HW4 Reflection


Authentication

What did you struggle with when adding authorization to your back end?

I struggled the most with ensuring that users could only edit or delete books that they created. This required careful handling of the database queries to check ownership, as well as properly verifying the user's identity before allowing updates.

What did you struggle with when adding authorization to your front end?

The most challenging part was making sure that the UI properly reflected the user's permissions, such as buttons being disabled if the user wasn't the creator.

Deployment

What did you struggle with when deploying your app to the internet?

I struggled with deploying my code to the server because I used SCP instead of Git to avoid setting up SSH keys, which made managing updates more cumbersome.

Security Audit

If your app was vulnerable to XSS attacks, explain what you did to mitigate them. If it wasn't, explain why.

My app wasn't vulnerable to XSS attacks when I tested it by submitting <script>alert("Hello")</script> while registering a new account. I think it could be because React escapes the content, so it doesn't execute.

If your app was vulnerable to CSRF attacks, explain what you did to mitigate them. If it wasn't, explain why.

I added CSRF protection, so requests that change state, such as adding or updating, require a token to prevent unauthorized requests.

If you added rate limiting with a firewall, include what commands you ran/packages you used. If you added rate limiting to your application code, indicate this.

I didn't add rate limiting with a firewall such as fail2ban, but instead I did it at the application level with a package like express-rate-limit. I have a global limiter allowing 150 requests every 15 minutes for all routes and a login limiter allowing 20 requests every 15 minutes.
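The two controls described in this reflection (the ownership check on book edits from the Authentication section, and the 150-per-15-minute global and 20-per-15-minute login limits above), written out as a dependency-free JavaScript example. This is added illustration, not the homework's own code: the fixed-window counter stands in for express-rate-limit's default in-memory behaviour, and the function names, book fields and sample users are assumptions.

```javascript
// Added example (not from the original reflection): dependency-free versions
// of the rate-limit policy and the ownership check, runnable without Express.
// Function names, the book record shape and the sample data are assumptions.

const FIFTEEN_MINUTES = 15 * 60 * 1000;

// Fixed-window counter keyed by client (e.g. IP), the same model
// express-rate-limit uses by default. `now` is injectable so the window
// reset can be exercised deterministically.
function createRateLimiter({ windowMs, max }) {
  const hits = new Map(); // key -> { count, resetAt }
  return function check(key, now = Date.now()) {
    let entry = hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      resetAt: entry.resetAt,
    };
  };
}

// The two policies from the reflection: 150 per 15 minutes on every route,
// and a tighter 20 per 15 minutes on login so password guessing is throttled
// long before the global cap is reached.
const globalLimiter = createRateLimiter({ windowMs: FIFTEEN_MINUTES, max: 150 });
const loginLimiter = createRateLimiter({ windowMs: FIFTEEN_MINUTES, max: 20 });

// Ownership check for editing or deleting a book. Authentication (401) is
// decided before ownership (403), and the comparison uses the ownerId stored
// on the book row, never a value supplied by the client.
function authorizeBookEdit(sessionUser, book) {
  if (!sessionUser) return { status: 401, reason: 'not logged in' };
  if (!book) return { status: 404, reason: 'no such book' };
  if (book.ownerId !== sessionUser.id) return { status: 403, reason: 'not the creator' };
  return { status: 200 };
}

// Constructed sample data standing in for a session and a database row.
const alice = { id: 7, name: 'alice' };
const bob = { id: 8, name: 'bob' };
const sampleBook = { id: 42, title: 'Example', ownerId: 7 };
```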

Explain what HTTP headers you set, what they do, and why they're useful.

I set HTTP headers automatically using helmet, and they improve the app's security. For example, Content-Security-Policy can prevent some XSS attacks by restricting what the browser can load.

If you did anything else to secure your app, explain what you did and why.

I don't think I did anything else to secure the app besides cookie verification.