[ ] Restrict CORS on the API to the deployed web app's origin: exact match on the `Origin` header, no wildcard, no prefix/substring/regex match. Decide how the allowlist switches between dev and production (e.g. an environment variable read at startup rather than hard-coded origins). CORS only governs browsers; it is not authentication and does not stop direct calls to the API.
[ ] Confirm both the API and the web app are served only over HTTPS (HTTP redirects to HTTPS, HSTS sent).
[ ] Rate-limit the API per client (IP and/or authenticated user) to curb abuse such as brute force and scraping. Application-level limits do not absorb a volumetric DDoS; that has to be handled upstream by the CDN/WAF or hosting provider.
[ ] Validate all input server-side against an allowlist (type, length, format, permitted fields), regardless of any client-side checks. Prevent SQL injection with parameterized queries rather than string concatenation or escaping, and prevent XSS by encoding output for the context it is rendered in; input sanitization alone covers neither.
[ ] Handle errors in the API so responses never expose stack traces, query text, or internal paths; log the full error server-side and return a generic message with the appropriate status code.
[ ] Add authentication and authorization to every API endpoint, especially those that modify data: authenticate the caller, then check that the caller is permitted to act on that specific resource (object-level checks, not just "is logged in").
[ ] Security headers: send Content-Security-Policy, X-Frame-Options (or CSP `frame-ancestors`), X-Content-Type-Options: nosniff, Strict-Transport-Security, Referrer-Policy, etc., to protect the app from clickjacking, MIME sniffing, and some classes of injection.
[ ] Logging and monitoring: log authentication failures, rate-limit hits, 4xx/5xx spikes and admin actions with enough context (timestamp, client IP, user, route) to investigate, without logging secrets or tokens, and alert on suspicious patterns.