Assignment 4: Security & Deployment

1. Authentication

Backend & Frontend Synchronization

Managing cookies was a real struggle; I had to ensure that after a login, the user stayed logged in and the context wasn't lost. On the frontend, keeping the user state persistent while hiding the UI (like the books and author tables) for non-logged-in users was tough. I ultimately had to disable edit modes and implement a system where only the creator could modify data, which required introducing a proper User table.

2. Deployment

DNS and Caching

I had to register my subdomain on Porkbun to get everything live. The hardest part was the testing phase—even after setting everything up, I couldn't access the app. It turned out I had to clear the cache on both my Mac and my browser before the new address finally worked. I also had to fix several file paths that broke once the app was built and deployed to the server environment.

3. Security Audit

XSS (Cross-Site Scripting)

The app isn't vulnerable to XSS because I strictly used JSX and completely avoided dangerouslySetInnerHTML. By letting React handle the rendering, user input is treated as text rather than executable code.
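An added illustration of the point above, written for this page rather than taken from the assignment's React components. It mirrors what JSX does with a string placed in a text position (the same five-character escape React applies), shows what `dangerouslySetInnerHTML` would have done with the same string, and covers the one place JSX escaping does not reach: attribute values such as `href`, where a user-supplied `javascript:` URL is passed through unchanged. The `safeHref` allow-list and the `placeholder.invalid` base URL are assumptions for the example, not anything in the original app.

```javascript
// Added example, not the assignment's code: how JSX-style text escaping
// neutralises markup, and the attribute-value gap it leaves open.

// React escapes exactly these characters when rendering a string as a text node.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Stand-in for <td>{value}</td>: the user string is text, never markup.
function renderCell(value) {
  return `<td>${escapeText(value)}</td>`;
}

// Stand-in for <td dangerouslySetInnerHTML={{ __html: value }} />: live markup.
function renderCellDangerously(value) {
  return `<td>${value}</td>`;
}

// JSX does not validate attribute values: <a href={url}> with url = "javascript:..."
// still runs when clicked. Allow only the schemes the app needs (assumed list).
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(url) {
  const raw = String(url).trim();
  let parsed;
  try {
    // The WHATWG parser strips embedded tabs/newlines and lowercases the scheme,
    // so "JaVa\tscript:" is still recognised as javascript:. The base URL is a
    // placeholder so that relative paths such as "/books/1" parse as https.
    parsed = new URL(raw, 'https://placeholder.invalid/');
  } catch {
    return '#';
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? raw : '#';
}

// Stand-in for <a href={safeHref(url)}>{label}</a>.
function renderLink(url, label) {
  return `<a href="${escapeText(safeHref(url))}">${escapeText(label)}</a>`;
}
```

`renderCell('<img src=x onerror=alert(1)>')` comes out as inert entity-escaped text, while `renderCellDangerously` would hand the browser a working `<img>` tag. The link case is the one JSX alone does not solve: without `safeHref`, `<a href={userUrl}>` with `javascript:alert(1)` is still script execution, which is why an allow-list on the scheme belongs next to "no dangerouslySetInnerHTML" in an XSS audit.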

CSRF (Cross-Site Request Forgery)

I'm still a little concerned about CSRF, but I've done the best I can to mitigate it. I made sure cookies aren't sent on cross-site requests and ensured scripts can't steal them by setting httpOnly: true and using strict mode.
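An added example for the cookie settings described above; it is illustrative code, not the assignment's Express server. It builds the `Set-Cookie` header that `httpOnly: true`, `secure: true` and `sameSite: 'strict'` produce, then simulates the browser's SameSite decision for a few constructed requests so the difference between `Strict` and `Lax` is visible: `Lax` still attaches the cookie to a cross-site top-level GET, so a state-changing GET endpoint would remain forgeable under `Lax`, while `Strict` withholds it on every cross-site request. The option names follow what `res.cookie()` accepts in Express; the request objects are constructed for the simulation.

```javascript
// Added example, not the assignment's code: session-cookie attributes and
// a simulation of when a browser attaches the cookie to a request.

// The options as you would pass them to res.cookie('sid', value, opts) in Express.
const SESSION_COOKIE_OPTIONS = {
  httpOnly: true,     // document.cookie cannot read it, so XSS cannot exfiltrate it
  secure: true,       // sent over HTTPS only
  sameSite: 'strict', // never attached to a request that originates cross-site
  path: '/',
};

function capitalize(s) {
  return s.charAt(0).toUpperCase() + s.slice(1).toLowerCase();
}

// The Set-Cookie header value those options produce.
function setCookieHeader(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    parts.push(`SameSite=${opts.sameSite === true ? 'Strict' : capitalize(opts.sameSite)}`);
  }
  return parts.join('; ');
}

// Browser-side SameSite rules. req: { https, sameSite, topLevelNavigation, method }.
//   Strict: only for same-site requests.
//   Lax:    same-site, plus cross-site top-level navigations using a safe method.
//   None:   everywhere, and only honoured if Secure is also set.
// A cookie with no SameSite attribute is treated as Lax (the Chromium default).
function cookieIsSent(opts, req) {
  const mode = opts.sameSite === true ? 'strict' : String(opts.sameSite || 'lax').toLowerCase();
  if (opts.secure && !req.https) return false;
  if (req.sameSite) return true;
  if (mode === 'strict') return false;
  if (mode === 'lax') return Boolean(req.topLevelNavigation) && ['GET', 'HEAD'].includes(req.method);
  return mode === 'none' && Boolean(opts.secure);
}

// Constructed requests: an auto-submitted form on an attacker's page (POST, top-level)
// and a plain link from an attacker's page (GET, top-level).
const ATTACKER_FORM_POST = { https: true, sameSite: false, topLevelNavigation: true, method: 'POST' };
const ATTACKER_LINK_GET = { https: true, sameSite: false, topLevelNavigation: true, method: 'GET' };
const OWN_FRONTEND_FETCH = { https: true, sameSite: true, topLevelNavigation: false, method: 'POST' };

// Summary table for one option set: which of the three requests carry the cookie.
function sentMatrix(opts) {
  return {
    attackerFormPost: cookieIsSent(opts, ATTACKER_FORM_POST),
    attackerLinkGet: cookieIsSent(opts, ATTACKER_LINK_GET),
    ownFrontendFetch: cookieIsSent(opts, OWN_FRONTEND_FETCH),
  };
}
```

With `sameSite: 'strict'` the matrix is `false, false, true`: the app's own frontend keeps its session and both forged requests arrive without it. Switching to `'lax'` gives `false, true, true`, which is only safe if no GET route changes state. SameSite is a browser-enforced control, so a per-session CSRF token checked on the server is the usual defence-in-depth for clients that do not honour it.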

Rate Limiting

I took the professor's advice and implemented express-rate-limit directly into server.ts. I set a limit of 20 requests for login to prevent brute force access—though honestly, 20 still feels like a lot to me.
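An added example, not the assignment's `server.ts`: a fixed-window limiter with the same knobs `express-rate-limit` exposes (`windowMs`, `max`, `keyGenerator`), written stand-alone so it runs without Express, plus a login guard that layers a generous per-IP limit (20, as in the write-up) under a much tighter per-account limit. The per-account bucket is what makes the number feel less alarming: an attacker gets 20 tries per IP, but only 5 against any one username before every further attempt is refused for the rest of the window. The IP address, usernames and window size are constructed for the simulation.

```javascript
// Added example, not the assignment's code: a fixed-window rate limiter with
// express-rate-limit's knobs, layered per IP and per account for the login route.

class FixedWindowLimiter {
  constructor({ windowMs, max, keyGenerator }) {
    this.windowMs = windowMs;
    this.max = max;
    this.keyGenerator = keyGenerator;
    this.hits = new Map(); // key -> { count, resetAt }
  }

  // Count one request and return the decision plus the values a 429 would carry.
  check(req, now = Date.now()) {
    const key = this.keyGenerator(req);
    let entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= this.max;
    return {
      allowed,
      status: allowed ? 200 : 429,
      remaining: Math.max(0, this.max - entry.count),
      retryAfterSec: allowed ? 0 : Math.ceil((entry.resetAt - now) / 1000),
    };
  }
}

// Login guard: the IP bucket absorbs noisy scanners, the account bucket stops
// brute force against one user even when it comes from many addresses.
// express-rate-limit keys on req.ip by default; keyGenerator is how you change that.
function makeLoginGuard({ windowMs = 15 * 60 * 1000, perIp = 20, perAccount = 5 } = {}) {
  const ipLimiter = new FixedWindowLimiter({ windowMs, max: perIp, keyGenerator: (req) => req.ip });
  const accountLimiter = new FixedWindowLimiter({
    windowMs,
    max: perAccount,
    keyGenerator: (req) => String(req.body.username || '').toLowerCase(),
  });
  return (req, now = Date.now()) => {
    const byIp = ipLimiter.check(req, now);
    return byIp.allowed ? accountLimiter.check(req, now) : byIp;
  };
}

// Constructed brute-force run: `attempts` logins from one IP, one second apart.
function simulate(guard, attempts, usernameFor) {
  const statuses = [];
  for (let i = 0; i < attempts; i++) {
    const req = { ip: '203.0.113.10', body: { username: usernameFor(i), password: `guess${i}` } };
    statuses.push(guard(req, i * 1000).status);
  }
  return statuses;
}
```

Against a single account the guard returns `200` five times and `429` from the sixth attempt on; against 25 different usernames from the same address it allows 20 and then refuses on the per-IP bucket. Keying on the username does mean an attacker can keep a victim's account in the refused state for the window, so keep the account window short, and never key on `req.ip` alone behind a proxy without `trust proxy` set, or every user shares one bucket.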

HTTP Headers

I used Helmet to manage my security headers. This helps prevent clickjacking and ensures the server doesn't serve resources I didn't intend to share, hardening the overall connection.
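An added check for the headers above, written for this page rather than taken from the assignment: it parses a raw response (what `curl -sI https://your-host` prints) and reports which hardening headers are missing or weak. The expected values are Helmet's documented defaults (`X-Frame-Options: SAMEORIGIN` against clickjacking, a CSP whose `default-src 'self'` restricts which resources the page may load, `nosniff`, HSTS, a referrer policy, `Cross-Origin-Resource-Policy`) and the removal of `X-Powered-By`. Both sample responses are constructed; the "hardened" one carries a trimmed version of Helmet's default CSP.

```javascript
// Added example, not the assignment's code: audit a raw HTTP response for the
// headers Helmet's defaults are expected to set.

function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// header name -> predicate on its value; all lowercase because header names are case-insensitive
const EXPECTED = {
  'x-frame-options': (v) => /^(DENY|SAMEORIGIN)$/i.test(v),          // clickjacking
  'content-security-policy': (v) => /default-src\s+'self'/i.test(v),  // only resources you intend to serve
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',     // no MIME sniffing of responses
  'strict-transport-security': (v) => /max-age=\d+/i.test(v),         // HTTPS only (meaningful over TLS)
  'referrer-policy': (v) => v.length > 0,
  'cross-origin-resource-policy': (v) => /^(same-origin|same-site)$/i.test(v),
};

function auditHeaders(raw) {
  const headers = parseHeaders(raw);
  const findings = [];
  for (const [name, ok] of Object.entries(EXPECTED)) {
    if (!headers.has(name)) findings.push(`missing ${name}`);
    else if (!ok(headers.get(name))) findings.push(`weak ${name}: ${headers.get(name)}`);
  }
  if (headers.has('x-powered-by')) findings.push('x-powered-by leaks the framework');
  return findings;
}

// Constructed sample: a bare Express response with no Helmet.
const BARE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'X-Powered-By: Express',
  'Content-Type: text/html; charset=utf-8',
].join('\r\n');

// Constructed sample: the same app behind helmet() with default settings (CSP trimmed).
const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  "Content-Security-Policy: default-src 'self';base-uri 'self';frame-ancestors 'self';object-src 'none'",
  'Cross-Origin-Resource-Policy: same-origin',
  'Referrer-Policy: no-referrer',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-Content-Type-Options: nosniff',
  'X-Frame-Options: SAMEORIGIN',
  'Content-Type: text/html; charset=utf-8',
].join('\r\n');
```

Run `auditHeaders` on the real deployment's response rather than trusting that the middleware is registered: Helmet only affects responses that pass through `app.use(helmet())`, so a static-file route or a reverse proxy in front of the app can still serve pages without these headers.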