What did you struggle with when adding authorization to your back end?
I didn’t have any issues adding authorization to my backend as I found it very similar to our previous activity.
What did you struggle with when adding authorization to your front end?
I struggled with keeping the user logged in when navigating between pages or refreshing. I fixed this by using an AuthContext to store and manage whether the user is logged in across the entire app.
What did you struggle with when deploying your app to the internet?
Everything. This was so difficult for no reason. I accidentally left my code running while I was still developing and was just really confused for a hot second. I also forgot to add my DNS records on porkbun, so that also took a considerable amount of time.
If your app was vulnerable to XSS attacks, explain what you did to mitigate them. If it wasn’t, explain why.
My app is not vulnerable to XSS attacks because the backend mostly returns JSON and the frontend is React. I also use helmet with a Content Security Policy, which helps block scripts from running if something sneaky gets injected.
If your app was vulnerable to CSRF attacks, explain what you did to mitigate them. If it wasn’t, explain why.
I added a same-origin check on /api that blocks POST/PATCH/DELETE requests unless the Origin header is one of my allowed sites, and I set the cookie to SameSite: "lax" and httpOnly.
If you added rate limiting with a firewall, include what commands you ran/packages you used. If you added rate limiting to your application code, indicate this.
npm i express-rate-limit
I added rate limiting in my application code using express-rate-limit. I rate-limit all /api routes (300 per 15 minutes) and rate-limit /api/login and /api/register much tighter (10 per 15 minutes).
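To show what those two tiers do in practice, here is a small fixed-window limiter with the same windowMs/limit options shape that express-rate-limit uses. This is an added example and not the project's code or the package's implementation: it keeps counts in memory, takes an injectable clock so the window expiry can be exercised offline, and stacks the general /api bucket with the tighter login/register bucket the way two mounted middlewares would.

```javascript
// Added example (not the project's own code): a fixed-window rate limiter
// with a general /api tier and a tighter tier for the auth routes.
const FIFTEEN_MINUTES = 15 * 60 * 1000;

// windowMs and limit mirror express-rate-limit's options; the in-memory store
// and the injectable `now` clock are assumptions for this demo.
function createLimiter({ windowMs, limit, now = () => Date.now() }) {
  const hits = new Map(); // key -> { count, windowStart }
  return {
    // Count one request for `key`; returns { allowed, remaining, retryAfterMs }.
    hit(key) {
      const t = now();
      let entry = hits.get(key);
      if (!entry || t - entry.windowStart >= windowMs) {
        entry = { count: 0, windowStart: t }; // start a fresh window
        hits.set(key, entry);
      }
      entry.count += 1;
      const allowed = entry.count <= limit;
      return {
        allowed,
        remaining: Math.max(0, limit - entry.count),
        retryAfterMs: allowed ? 0 : entry.windowStart + windowMs - t,
      };
    },
  };
}

const AUTH_PATHS = new Set(['/api/login', '/api/register']);

function createApiLimiters(now) {
  return {
    api: createLimiter({ windowMs: FIFTEEN_MINUTES, limit: 300, now }),
    auth: createLimiter({ windowMs: FIFTEEN_MINUTES, limit: 10, now }),
  };
}

// Apply the tiers the way stacked middlewares would: a login attempt counts
// against the general bucket and the auth bucket and is blocked if either is
// exhausted. Paths outside /api are not counted at all.
function checkRequest(limiters, ip, path) {
  if (!path.startsWith('/api')) return { allowed: true, tier: null, retryAfterMs: 0 };
  const general = limiters.api.hit(ip);
  if (!general.allowed) return { allowed: false, tier: 'api', retryAfterMs: general.retryAfterMs };
  if (AUTH_PATHS.has(path)) {
    const auth = limiters.auth.hit(ip);
    if (!auth.allowed) return { allowed: false, tier: 'auth', retryAfterMs: auth.retryAfterMs };
    return { allowed: true, tier: 'auth', retryAfterMs: 0 };
  }
  return { allowed: true, tier: 'api', retryAfterMs: 0 };
}

// Express-style middleware around checkRequest, meant for app.use(...) at the
// app level so req.path is the full path (a router mounted at /api strips it).
function rateLimitMiddleware(limiters) {
  return (req, res, next) => {
    const r = checkRequest(limiters, req.ip, req.path);
    if (r.allowed) return next();
    res.set('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
    res.status(429).json({ error: 'too many requests' });
  };
}
```

One caveat that applies equally to express-rate-limit: keying on `req.ip` is only meaningful if the app is told to trust its reverse proxy (`app.set('trust proxy', ...)`), otherwise every request appears to come from the proxy's address and the whole site shares one bucket.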
Explain what HTTP headers you set, what they do, and why they’re useful.
I used helmet to set security headers, and I set a Content Security Policy so the browser only connects to trusted origins (like my site and localhost during development). These headers help prevent common attacks like script injection and reduce what the browser will allow a page to do.
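To make the "only connects to trusted origins" part concrete, here is an added example (not this project's helmet configuration) that builds a Content-Security-Policy of that shape, switches in localhost for development, and then evaluates a few fetches against it the way a browser would. The origins are placeholders. The directives object is in the form helmet accepts via helmet.contentSecurityPolicy({ directives }); the serializer, parser and checker are hypothetical helpers written for this demo, and the checker handles only 'self', 'none', scheme sources such as data: and exact host origins.

```javascript
// Added example (not the project's own code): build, serialize, parse and
// evaluate a Content-Security-Policy like the one described above.

// Assumed origins: apiOrigin is the deployed API, localhost entries are dev only.
function cspDirectives({ isProduction, apiOrigin }) {
  const connectSrc = ["'self'", apiOrigin];
  if (!isProduction) connectSrc.push('http://localhost:3000', 'ws://localhost:5173');
  return {
    'default-src': ["'self'"],
    'script-src': ["'self'"],      // no 'unsafe-inline': injected inline script text is not run
    'style-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'connect-src': connectSrc,     // fetch/XHR/WebSocket targets the page may talk to
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'frame-ancestors': ["'none'"], // nobody may frame the app (clickjacking)
  };
}

// Turn the directives object into the header value helmet would emit.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a header value back into { directive: [sources] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name] = sources;
  }
  return out;
}

// Fetch directives (script-src, connect-src, img-src, ...) fall back to
// default-src when absent; document and navigation directives do not.
const NO_FALLBACK = new Set(['frame-ancestors', 'base-uri', 'form-action', 'sandbox', 'report-uri', 'report-to']);

// Would this policy let a page at `pageOrigin` load `url` under `directive`?
function cspAllows(directives, directive, url, pageOrigin) {
  let sources = directives[directive];
  if (sources === undefined && !NO_FALLBACK.has(directive)) sources = directives['default-src'];
  if (!sources || sources.includes("'none'")) return false;
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.endsWith(':')) return target.protocol === src; // scheme source such as data:
    return target.origin === src;                          // exact host origin
  });
}
```

The dev/prod switch is the practical point: localhost origins belong in connect-src only while developing, so the function takes `isProduction` rather than hard-coding them, and the production header never mentions localhost.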
If you did anything else to secure your app, explain what you did and why.
N/A