), '.env')
+if os.path.exists(dotenv_path):
+    load_dotenv(dotenv_path)
+
+COV = None
+if os.environ.get('FLASK_COVERAGE'):
+    import coverage
+    COV = coverage.coverage(branch=True, include='app/*')
+    COV.start()
+
+import sys
 import click
-from flask_migrate import Migrate
+from flask_migrate import Migrate, upgrade
 from app import create_app, db
-from app.models import User, Follow, Role, Permission, Post
+from app.models import User, Follow, Role, Permission, Post, Comment
 
 app = create_app(os.getenv('FLASK_CONFIG') or 'default')
 migrate = Migrate(app, db)
@@ -11,16 +24,59 @@
 @app.shell_context_processor
 def make_shell_context():
     return dict(db=db, User=User, Follow=Follow, Role=Role,
-                Permission=Permission, Post=Post)
+                Permission=Permission, Post=Post, Comment=Comment)
 
 
 @app.cli.command()
+@click.option('--coverage/--no-coverage', default=False,
+              help='Run tests under code coverage.')
 @click.argument('test_names', nargs=-1)
-def test(test_names):
+def test(coverage, test_names):
     """Run the unit tests."""
+    if coverage and not os.environ.get('FLASK_COVERAGE'):
+        import subprocess
+        os.environ['FLASK_COVERAGE'] = '1'
+        sys.exit(subprocess.call(sys.argv))
+
     import unittest
     if test_names:
         tests = unittest.TestLoader().loadTestsFromNames(test_names)
     else:
         tests = unittest.TestLoader().discover('tests')
     unittest.TextTestRunner(verbosity=2).run(tests)
+    if COV:
+        COV.stop()
+        COV.save()
+        print('Coverage Summary:')
+        COV.report()
+        basedir = os.path.abspath(os.path.dirname(__file__))
+        covdir = os.path.join(basedir, 'tmp/coverage')
+        COV.html_report(directory=covdir)
+        print('HTML version: file://%s/index.html' % covdir)
+        COV.erase()
+
+
+@app.cli.command()
+@click.option('--length', default=25,
+              help='Number of functions to include in the profiler report.')
+@click.option('--profile-dir', default=None,
+              help='Directory where profiler data files are saved.')
+def profile(length, profile_dir):
+    """Start the application under the code profiler."""
+    from werkzeug.contrib.profiler import ProfilerMiddleware
+    app.wsgi_app = ProfilerMiddleware(app.wsgi_app, restrictions=[length],
+                                      profile_dir=profile_dir)
+    app.run()
+
+
+@app.cli.command()
+def deploy():
+    """Run deployment tasks."""
+    # migrate database to latest revision
+    upgrade()
+
+    # create or update user roles
+    Role.insert_roles()
+
+    # ensure all users are following themselves
+    User.add_self_follows()
diff --git a/migrations/versions/51f5ccfba190_comments.py b/migrations/versions/51f5ccfba190_comments.py
new file mode 100644
index 000000000..a4b8586b4
--- /dev/null
+++ b/migrations/versions/51f5ccfba190_comments.py
@@ -0,0 +1,39 @@
+"""comments
+
+Revision ID: 51f5ccfba190
+Revises: 2356a38169ea
+Create Date: 2014-01-01 12:08:43.287523
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '51f5ccfba190'
+down_revision = '2356a38169ea'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('comments',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('body', sa.Text(), nullable=True),
+    sa.Column('body_html', sa.Text(), nullable=True),
+    sa.Column('timestamp', sa.DateTime(), nullable=True),
+    sa.Column('disabled', sa.Boolean(), nullable=True),
+    sa.Column('author_id', sa.Integer(), nullable=True),
+    sa.Column('post_id', sa.Integer(), nullable=True),
+    sa.ForeignKeyConstraint(['author_id'], ['users.id'], ),
+    sa.ForeignKeyConstraint(['post_id'], ['posts.id'], ),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('ix_comments_timestamp', 'comments', ['timestamp'], unique=False)
+    ### end Alembic commands ###
+
+
+def downgrade():
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index('ix_comments_timestamp', 'comments')
+    op.drop_table('comments')
+    ### end Alembic commands ###
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 000000000..e8858f6cb
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+# this requirements file is used by Heroku
+# requirements for other configurations are located in the requirements subdirectory
+-r requirements/heroku.txt
diff --git a/requirements/common.txt b/requirements/common.txt
index 5c4c4631d..b880158ef 100644
--- a/requirements/common.txt
+++ b/requirements/common.txt
@@ -1,10 +1,11 @@
 alembic==0.9.3
-bleach==2.0.0
+bleach==3.1.4
 blinker==1.4
 click==6.7
 dominate==2.3.1
 Flask==0.12.2
 Flask-Bootstrap==3.3.7.1
+Flask-HTTPAuth==3.2.3
 Flask-Login==0.4.0
 Flask-Mail==0.9.1
 Flask-Migrate==2.0.4
@@ -19,6 +20,7 @@ Mako==1.0.7
 Markdown==2.6.8
 MarkupSafe==1.1.1
 python-dateutil==2.6.1
+python-dotenv==0.6.5
 python-editor==1.0.3
 six==1.10.0
 SQLAlchemy==1.1.11
diff --git a/requirements/dev.txt b/requirements/dev.txt
index 7044abc86..f696fe23c 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -1,2 +1,11 @@
 -r common.txt
+certifi==2017.7.27.1
+chardet==3.0.4
+coverage==4.4.1
 faker==0.7.18
+httpie==0.9.9
+idna==2.5
+Pygments==2.2.0
+requests==2.18.2
+selenium==3.4.3
+urllib3==1.22
diff --git a/requirements/docker.txt b/requirements/docker.txt
new file mode 100644
index 000000000..0aecafcad
--- /dev/null
+++ b/requirements/docker.txt
@@ -0,0 +1,3 @@
+-r common.txt
+gunicorn==19.7.1
+pymysql==0.7.11
diff --git a/requirements/heroku.txt b/requirements/heroku.txt
new file mode 100644
index 000000000..ada4e3a35
--- /dev/null
+++ b/requirements/heroku.txt
@@ -0,0 +1,4 @@
+-r prod.txt
+Flask-SSLify==0.1.5
+gunicorn==19.7.1
+psycopg2==2.7.3
diff --git a/tests/test_api.py b/tests/test_api.py
new file mode 100644
index 000000000..666d3c707
--- /dev/null
+++ b/tests/test_api.py
@@ -0,0 +1,264 @@
+import unittest
+import json
+import re
+from base64 import b64encode
+from app import create_app, db
+from app.models import User, Role, Post, Comment
+
+
+class APITestCase(unittest.TestCase):
+    def setUp(self):
+        self.app = create_app('testing')
+        self.app_context = self.app.app_context()
+        self.app_context.push()
+        db.create_all()
+        Role.insert_roles()
+        self.client = self.app.test_client()
+
+    def tearDown(self):
+        db.session.remove()
+        db.drop_all()
+        self.app_context.pop()
+
+    def get_api_headers(self, username, password):
+        return {
+            'Authorization': 'Basic ' + b64encode(
+                (username + ':' + password).encode('utf-8')).decode('utf-8'),
+            'Accept': 'application/json',
+            'Content-Type': 'application/json'
+        }
+
+    def test_404(self):
+        response = self.client.get(
+            '/wrong/url',
+            headers=self.get_api_headers('email', 'password'))
+        self.assertEqual(response.status_code, 404)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertEqual(json_response['error'], 'not found')
+
+    def test_no_auth(self):
+        response = self.client.get('/api/v1/posts/',
+                                   content_type='application/json')
+        self.assertEqual(response.status_code, 401)
+
+    def test_bad_auth(self):
+        # add a user
+        r = Role.query.filter_by(name='User').first()
+        self.assertIsNotNone(r)
+        u = User(email='john@example.com', password='cat', confirmed=True,
+                 role=r)
+        db.session.add(u)
+        db.session.commit()
+
+        # authenticate with bad password
+        response = self.client.get(
+            '/api/v1/posts/',
+            headers=self.get_api_headers('john@example.com', 'dog'))
+        self.assertEqual(response.status_code, 401)
+
+    def test_token_auth(self):
+        # add a user
+        r = Role.query.filter_by(name='User').first()
+        self.assertIsNotNone(r)
+        u = User(email='john@example.com', password='cat', confirmed=True,
+                 role=r)
+        db.session.add(u)
+        db.session.commit()
+
+        # issue a request with a bad token
+        response = self.client.get(
+            '/api/v1/posts/',
+            headers=self.get_api_headers('bad-token', ''))
+        self.assertEqual(response.status_code, 401)
+
+        # get a token
+        response = self.client.post(
+            '/api/v1/tokens/',
+            headers=self.get_api_headers('john@example.com', 'cat'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertIsNotNone(json_response.get('token'))
+        token = json_response['token']
+
+        # issue a request with the token
+        response = self.client.get(
+            '/api/v1/posts/',
+            headers=self.get_api_headers(token, ''))
+        self.assertEqual(response.status_code, 200)
+
+    def test_anonymous(self):
+        response = self.client.get(
+            '/api/v1/posts/',
+            headers=self.get_api_headers('', ''))
+        self.assertEqual(response.status_code, 401)
+
+    def test_unconfirmed_account(self):
+        # add an unconfirmed user
+        r = Role.query.filter_by(name='User').first()
+        self.assertIsNotNone(r)
+        u = User(email='john@example.com', password='cat', confirmed=False,
+                 role=r)
+        db.session.add(u)
+        db.session.commit()
+
+        # get list of posts with the unconfirmed account
+        response = self.client.get(
+            '/api/v1/posts/',
+            headers=self.get_api_headers('john@example.com', 'cat'))
+        self.assertEqual(response.status_code, 403)
+
+    def test_posts(self):
+        # add a user
+        r = Role.query.filter_by(name='User').first()
+        self.assertIsNotNone(r)
+        u = User(email='john@example.com', password='cat', confirmed=True,
+                 role=r)
+        db.session.add(u)
+        db.session.commit()
+
+        # write an empty post
+        response = self.client.post(
+            '/api/v1/posts/',
+            headers=self.get_api_headers('john@example.com', 'cat'),
+            data=json.dumps({'body': ''}))
+        self.assertEqual(response.status_code, 400)
+
+        # write a post
+        response = self.client.post(
+            '/api/v1/posts/',
+            headers=self.get_api_headers('john@example.com', 'cat'),
+            data=json.dumps({'body': 'body of the *blog* post'}))
+        self.assertEqual(response.status_code, 201)
+        url = response.headers.get('Location')
+        self.assertIsNotNone(url)
+
+        # get the new post
+        response = self.client.get(
+            url,
+            headers=self.get_api_headers('john@example.com', 'cat'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertEqual('http://localhost' + json_response['url'], url)
+        self.assertEqual(json_response['body'], 'body of the *blog* post')
+        self.assertEqual(json_response['body_html'],
+                        '<p>body of the <em>blog</em> post</p>')
+        json_post = json_response
+
+        # get the post from the user
+        response = self.client.get(
+            '/api/v1/users/{}/posts/'.format(u.id),
+            headers=self.get_api_headers('john@example.com', 'cat'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertIsNotNone(json_response.get('posts'))
+        self.assertEqual(json_response.get('count', 0), 1)
+        self.assertEqual(json_response['posts'][0], json_post)
+
+        # get the post from the user as a follower
+        response = self.client.get(
+            '/api/v1/users/{}/timeline/'.format(u.id),
+            headers=self.get_api_headers('john@example.com', 'cat'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertIsNotNone(json_response.get('posts'))
+        self.assertEqual(json_response.get('count', 0), 1)
+        self.assertEqual(json_response['posts'][0], json_post)
+
+        # edit post
+        response = self.client.put(
+            url,
+            headers=self.get_api_headers('john@example.com', 'cat'),
+            data=json.dumps({'body': 'updated body'}))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertEqual('http://localhost' + json_response['url'], url)
+        self.assertEqual(json_response['body'], 'updated body')
+        self.assertEqual(json_response['body_html'], '<p>updated body</p>')
+
+    def test_users(self):
+        # add two users
+        r = Role.query.filter_by(name='User').first()
+        self.assertIsNotNone(r)
+        u1 = User(email='john@example.com', username='john',
+                  password='cat', confirmed=True, role=r)
+        u2 = User(email='susan@example.com', username='susan',
+                  password='dog', confirmed=True, role=r)
+        db.session.add_all([u1, u2])
+        db.session.commit()
+
+        # get users
+        response = self.client.get(
+            '/api/v1/users/{}'.format(u1.id),
+            headers=self.get_api_headers('susan@example.com', 'dog'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertEqual(json_response['username'], 'john')
+        response = self.client.get(
+            '/api/v1/users/{}'.format(u2.id),
+            headers=self.get_api_headers('susan@example.com', 'dog'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertEqual(json_response['username'], 'susan')
+
+    def test_comments(self):
+        # add two users
+        r = Role.query.filter_by(name='User').first()
+        self.assertIsNotNone(r)
+        u1 = User(email='john@example.com', username='john',
+                  password='cat', confirmed=True, role=r)
+        u2 = User(email='susan@example.com', username='susan',
+                  password='dog', confirmed=True, role=r)
+        db.session.add_all([u1, u2])
+        db.session.commit()
+
+        # add a post
+        post = Post(body='body of the post', author=u1)
+        db.session.add(post)
+        db.session.commit()
+
+        # write a comment
+        response = self.client.post(
+            '/api/v1/posts/{}/comments/'.format(post.id),
+            headers=self.get_api_headers('susan@example.com', 'dog'),
+            data=json.dumps({'body': 'Good [post](http://example.com)!'}))
+        self.assertEqual(response.status_code, 201)
+        json_response = json.loads(response.get_data(as_text=True))
+        url = response.headers.get('Location')
+        self.assertIsNotNone(url)
+        self.assertEqual(json_response['body'],
+                        'Good [post](http://example.com)!')
+        self.assertEqual(
+            re.sub('<.*?>', '', json_response['body_html']), 'Good post!')
+
+        # get the new comment
+        response = self.client.get(
+            url,
+            headers=self.get_api_headers('john@example.com', 'cat'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertEqual('http://localhost' + json_response['url'], url)
+        self.assertEqual(json_response['body'],
+                        'Good [post](http://example.com)!')
+
+        # add another comment
+        comment = Comment(body='Thank you!', author=u1, post=post)
+        db.session.add(comment)
+        db.session.commit()
+
+        # get the two comments from the post
+        response = self.client.get(
+            '/api/v1/posts/{}/comments/'.format(post.id),
+            headers=self.get_api_headers('susan@example.com', 'dog'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertIsNotNone(json_response.get('comments'))
+        self.assertEqual(json_response.get('count', 0), 2)
+
+        # get all the comments
+        response = self.client.get(
+            '/api/v1/posts/{}/comments/'.format(post.id),
+            headers=self.get_api_headers('susan@example.com', 'dog'))
+        self.assertEqual(response.status_code, 200)
+        json_response = json.loads(response.get_data(as_text=True))
+        self.assertIsNotNone(json_response.get('comments'))
+        self.assertEqual(json_response.get('count', 0), 2)
diff --git a/tests/test_client.py b/tests/test_client.py
new file mode 100644
index 000000000..bc6f5ca75
--- /dev/null
+++ b/tests/test_client.py
@@ -0,0 +1,62 @@
+import re
+import unittest
+from app import create_app, db
+from app.models import User, Role
+
+class FlaskClientTestCase(unittest.TestCase):
+    def setUp(self):
+        self.app = create_app('testing')
+        self.app_context = self.app.app_context()
+        self.app_context.push()
+        db.create_all()
+        Role.insert_roles()
+        self.client = self.app.test_client(use_cookies=True)
+
+    def tearDown(self):
+        db.session.remove()
+        db.drop_all()
+        self.app_context.pop()
+
+    def test_home_page(self):
+        response = self.client.get('/')
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue('Stranger' in response.get_data(as_text=True))
+
+    def test_register_and_login(self):
+        # register a new account
+        response = self.client.post('/auth/register', data={
+            'email': 'john@example.com',
+            'username': 'john',
+            'password': 'cat',
+            'password2': 'cat'
+        })
+        self.assertEqual(response.status_code, 302)
+
+        # login with the new account
+        response = self.client.post('/auth/login', data={
+            'email': 'john@example.com',
+            'password': 'cat'
+        }, follow_redirects=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue(re.search('Hello,\s+john!',
+                                  response.get_data(as_text=True)))
+        self.assertTrue(
+            'You have not confirmed your account yet' in response.get_data(
+                as_text=True))
+
+        # send a confirmation token
+        user = User.query.filter_by(email='john@example.com').first()
+        token = user.generate_confirmation_token()
+        response = self.client.get('/auth/confirm/{}'.format(token),
+                                   follow_redirects=True)
+        user.confirm(token)
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue(
+            'You have confirmed your account' in response.get_data(
+                as_text=True))
+
+        # log out
+        response = self.client.get('/auth/logout', follow_redirects=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue('You have been logged out' in response.get_data(
+            as_text=True))
diff --git a/tests/test_selenium.py b/tests/test_selenium.py
new file mode 100644
index 000000000..f0eb00ffc
--- /dev/null
+++ b/tests/test_selenium.py
@@ -0,0 +1,98 @@
+import re
+import threading
+import time
+import unittest
+from selenium import webdriver
+from app import create_app, db, fake
+from app.models import Role, User, Post
+
+
+class SeleniumTestCase(unittest.TestCase):
+    client = None
+    
+    @classmethod
+    def setUpClass(cls):
+        # start Chrome
+        options = webdriver.ChromeOptions()
+        options.add_argument('headless')
+        try:
+            cls.client = webdriver.Chrome(chrome_options=options)
+        except:
+            pass
+
+        # skip these tests if the browser could not be started
+        if cls.client:
+            # create the application
+            cls.app = create_app('testing')
+            cls.app_context = cls.app.app_context()
+            cls.app_context.push()
+
+            # suppress logging to keep unittest output clean
+            import logging
+            logger = logging.getLogger('werkzeug')
+            logger.setLevel("ERROR")
+
+            # create the database and populate with some fake data
+            db.create_all()
+            Role.insert_roles()
+            fake.users(10)
+            fake.posts(10)
+
+            # add an administrator user
+            admin_role = Role.query.filter_by(name='Administrator').first()
+            admin = User(email='john@example.com',
+                         username='john', password='cat',
+                         role=admin_role, confirmed=True)
+            db.session.add(admin)
+            db.session.commit()
+
+            # start the Flask server in a thread
+            cls.server_thread = threading.Thread(target=cls.app.run,
+                                                 kwargs={'debug': False})
+            cls.server_thread.start()
+
+            # give the server a second to ensure it is up
+            time.sleep(1) 
+
+    @classmethod
+    def tearDownClass(cls):
+        if cls.client:
+            # stop the flask server and the browser
+            cls.client.get('http://localhost:5000/shutdown')
+            cls.client.quit()
+            cls.server_thread.join()
+
+            # destroy database
+            db.drop_all()
+            db.session.remove()
+
+            # remove application context
+            cls.app_context.pop()
+
+    def setUp(self):
+        if not self.client:
+            self.skipTest('Web browser not available')
+
+    def tearDown(self):
+        pass
+    
+    def test_admin_home_page(self):
+        # navigate to home page
+        self.client.get('http://localhost:5000/')
+        self.assertTrue(re.search('Hello,\s+Stranger!',
+                                  self.client.page_source))
+
+        # navigate to login page
+        self.client.find_element_by_link_text('Log In').click()
+        self.assertIn('<h1>Login</h1>', self.client.page_source)
+
+        # login
+        self.client.find_element_by_name('email').\
+            send_keys('john@example.com')
+        self.client.find_element_by_name('password').send_keys('cat')
+        self.client.find_element_by_name('submit').click()
+        self.assertTrue(re.search('Hello,\s+john!', self.client.page_source))
+
+        # navigate to the user's profile page
+        self.client.find_element_by_link_text('Profile').click()
+        self.assertIn('<h1>john</h1>', self.client.page_source)
diff --git a/tests/test_user_model.py b/tests/test_user_model.py
index fc5a3aeb6..526abdbdd 100644
--- a/tests/test_user_model.py
+++ b/tests/test_user_model.py
@@ -186,8 +186,8 @@ def test_follows(self):
         self.assertTrue(u1.is_following(u2))
         self.assertFalse(u1.is_followed_by(u2))
         self.assertTrue(u2.is_followed_by(u1))
-        self.assertTrue(u1.followed.count() == 1)
-        self.assertTrue(u2.followers.count() == 1)
+        self.assertTrue(u1.followed.count() == 2)
+        self.assertTrue(u2.followers.count() == 2)
         f = u1.followed.all()[-1]
         self.assertTrue(f.followed == u2)
         self.assertTrue(timestamp_before <= f.timestamp <= timestamp_after)
@@ -196,13 +196,24 @@ def test_follows(self):
         u1.unfollow(u2)
         db.session.add(u1)
         db.session.commit()
-        self.assertTrue(u1.followed.count() == 0)
-        self.assertTrue(u2.followers.count() == 0)
-        self.assertTrue(Follow.query.count() == 0)
+        self.assertTrue(u1.followed.count() == 1)
+        self.assertTrue(u2.followers.count() == 1)
+        self.assertTrue(Follow.query.count() == 2)
         u2.follow(u1)
         db.session.add(u1)
         db.session.add(u2)
         db.session.commit()
         db.session.delete(u2)
         db.session.commit()
-        self.assertTrue(Follow.query.count() == 0)
+        self.assertTrue(Follow.query.count() == 1)
+
+    def test_to_json(self):
+        u = User(email='john@example.com', password='cat')
+        db.session.add(u)
+        db.session.commit()
+        with self.app.test_request_context('/'):
+            json_user = u.to_json()
+        expected_keys = ['url', 'username', 'member_since', 'last_seen',
+                         'posts_url', 'followed_posts_url', 'post_count']
+        self.assertEqual(sorted(json_user.keys()), sorted(expected_keys))
+        self.assertEqual('/api/v1/users/' + str(u.id), json_user['url'])