One I would like to add is to create cryptographically secure random number as a reset token. Make sure you have something that can’t be guessed by an attacker.
So let me explicitly state:
I use strace -p <PID> for debugging a web server on a Linux machine. Especially for operations that explicitly involve the file system and see which files are being read.
strace -p <PID>