Homework 3 Reflection

UI

  1. What did you struggle with when adding logins and authorization to your front-end?

     On the UI front, there weren't many issues. I'm pretty familiar with React MUI, so no issues. I think the only thing was the conditional statement for only showing certain tabs on the nav bar when a user is logged in, and only showing Home, Login and Signup when there isn't a user logged in. However, this issue was tied with

Login Endpoint

  1. What did you struggle with when adding logins and authorization to your back-end?

     I struggled a lot with authorization where users can only edit/delete books that they themselves created. I think it was something with the database not generating a book id when it's created, so I couldn't link a user to it. Also, implementing and utilizing cookies was a little difficult to figure out.

Security Audit

  1. If your app was vulnerable to XSS attacks, explain what you did to mitigate them. If it wasn't, explain why.

     To mitigate vulnerability to XSS attacks, I used Helmet, which sets security-related HTTP headers, including Content Security Policy (CSP) and X-XSS-Protection, to prevent XSS attacks.

  2. If your app was vulnerable to CSRF attacks, explain what you did to mitigate them. If it wasn't, explain why.

     I used cookieParser, but I need to ensure that sensitive requests require authentication and CSRF protection.

  3. If you added rate limiting with a firewall, include what commands you ran/packages you used. If you added rate limiting to your application code, indicate this.

     I used express-rate-limit to prevent abuse and brute-force attacks. I limited requests to 100 per 15 minutes per IP. A custom error message is returned when the limit is exceeded.

  4. Explain what HTTP headers you set, what they do, and why they're useful.

     I used the default Helmet HTTP headers: CSP, which restricts allowed script sources to prevent XSS; X-XSS-Protection, which helps block reflected XSS attacks in older browsers; X-Frame-Options, which prevents clickjacking attacks by blocking iframe embedding; X-Content-Type-Options, which blocks MIME-type sniffing attacks; and Strict-Transport-Security (HSTS), which forces HTTPS, preventing MITM attacks.

  5. If you did anything else to secure your app, explain what you did and why.

     I did a lot more validation throughout the application, especially on login/sign-up. Of course, I had to hash the password for extra security and information hiding in the database.