Homework 4 Reflection
1. Authentication
What did you struggle with when adding authorization to your back end?
I struggled with adding account registration that checks whether the username already exists and shows a message if it does. The rest was rather simple since I did it for activity 4a. Although, I did have to change something to make the username work by having it stored in the token storage. I had some issues setting up the imports and figuring out how to use the limiter.
What did you struggle with when adding authorization to your front end?
For the frontend, I struggled with how to make the UI disappear and reappear when logged in, and with fixing the HTML format with Material UI when implementing the authorization. I had to set up authorization for editing and deleting individual entries so that they are tied to that user and can't be edited by others, which was a struggle.
2. Deployment
What did you struggle with when deploying your app to the internet?
The instructions given were really confusing to follow on how to deploy it, and I had many things to struggle with, including adding the subdomain records, editing the Caddyfile, and importing it into the VPS, and there were many times where it didn't deploy. I had an issue with npm run build where sometimes it didn't work for authorization.
3. Security audit
If your app was vulnerable to XSS attacks, explain what you did to mitigate them. If it wasn’t, explain why.
I think my app was not vulnerable to XSS attacks because my user input, such as username, book title and author name, is rendered inside JSX, and React auto-escapes the content by default, so it is safe.
If your app was vulnerable to CSRF attacks, explain what you did to mitigate them. If it wasn’t, explain why.
What I did was make my cookies httpOnly, which cannot be read by JavaScript, and also use sameSite: "lax", which helps prevent most of the HTTP methods; I also require authorization for all write and read routes, which made it invulnerable.
If you added rate limiting with a firewall, include what commands you ran/packages you used. If you added rate limiting to your application code, indicate this.
I imported { rateLimit } from 'express-rate-limit' and used the limiter on the website; it limits each IP to 100 requests per 15 minutes, and I used the default that was shown on the website.
Explain what HTTP headers you set, what they do, and why they're useful.
I used standardHeaders: 'draft-8' for express-rate-limit; they are modern and work better for the latest browsers. It also keeps it more secure as it is newer.
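To make concrete what the limiter and cookie settings above actually do, here is an added, dependency-free example (not the assignment's own code): a fixed-window per-IP limiter with the same policy (100 requests per 15 minutes) that emits draft-8 style RateLimit headers, plus a session cookie string with the HttpOnly and SameSite=Lax attributes. The exact header layout is modelled on what express-rate-limit emits for 'draft-8' and is an assumption; the IP addresses and cookie value are constructed sample data.

```javascript
// Added example; mirrors the policy described above without depending on Express.
const WINDOW_MS = 15 * 60 * 1000; // 15 minutes, as configured in the reflection
const LIMIT = 100;                // requests per window per client IP

// Returns check(ip): counts hits in a fixed window and reports whether the
// request is allowed, the status to send, and the response headers to set.
// `now` is injectable so the window roll-over can be tested deterministically.
function createLimiter({ windowMs = WINDOW_MS, limit = LIMIT, now = Date.now } = {}) {
  const hits = new Map(); // ip -> { count, resetAt }
  return function check(ip) {
    const t = now();
    let entry = hits.get(ip);
    if (!entry || t >= entry.resetAt) {          // first hit or window expired
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(ip, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= limit;
    const remaining = Math.max(0, limit - entry.count);
    const resetSec = Math.ceil((entry.resetAt - t) / 1000);
    // Assumed draft-8 shape: policy (quota q, window w) and current state (remaining r, reset t).
    const headers = {
      'RateLimit-Policy': `"default"; q=${limit}; w=${windowMs / 1000}`,
      'RateLimit': `"default"; r=${remaining}; t=${resetSec}`,
    };
    if (!allowed) headers['Retry-After'] = String(resetSec); // tell clients when to retry
    return { allowed, status: allowed ? 200 : 429, headers };
  };
}

// Builds the Set-Cookie value for a session cookie: HttpOnly keeps it away from
// document.cookie (limits XSS impact), SameSite=Lax withholds it on cross-site
// POST/PUT/DELETE (the CSRF mitigation above), Secure restricts it to HTTPS.
function sessionCookie(name, value, { secure = true, maxAgeSec = 86400 } = {}) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly',
                 'SameSite=Lax', `Max-Age=${maxAgeSec}`];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Stand-alone demo with a constructed client IP.
const demo = createLimiter();
console.log(demo('203.0.113.5'));                 // allowed, RateLimit shows r=99
console.log(sessionCookie('session', 'sample-token')); // constructed value
```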
If you did anything else to secure your app, explain what you did and why.
I did not do much else besides using cookies and hashing for authorization and making the UI not show up unless logged in.