4. Protecting the App from Common Attacks

There are many ways hackers try to break into apps. Here’s how I protected mine:

SQL Injection

Hackers try to insert harmful code into database queries.
Solution: Use prepared statements or ORMs to safely handle database queries.

Cross-Site Scripting (XSS)

Attackers inject harmful scripts into web pages to steal user data.
Solution: Always sanitize user inputs and avoid inserting raw HTML into the app.

Cross-Site Request Forgery (CSRF)

A hacker tricks users into performing unwanted actions while logged in.
Solution: Use CSRF tokens, which confirm that requests are made by the real user.

Brute Force Attacks

Hackers try guessing passwords by testing many combinations.
Solution: Add rate limiting so users can only try logging in a few times before being blocked.

5. Keeping APIs Secure

Since users log in with phone numbers, security is a top priority to prevent unauthorized access and protect data. Here’s how I secured both the authentication system and the API itself:

Securing Authentication (Phone Number Login)

• OTP Expiry – OTPs expire quickly to prevent reuse.

• Rate Limiting – Limits OTP requests to prevent abuse (e.g., too many OTP requests from the same number).

• Token Expiry – Authentication tokens expire after a set time, so users must reauthenticate after a while.

Securing API Access

• Authentication Tokens – Only logged-in users with valid tokens can access protected data.

• Enable CORS – Blocks unwanted requests from unknown sources.

• Limit API Requests – Prevents attackers from overwhelming the system with too many requests.

• Log and Monitor Requests – Tracks suspicious activity to detect and stop attacks early.

These steps ensure that both user authentication and API access remain safe while keeping the login experience smooth.