Homework 4 Reflection

  1. Authentication
    1. When adding authorization to the backend, I struggled the most with how I was storing cookies. I kept confusing token and username. Most of my time was spent debugging these mistakes.
    2. I struggled with cookies for the front end as well.
  2. Deployment
    1. I struggled the most with knowing when to install something on my server and something within my repository. I accidentally deleted my .ssh directory, so I had to spend a lot of time reconfiguring my ssh keys. I also forgot to register my subdomain to my DNS. I spent hours "debugging" my subdomain not being up just to find out that everything on the server end was fine.
  3. Security Audit
    1. I tested <script>alert("hello")</script> in available input boxes. It did not send an alert. This is due to using React rather than innerHTML. I also tried curling a POST request sending the same alert, and it did not work because of my authorization in the back end.
    2. I was vulnerable to CSRF attacks, but I changed my cookie settings from "lax" to "strict" and changed the secure settings from "false" to "true." Since tokens are created when the user logs in, I believe the CSRF risks are mitigated.
    3. For rate limiting, I used express-rate-limit. I added server-side code.
    4. Other than the HTTP headers automatically set by Helmet, I used Set-Cookie, Content-Type, and Location. Set-Cookie is used to store data to keep the user logged in and allow them to log out. Without using this, I would not be able to keep the user logged in each time. Content-Type was used for sending data between server and client, which is why it's useful. Location is used for creating and fetching resources. Without it, the client wouldn't be able to easily access server-side resources.
    5. -
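Added example for item 3.1 (not code from the reflection or from React itself): why the `<script>` probe renders as harmless text. React inserts user-supplied strings as DOM text nodes, which has the same effect as escaping the five HTML metacharacters before writing markup; the two renderers below make that difference visible next to the `innerHTML`-style interpolation the audit compared against. The comment markup and the `probe` string are constructed for illustration.

```javascript
// Escape the characters that let text break out of an HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe renderer: raw interpolation, equivalent to `el.innerHTML = ...` with user input.
function renderUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Safe renderer: the text-node equivalent of what React does with `{comment}`.
function renderSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Crude check used only to compare the two renderers: does the output contain a real
// <script> element (as opposed to the escaped text "&lt;script&gt;")?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The probe string from the audit (constructed input, same as the one the reflection used).
const probe = '<script>alert("hello")</script>';

function demoXss() {
  return {
    unsafeExecutable: containsScriptTag(renderUnsafe(probe)), // true: tag survives intact
    safeExecutable: containsScriptTag(renderSafe(probe)),     // false: only escaped text
    safeMarkup: renderSafe(probe),
  };
}
```

The same escaping is not sufficient on its own if user data is placed into a URL, an inline event handler, or a `<script>` body; React's protection covers text content and attribute values, which is why `dangerouslySetInnerHTML` is the one place that needs separate review.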
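Added example for item 3.2 (not code from the reflection or from Express): what the two cookie attribute changes actually alter. `cookieSent` is a simplified model of the browser SameSite and Secure rules from RFC 6265bis, and `buildSetCookie` produces the corresponding `Set-Cookie` header value. The cookie name `token`, its value and the request scenarios are constructed. Note that `Lax` already withholds the cookie on a cross-site POST; what `Strict` adds is withholding it on cross-site top-level GET navigations too, and `Secure` keeps it off plaintext HTTP.

```javascript
// Build a Set-Cookie header value from a name, value and attribute object.
function buildSetCookie(name, value, attrs = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.secure) parts.push("Secure");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (Number.isInteger(attrs.maxAge)) parts.push(`Max-Age=${attrs.maxAge}`);
  return parts.join("; ");
}

// Decide whether a browser would attach the cookie to a request (simplified model).
// req: { sameSiteRequest, topLevelNavigation, method, https }
function cookieSent(attrs, req) {
  if (attrs.secure && !req.https) return false;          // Secure: HTTPS only
  if (req.sameSiteRequest) return true;                   // same-site: always attached
  const mode = (attrs.sameSite || "Lax").toLowerCase();   // browsers default to Lax
  switch (mode) {
    case "strict":
      return false;                                       // never on cross-site requests
    case "lax":
      // cross-site only on top-level navigations with a safe method
      return req.topLevelNavigation && req.method === "GET";
    case "none":
      return Boolean(attrs.secure);                       // None is rejected without Secure
    default:
      return false;
  }
}

// The "before" and "after" configurations described in the reflection (values constructed).
const weakAttrs = { httpOnly: true, secure: false, sameSite: "Lax" };
const hardenedAttrs = { httpOnly: true, secure: true, sameSite: "Strict" };

// Constructed request scenarios.
const crossSiteGet = { sameSiteRequest: false, topLevelNavigation: true, method: "GET", https: true };
const crossSitePost = { sameSiteRequest: false, topLevelNavigation: true, method: "POST", https: true };
const ownFrontEnd = { sameSiteRequest: true, topLevelNavigation: false, method: "POST", https: true };
const ownFrontEndHttp = { ...ownFrontEnd, https: false };

function demoCookies() {
  return {
    weakHeader: buildSetCookie("token", "abc123", weakAttrs),
    hardenedHeader: buildSetCookie("token", "abc123", hardenedAttrs),
    weakSentOnCrossSiteGet: cookieSent(weakAttrs, crossSiteGet),          // true
    hardenedSentOnCrossSiteGet: cookieSent(hardenedAttrs, crossSiteGet),  // false
    weakSentOnCrossSitePost: cookieSent(weakAttrs, crossSitePost),        // false (Lax already blocks)
    hardenedSentOnOwnCall: cookieSent(hardenedAttrs, ownFrontEnd),        // true
    hardenedSentOverHttp: cookieSent(hardenedAttrs, ownFrontEndHttp),     // false
  };
}
```

The practical consequence for the audit: with `Strict`, any link to the site from another origin arrives without the session cookie, so a state-changing GET route (a `/logout` link, for instance) can no longer be triggered cross-site, but the user also lands logged out on that first navigation and must reload or re-authenticate.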
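Added example for item 3.3 (not code from the reflection and not express-rate-limit itself): a minimal fixed-window limiter of the kind that library provides, written without Express so it runs stand-alone. The window size, limit, client key and the injectable clock are constructed parameters; in a real deployment the key would be the client IP or the authenticated user.

```javascript
class FixedWindowLimiter {
  constructor({ windowMs, max, now = () => Date.now() }) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;            // injectable clock so the behaviour can be tested
    this.buckets = new Map();  // key -> { windowStart, count }
  }

  // Record one request for `key` and return the decision for it.
  hit(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { windowStart: t, count: 0 };  // window expired or first request: start fresh
      this.buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= this.max;
    return {
      allowed,
      remaining: Math.max(0, this.max - b.count),
      retryAfterMs: allowed ? 0 : b.windowStart + this.windowMs - t,
    };
  }
}

// Translate a decision into the HTTP status and headers a middleware would set.
function decisionToResponse(decision) {
  const headers = { "RateLimit-Remaining": String(decision.remaining) };
  if (!decision.allowed) {
    headers["Retry-After"] = String(Math.ceil(decision.retryAfterMs / 1000));
    return { status: 429, headers };
  }
  return { status: 200, headers };
}

// Simulate a burst of login attempts from one client (constructed scenario): 7 attempts one
// second apart against a 5-per-minute limit, then one more after the window has rolled over.
function simulateLoginBurst() {
  let fakeNow = 1_000_000;
  const limiter = new FixedWindowLimiter({ windowMs: 60_000, max: 5, now: () => fakeNow });
  const statuses = [];
  for (let i = 0; i < 7; i++) {
    statuses.push(decisionToResponse(limiter.hit("client-A")).status);
    fakeNow += 1_000;
  }
  fakeNow += 60_000;  // wait out the window
  statuses.push(decisionToResponse(limiter.hit("client-A")).status);
  return statuses;    // [200, 200, 200, 200, 200, 429, 429, 200]
}
```

A fixed window lets a client spend its whole allowance at the boundary between two windows; a sliding window or token bucket smooths that out, and for a single-server deployment like the one described, the in-memory `Map` is fine but resets on restart.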