Authentication

1. What did you struggle with when adding authorization to your back end?

- I struggled with figuring out where to check if the user is logged in and making sure the routes return the right error when someone isn't authenticated.
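One way to answer both halves of that question, as an added example that is not the project's own code: put the logged-in check in a single Express-style middleware that runs before every protected route, and keep "not logged in" (401) separate from "logged in but not allowed" (403). The session store, cookie name (`sid`) and the fake request/response used to drive it offline are assumptions.

```javascript
// Added example (not the project's code). Express-style middleware that
// decides, in one place, whether a request is authenticated. The session
// table, the `sid` cookie name and the sample sessions are constructed.
const sessions = new Map([
  ['s3ss10n-abc', { userId: 42, role: 'user' }],
  ['s3ss10n-adm', { userId: 1, role: 'admin' }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Runs before every protected route: attaches req.user or ends the request
// with 401. Because it is middleware, no individual route can forget it.
function requireAuth(req, res, next) {
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid && sessions.get(sid);
  if (!session) {
    res.status(401).json({ error: 'not authenticated' }); // 401: not logged in at all
    return;
  }
  req.user = session;
  next();
}

// Separate check for permission: the user IS logged in but not allowed.
function requireRole(role) {
  return (req, res, next) => {
    if (req.user.role !== role) {
      res.status(403).json({ error: 'forbidden' }); // 403: logged in, not authorized
      return;
    }
    next();
  };
}

// Tiny fake res so the middleware chain can be exercised without Express.
function runChain(middlewares, req) {
  const res = {
    statusCode: 200, body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Route handler at the end of the chain; only reached when both checks pass.
function adminHandler(req, res) {
  res.status(200).json({ ok: true, userId: req.user.userId });
}

// Equivalent of: app.get('/api/admin', requireAuth, requireRole('admin'), adminHandler)
function tryAdmin(cookieHeader) {
  return runChain([requireAuth, requireRole('admin'), adminHandler], { headers: { cookie: cookieHeader } });
}
```

With a real Express app the same chain is registered as `app.get('/api/admin', requireAuth, requireRole('admin'), adminHandler)`, or `app.use('/api', requireAuth)` to protect a whole prefix at once.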

2. What did you struggle with when adding authorization to your front end?

- It was confusing to keep the UI updated based on login state and to handle cases where the API says the user is not logged in.
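An added example (not the project's code) of the front-end side: a small auth store that the UI subscribes to, plus a fetch wrapper that logs the user out the moment the API answers 401, so the UI can never stay "logged in" after the server has decided otherwise. The fake `fetch` implementation and the `/api/me` endpoint are constructed so the example runs offline.

```javascript
// Added example (not the project's code): auth state kept in one store that
// UI code subscribes to, and an API client that clears it on 401.
function createAuthStore() {
  let user = null;
  const listeners = new Set();
  return {
    get user() { return user; },
    setUser(u) { user = u; listeners.forEach((fn) => fn(user)); },
    subscribe(fn) { listeners.add(fn); return () => listeners.delete(fn); },
  };
}

// `fetchImpl` is injected so a fake can stand in for the browser's fetch.
function createApiClient(store, fetchImpl) {
  return async function apiFetch(path, options = {}) {
    const res = await fetchImpl(path, { credentials: 'include', ...options });
    if (res.status === 401) {
      // The server is the source of truth: drop local login state at once.
      store.setUser(null);
      throw new Error('not authenticated');
    }
    return res.json();
  };
}

// Constructed fake server: /api/me answers 401 once the session is gone.
function fakeFetchFactory(state) {
  return async (path) => {
    if (path === '/api/me' && !state.loggedIn) {
      return { status: 401, json: async () => ({ error: 'not authenticated' }) };
    }
    return { status: 200, json: async () => ({ id: 42, name: 'alice' }) };
  };
}

// Walks through login, a server-side session expiry, and the UI reaction.
// Returns what the subscribed "renderer" produced, in order.
async function demo() {
  const server = { loggedIn: true };
  const store = createAuthStore();
  const rendered = [];
  store.subscribe((u) => rendered.push(u ? `hello ${u.name}` : 'please log in'));
  const api = createApiClient(store, fakeFetchFactory(server));
  store.setUser(await api('/api/me'));   // UI renders "hello alice"
  server.loggedIn = false;               // session expired on the server
  try { await api('/api/me'); } catch (e) { /* store already reset to null */ }
  return rendered;
}
```

In a React app the store would be exposed through context and `subscribe` would be wired to `useSyncExternalStore` or a state setter; the important part is that every component reads login state from one place and that place is reset by the API client, not by individual screens.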

Deployment

1. What did you struggle with when deploying your app to the internet?

- I had trouble understanding how the React build, the Node server, and Caddy connect together, and I had to figure out where build files and the database should be on the server.
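The way those three pieces usually fit together, as an added example (not the project's own configuration): Caddy terminates TLS on the public port, serves the React build as static files, and proxies only `/api/*` to the Node process, which listens on localhost. The domain, the build directory `/srv/app/client/dist`, and port 3000 are assumptions.

```caddyfile
example.com {
    # Static React build output (assumed path). Keep the database file and
    # any secrets OUTSIDE this directory: everything under root is public.
    root * /srv/app/client/dist

    # API traffic goes to the Node server, which should bind 127.0.0.1 only
    # so it is never reachable except through Caddy.
    handle /api/* {
        reverse_proxy 127.0.0.1:3000
    }

    # Everything else is the single-page app: serve the file if it exists,
    # otherwise fall back to index.html so client-side routes work.
    handle {
        try_files {path} /index.html
        file_server
    }
}
```

Caddy obtains and renews the certificate for the named host automatically. The Node server never has to deal with TLS, but because it now sits behind a proxy, it only sees Caddy's address unless it is told to trust the `X-Forwarded-*` headers (in Express, `app.set('trust proxy', 1)`), which matters for anything keyed on the client IP.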

Security audit

1. If your app was vulnerable to XSS attacks, explain what you did to mitigate them. If it wasn’t, explain why.

- I didn’t render raw HTML from user input, and I used Helmet to help prevent external scripts from running.
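What "not rendering raw HTML" buys you, shown as an added example (not the project's code): the same constructed user comment rendered by string concatenation (the equivalent of `innerHTML` or React's `dangerouslySetInnerHTML`) and rendered through an HTML escaper (what JSX does by default for `{comment}`).

```javascript
// Added example (not the project's code). A constructed user comment that
// carries a script payload in an event-handler attribute.
const untrustedComment = '<img src=x onerror="alert(document.cookie)">nice post';

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: user input is pasted into markup unchanged, so the <img>
// and its onerror handler become live DOM.
function renderRaw(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Safe: the payload is shown to the reader as literal text. This is what
// React does for <p>{comment}</p>; it only breaks if you opt out with
// dangerouslySetInnerHTML.
function renderEscaped(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Crude detector used only to make the difference visible: does the
// resulting markup still contain an element with an on* attribute?
function hasEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}
```

A Content-Security-Policy with `script-src 'self'` (what Helmet sends by default) is the second layer: even if some path does render raw HTML, inline handlers like the `onerror` above are blocked by the browser. Neither layer replaces the other.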

2. If your app was vulnerable to CSRF attacks, explain what you did to mitigate them. If it wasn’t, explain why.

- I used cookies with the SameSite setting, which helps stop other websites from making authenticated requests using the user’s cookie.
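An added example (not the project's code) of the cookie attributes in question and of the caveat that goes with them: `SameSite=Lax` stops a cross-site page from POSTing with the user's cookie, but the cookie is still sent on top-level GET navigations, so state-changing work must never be reachable via GET. As defense in depth the block also rejects state-changing requests whose `Origin` is not our own. The cookie name `sid` and the allowed origin are assumptions.

```javascript
// Added example (not the project's code). The Set-Cookie value for a
// session cookie, plus an Origin check for methods that change state.
const ALLOWED_ORIGIN = 'https://example.com'; // assumed deployment origin

function sessionCookie(sessionId) {
  return [
    `sid=${encodeURIComponent(sessionId)}`,
    'HttpOnly',       // not readable by page scripts, which limits XSS impact
    'Secure',         // only sent over HTTPS
    'SameSite=Lax',   // not sent on cross-site subrequests or cross-site POSTs
    'Path=/',
    'Max-Age=86400',
  ].join('; ');
}

// Express-style middleware. GET/HEAD/OPTIONS must be side-effect free, so
// they pass; anything else must come from our origin. Browsers attach
// Origin to cross-origin POST/PUT/DELETE, so a missing Origin is tolerated
// only when Sec-Fetch-Site confirms a same-origin request. Non-browser
// clients (curl, scripts) have to send an Origin header to get through.
function rejectCrossSite(req, res, next) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
  const origin = req.headers.origin;
  const fetchSite = req.headers['sec-fetch-site'];
  const sameOrigin =
    origin === ALLOWED_ORIGIN || (origin === undefined && fetchSite === 'same-origin');
  if (!sameOrigin) {
    res.status(403).json({ error: 'cross-site request rejected' });
    return;
  }
  next();
}

// Drive the middleware with a fake req/res; returns the resulting status.
function check(method, headers) {
  const res = {
    statusCode: 200,
    status(c) { this.statusCode = c; return this; },
    json() { return this; },
  };
  let passed = false;
  rejectCrossSite({ method, headers }, res, () => { passed = true; });
  return passed ? 200 : res.statusCode;
}
```

Register it before the routes (`app.use(rejectCrossSite)`) and set the cookie with `res.cookie('sid', id, { httpOnly: true, secure: true, sameSite: 'lax' })`, which produces the same attributes as `sessionCookie` above.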

3. If you added rate limiting with a firewall, include what commands you ran/packages you used. If you added rate limiting to your application code, indicate this.

- I added rate limiting in my application code using the express-rate-limit package to limit how many requests can hit the /api routes.
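To show what such a limiter actually does, here is an added example (not the project's code and not the express-rate-limit package itself): a fixed-window limiter in the same `(req, res, next)` shape, keyed on `req.ip`, with an injectable clock so the window boundary can be exercised offline. Window size and limit are assumptions.

```javascript
// Added example (not the project's code). Fixed-window limiter in Express
// middleware form; stands in for express-rate-limit to show the mechanism.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const hits = new Map(); // key -> { count, windowStart }
  return function rateLimit(req, res, next) {
    const key = req.ip;
    const t = now();
    let entry = hits.get(key);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t }; // start a fresh window
      hits.set(key, entry);
    }
    entry.count += 1;
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      const retryAfter = Math.ceil((entry.windowStart + windowMs - t) / 1000);
      res.setHeader('Retry-After', String(retryAfter));
      res.status(429).json({ error: 'too many requests' });
      return;
    }
    next();
  };
}

// Replays a constructed request sequence against the limiter with a fake
// clock; returns the status code each request received.
function simulate({ windowMs, max, requests }) {
  let clock = 0;
  const limiter = createRateLimiter({ windowMs, max, now: () => clock });
  const statuses = [];
  for (const { at, ip } of requests) {
    clock = at;
    const res = {
      statusCode: 200, headers: {},
      setHeader(k, v) { this.headers[k] = v; },
      status(c) { this.statusCode = c; return this; },
      json() { return this; },
    };
    limiter({ ip }, res, () => {});
    statuses.push(res.statusCode);
  }
  return statuses;
}
```

Two practical points: behind Caddy, `req.ip` is Caddy's own address unless Express is told `app.set('trust proxy', 1)`, in which case every client shares one bucket and the first busy user locks everyone out; and an in-memory map like this one resets on restart and is per-process, which is fine for a single Node server but not for several.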

4. Explain what HTTP headers you set, what they do, and why they’re useful.

- I used Helmet to set security headers like Content-Security-Policy and X-Content-Type-Options, which helps lower browser attacks.
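To make those headers concrete, an added example (not the project's code and not Helmet's source) that sets the main ones by hand and includes a small CSP evaluator so you can see which script origins a policy admits. The directive values are assumptions for a React front end served from the same origin as its API.

```javascript
// Added example (not the project's code): the headers Helmet sets, written
// out so their effect is visible. Values are assumptions for this setup.
const SECURITY_HEADERS = {
  // Load scripts/styles/images only from our own origin; no inline scripts,
  // no plugins, no framing by other sites.
  'Content-Security-Policy': [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; '),
  // Stop the browser from guessing a different MIME type than we sent.
  'X-Content-Type-Options': 'nosniff',
  // Refuse to be put in a frame (clickjacking); older twin of frame-ancestors.
  'X-Frame-Options': 'DENY',
  // Send at most our origin as Referer to other sites.
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  // Tell browsers to use HTTPS for this host for a year.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

// Express-style middleware: app.use(securityHeaders)
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  next();
}

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(csp) {
  const out = {};
  for (const d of csp.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) out[name] = sources;
  }
  return out;
}

// Would this policy let a <script src> from `origin` run? script-src falls
// back to default-src; with neither present, everything is allowed.
function cspAllowsScriptFrom(csp, origin, selfOrigin) {
  const dirs = parseCsp(csp);
  const sources = dirs['script-src'] || dirs['default-src'] || ['*'];
  return sources.some((s) => s === '*' || (s === "'self'" && origin === selfOrigin) || s === origin);
}
```

Two checks worth doing after enabling a CSP: load the deployed app with the browser console open, since a build that emits inline scripts will be blocked by `script-src 'self'` and will log a CSP violation rather than fail silently; and only send Strict-Transport-Security once the site is served over HTTPS for real, because browsers remember it.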

5. If you did anything else to secure your app, explain what you did and why.

- I validated inputs with Zod, limited request body size, and hashed passwords with Argon2 so sensitive data is handled more safely.