This concerns all microservices:

• http://scottksmith.com/blog/2014/09/04/simple-steps-to-secure-your-express-node-application/
• https://expressjs.com/de/advanced/best-practice-security.html
• https://www.theodo.fr/blog/2015/04/preventing-csrf-attacks-with-express-and-angularjs/

How does CSRF security work with using the API? https://github.com/expressjs/csurf#ignoring-routes

Tasks

• audits
• https-only cookie (disable for dev)