[GLP] Flask With MySQL (2)

A Flask starter scaffold — I had mostly written small Python scripts before, and this project was a chance to build a proper backend skeleton.

1. JWT token flow

Use short-lived access tokens for better security.

Workflow
- Request an access token + refresh token (refresh token in a secure cookie: HttpOnly, Secure, SameSite).
- Send requests with payload + access token; keep the access token in memory (cleared on logout).
- When the access token expires, use the refresh cookie to obtain a new access token.
- Access tokens often live ~1 minute to limit the window for MITM abuse.
- Add a one-way hash over the parameters for integrity, ideally including the request time.
- Authenticate sensitive header fields with an HMAC; the backend uses HMAC when refreshing tokens.
- JWTs can be stored in Redis for revocation / allowlists; we aimed for a stateless API for other systems to call, so we did not persist sessions server-side.

Implementation notes
- Set-Cookie is set on the server, not in client JS.
- Cookies must use HttpOnly, Secure, and SameSite, or later requests may not send cookies correctly.

Security trade-offs
- This design improves security for the refresh cookie, but browser extensions can still read cookies in some cases.
- Going stateless is a deliberate compromise.
...

August 6, 2021 · hyyfrank

[GLP] Flask With MySQL (1)

A Flask starter scaffold — I had mostly written small Python scripts before, and this project was a chance to build a proper backend skeleton.

1. Features we need
- flask blueprint
- CORS
- JSON responses
- easy debugging
- health check endpoint
- logging
- multiple environments
- flake8 for static analysis
- yapf for formatting
- JWT tokens
- password hashing
- MySQL
- Sphinx docs
- Postman collections
- tests
- XSS mitigation (ORM + escaping)
- parameter integrity — SHA-1 (mitigate MITM tampering)
- timestamp validation (replay / DoS-style attacks)

August 3, 2021 · hyyfrank