From 7c19edbdb3e2b26fd874f8e356f4a9df85902617 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Thu, 16 Apr 2026 17:41:53 +0000
Subject: [PATCH] Improve security, performance, and code quality across the
 stack

Security:
- Add in-memory rate limiter middleware (100 req/15 min per IP) on all /api routes
- Restrict CORS to configured allowed origins with explicit method/header allowlist
- Set X-Content-Type-Options, X-Frame-Options, X-XSS-Protection response headers
- Enforce 10 KB JSON body size limit to block large-payload attacks
- Validate and restrict file uploads to JPEG/PNG/WebP/GIF, max 5 MB
- Validate MongoDB ObjectId format before hitting the DB in getBlog
- Strip internal error objects from all 500 responses (no stack traces to client)
- Fix Flask running with debug=True; now reads FLASK_DEBUG env var (defaults off)

Validation & correctness:
- Add input length and format validation in all four controllers
- Add duplicate-email check in newsletter subscription (returns 409)
- Add model-level maxlength constraints to match controller limits
- Add lowercase + unique index to Newsletter email field
- Fix newsletter controller returning wrong "Contact form" success message
- Replace placeholder getContact / getNewsletter stubs with 405 responses

Performance:
- Add cursor-based pagination (page/limit) to getAllBlog and getAllFeedback
- Run DB count and find queries concurrently with Promise.all
- Fire email sends asynchronously so they don't block HTTP responses

Frontend:
- Remove duplicate AOS CSS import (was loaded 3 times)
- Fix broken backslash path in preloader.css link
- Remove JS comment from <script type="application/ld+json"> (invalid JSON)
- Remove duplicate <meta name="description"> tag
- Add loading="lazy" to all below-the-fold images
- Add missing alt text to hero image and decorative images
- Remove two debug console.log calls left in subscribe.js

https://claude.ai/code/session_01WYySXKUwHPqy48PB1b7PAa
---
 assets/js/subscribe.js                     |   4 +-
 index.html                                 |  40 ++++----
 news/backend/app.py                        |   5 +-
 server/app.js                              |  56 +++++++++--
 server/controllers/addBlogController.js    | 102 +++++++++++++--------
 server/controllers/contactController.js    |  32 +++++--
 server/controllers/feedbackController.js   |  56 ++++++++---
 server/controllers/newsletterController.js |  33 +++++--
 server/middleware/rateLimiter.js           |  46 ++++++++++
 server/model/Newsletter.js                 |  11 ++-
 server/model/addBlog.js                    |  19 ++--
 server/model/contact.js                    |  16 ++--
 12 files changed, 294 insertions(+), 126 deletions(-)
 create mode 100644 server/middleware/rateLimiter.js

diff --git a/assets/js/subscribe.js b/assets/js/subscribe.js
index efba0b70..720e92cc 100644
--- a/assets/js/subscribe.js
+++ b/assets/js/subscribe.js
@@ -7,7 +7,6 @@ const successNotif = document.getElementById('successnotification');
     })
     
     function showSuccess() {
-        console.log('yee')
         successNotif.style.display = 'flex';
         setTimeout(() => {
             successNotif.style.display = 'none';
@@ -19,8 +18,7 @@ document.addEventListener('DOMContentLoaded', () => {
     const subscribeSubmit = document.getElementById('subscribe-btn');
     subscribeSubmit.addEventListener('click', (event) => {
         const emailInput = document.getElementById('news-email');
-        console.log("ksdjfh");
-        
+
             if (emailInput.value === '') {
                 // Empty input
                 return;
diff --git a/index.html b/index.html
index d234f457..6e0e3ff7 100644
--- a/index.html
+++ b/index.html
@@ -5,10 +5,8 @@
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Home - FinVeda</title>
-  <meta name="description" content="" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
   <meta name="description"
-    content="FinVeda provides comprehensive resources and tools for financial education, investment strategies, and personal finance management. Discover your path to financial wellness today!">
+    content="FinVeda provides comprehensive resources and tools for financial education, investment strategies, and personal finance management. Discover your path to financial wellness today!" />
   <meta name="keywords"
     content="finance, financial education, personal finance, investment strategies, financial wellness, budgeting, money management">
   <meta name="author" content="Ayush That">
@@ -23,10 +21,8 @@
   <meta name="twitter:title" content="FinVeda - Your Guide to Financial Wellness">
   <meta name="twitter:description"
     content="Explore a wealth of financial resources at FinVeda to enhance your financial literacy and investment skills.">
-  <link rel="stylesheet" href="https://unpkg.com/aos@next/dist/aos.css" />
   <link rel="manifest" href="/manifest.json">
   <link href="https://unpkg.com/aos@2.3.1/dist/aos.css" rel="stylesheet">
-  <link rel="stylesheet" href="https://unpkg.com/aos@next/dist/aos.css" />
   <!-- Structured Data -->
   <script type="application/ld+json">
     {
@@ -40,7 +36,7 @@
         "name": "FinVeda",
         "logo": {
           "@type": "ImageObject",
-          "url": "/assets/images/favicon2.webp"  // Replace with your logo URL
+          "url": "/assets/images/favicon2.webp"
         }
       }
     }
@@ -58,7 +54,7 @@
   <link rel="stylesheet" href="./assets/css/quiz.css" />
   <link rel="stylesheet" href="./assets/css/popup.css" />
   <link rel="stylesheet" href="./assets/css/cookiepopup.css">
-  <link rel="stylesheet" href="./assets\css\preloader.css" />
+  <link rel="stylesheet" href="./assets/css/preloader.css" />
   <link rel="stylesheet" href="./assets/css/faq.css">
   <link rel="stylesheet" href="./assets/css/index.css">
   <link rel="stylesheet" type="text/css" href="sipcalculatorCss.css">
@@ -1032,7 +1028,7 @@ <h2 class="head-animate" style="font-size: 90px;">
             style="visibility: visible; animation-duration: 1.3s; animation-delay: 1.4s;">
             <div class="anim" data-tilt="">
               <img src="assets/images/header-hero.webp" style="animation: float 1.5s ease-in-out infinite;"
-                data-tilt="" />
+                data-tilt="" alt="FinVeda financial platform illustration" />
             </div>
           </div>
         </div>
@@ -1271,7 +1267,7 @@ <h3 class="title" style="color: #2f6be5;">
             <!-- TradingView Widget BEGIN -->
             <div class="tradingview-widget-container" style="height: 372px;">
               <div id="tv-widget-container" data-aos="slide-left">
-                <img src="assets/images/finance.jpg">
+                <img src="assets/images/finance.jpg" alt="Finance overview" loading="lazy">
               </div>
 
 
@@ -1439,7 +1435,7 @@ <h3 class="title" style="color: #2f6be5;">
         </div>
         <div class="col-lg-6 order-lg-first" data-aos="slide-right">
           <div id="about-4-img">
-            <img src="assets/images/portfolio-optimize.png">
+            <img src="assets/images/portfolio-optimize.png" alt="Portfolio optimization chart" loading="lazy">
           </div>
         </div>
 
@@ -1507,10 +1503,10 @@ <h3 class="title" style="color:#2f6be5;">
       <div class="row">
         <div class="col-lg-6" data-aos="slide-right">
           <div class="video-content mt-50 wow fadeIn" data-wow-duration="1s" data-wow-delay="0.5s">
-            <img class="dots" src="assets/images/dots.svg" alt="dots" />
+            <img class="dots" src="assets/images/dots.svg" alt="" role="presentation" loading="lazy" />
             <div class="video-wrapper">
               <div class="video-image">
-                <img src="assets/images/video.webp" alt="video" />
+                <img src="assets/images/video.webp" alt="Investment video thumbnail" loading="lazy" />
               </div>
               <div class="video-icon">
                 <a href="https://www.youtube.com/watch?v=fUtDU0U7Zqw" class="video-popup"
@@ -1587,7 +1583,7 @@ <h3 class="title" style="color: #2f6be5;"><span>Meet Our</span> tech-savvy Team<
         <div class="col-lg-4 col-md-7 col-sm-8">
           <div class="single-team text-center mt-30 wow fadeIn" data-wow-duration="1s" data-wow-delay="0.2s">
             <div class="team-image">
-              <img class="images-team" src="assets/images/img-1.webp" alt="Team" />
+              <img class="images-team" src="assets/images/img-1.webp" alt="Manya Singh" loading="lazy" />
               <div class="social-pill">
                 <div class="left">
                   <a href="https://twitter.com/manyasingh297" title="X profile of Manya Singh"><i
@@ -1611,7 +1607,7 @@ <h3 class="holder-name"><a href="#">Manya Singh</a></h3>
         <div class="col-lg-4 col-md-7 col-sm-8">
           <div class="single-team text-center mt-30 wow fadeIn" data-wow-duration="1s" data-wow-delay="0.5s">
             <div class="team-image">
-              <img class="images-team" src="assets/images/img-2.webp" alt="Team" />
+              <img class="images-team" src="assets/images/img-2.webp" alt="Ayush Singh" loading="lazy" />
               <div class="social-pill">
                 <div class="left">
                   <a href="https://twitter.com/ayushdotpro" title="X profile of Ayush Singh"><i
@@ -1651,7 +1647,7 @@ <h3 class="holder-name"><a href="#">Ayush Singh</a></h3>
   <main class="forum-body">
     <main class="forum-main">
       <img src="assets/images/discuss.png" style="position: absolute;mix-blend-mode: multiply;left: 100px;"
-        alt="dicuss">
+        alt="Discussion forum illustration" loading="lazy">
       <section style="width: 1000px; height: 800px;" id="destinations" class="destinations">
         <h1 class="forum-title" style="color: white;"> Discussion Forum</h1>
         <div style="width: 800px; height: 600px;" class="post-container">
@@ -1766,7 +1762,7 @@ <h3 style="margin-top: 50px; margin-bottom: 10px;font-size:2.9rem;" class="title
   </div>
   <div style="margin-top: 0px;" class="slider">
     <div class="item">
-      <img src="https://i.pravatar.cc/250?u=user1@finveda.com" alt="Aditi Verma">
+      <img src="https://i.pravatar.cc/250?u=user1@finveda.com" alt="Aditi Verma" loading="lazy">
       <div class="stars">★★★★★</div>
       <p>"FinVeda is a revolutionary app that makes financial literacy accessible to everyone. The AI-powered consultant
         gave me personalized advice, and the finance tools helped me manage my budget more effectively. "</p>
@@ -1776,7 +1772,7 @@ <h2>- Aditi Verma</h2>
     </div>
 
     <div class="item">
-      <img src="https://i.pravatar.cc/250?u=user2@finveda.com" alt="Rohit Sharma">
+      <img src="https://i.pravatar.cc/250?u=user2@finveda.com" alt="Rohit Sharma" loading="lazy">
       <div class="stars">★★★★★</div>
       <p>"The quizzes and blogs on FinVeda are engaging and easy to understand. They’ve improved my financial literacy
         and taught me things I wish I'd known earlier. The market trends feature keeps me informed every day."</p>
@@ -1786,7 +1782,7 @@ <h2>- Rohit Sharma</h2>
     </div>
 
     <div class="item">
-      <img src="https://i.pravatar.cc/250?u=user3@finveda.com" alt="Priya Desai">
+      <img src="https://i.pravatar.cc/250?u=user3@finveda.com" alt="Priya Desai" loading="lazy">
       <div class="stars">★★★★</div>
       <p>"FinVeda has made learning finance approachable and fun. The AI-powered consultant provided real insights, and
         the finance tools have been invaluable in my journey towards financial independence. Highly recommended!"</p>
@@ -1796,7 +1792,7 @@ <h2>- Priya Desai</h2>
     </div>
 
     <div class="item">
-      <img src="https://i.pravatar.cc/250?u=user4@finveda.com" alt="Suresh Iyer">
+      <img src="https://i.pravatar.cc/250?u=user4@finveda.com" alt="Suresh Iyer" loading="lazy">
       <div class="stars">★★★★★</div>
       <p>"FinVeda’s platform has given me the confidence to manage my finances. The tools, blogs, and quizzes make
         complex concepts easy to grasp. It’s been a game-changer for my financial knowledge."</p>
@@ -1806,7 +1802,7 @@ <h2>- Suresh Iyer</h2>
     </div>
 
     <div class="item">
-      <img src="https://i.pravatar.cc/250?u=user5@finveda.com" alt="Anjali Mehta">
+      <img src="https://i.pravatar.cc/250?u=user5@finveda.com" alt="Anjali Mehta" loading="lazy">
       <div class="stars">★★★★★</div>
       <p>"The financial tools on FinVeda have helped me build a budget and stick to it. The AI consultant is a unique
         addition, providing insights that I never expected from an app. FinVeda truly empowers users!"</p>
@@ -1816,7 +1812,7 @@ <h2>- Anjali Mehta</h2>
     </div>
 
     <div class="item">
-      <img src="https://i.pravatar.cc/250?u=user6@finveda.com" alt="Rajesh Gupta">
+      <img src="https://i.pravatar.cc/250?u=user6@finveda.com" alt="Rajesh Gupta" loading="lazy">
       <div class="stars">★★★★</div>
       <p>"With FinVeda, I've gained a new level of control over my finances. The app is packed with useful features, and
         the financial blogs keep me updated on the latest trends in the market."</p>
@@ -1826,7 +1822,7 @@ <h2>- Rajesh Gupta</h2>
     </div>
 
     <div class="item">
-      <img src="https://i.pravatar.cc/250?u=user7@finveda.com" alt="Neha Singh">
+      <img src="https://i.pravatar.cc/250?u=user7@finveda.com" alt="Neha Singh" loading="lazy">
       <div class="stars">★★★★★</div>
       <p>"FinVeda’s blend of financial tools, quizzes, and AI-driven advice has made understanding finance easy and
         enjoyable. It’s the perfect app for anyone aiming to improve their financial literacy."</p>
diff --git a/news/backend/app.py b/news/backend/app.py
index 619e78f4..5c26da4c 100644
--- a/news/backend/app.py
+++ b/news/backend/app.py
@@ -1,3 +1,4 @@
+import os
 from flask import Flask, jsonify
 from news_api import get_curated_news_feed
 
@@ -10,4 +11,6 @@ def get_news_feed():
     return jsonify(news_feed)
 
 if __name__ == '__main__':
-    app.run(debug=True)
\ No newline at end of file
+    debug = os.environ.get('FLASK_DEBUG', 'false').lower() == 'true'
+    port = int(os.environ.get('PORT', 5001))
+    app.run(debug=debug, port=port)
diff --git a/server/app.js b/server/app.js
index 3c8f6e15..fa2a54fd 100644
--- a/server/app.js
+++ b/server/app.js
@@ -6,30 +6,70 @@ import contactRoutes from "./routes/contactRoutes.js";
 import newsletterRoutes from "./routes/newsletterRoutes.js";
 import feedbackRoutes from "./routes/feedbackRoutes.js";
 import addBlog from "./routes/addBlogRoutes.js";
-import path from "path"; // Import path module
-import { fileURLToPath } from "url"; // Import fileURLToPath
-
+import path from "path";
+import { fileURLToPath } from "url";
+import { rateLimiter } from "./middleware/rateLimiter.js";
 
 dotenv.config();
 const app = express();
 connectDB();
 
-app.use(express.json());
+// Body size limit to prevent large payload attacks
+app.use(express.json({ limit: "10kb" }));
+app.use(express.urlencoded({ extended: true, limit: "10kb" }));
+
+// CORS — restrict to known origins in production
+const allowedOrigins = process.env.ALLOWED_ORIGINS
+    ? process.env.ALLOWED_ORIGINS.split(",")
+    : ["http://localhost:5500", "http://127.0.0.1:5500"];
+
+app.use(
+    cors({
+        origin: (origin, callback) => {
+            // Allow requests with no origin (curl, Postman, same-origin)
+            if (!origin || allowedOrigins.includes(origin)) {
+                callback(null, true);
+            } else {
+                callback(new Error("Not allowed by CORS"));
+            }
+        },
+        methods: ["GET", "POST"],
+        allowedHeaders: ["Content-Type"],
+    })
+);
+
+// Basic security headers
+app.use((_req, res, next) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("X-XSS-Protection", "1; mode=block");
+    next();
+});
 
-// to avoid cross-origin error
-app.use(cors());
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
+// Serve uploaded files (static)
 app.use("/uploads", express.static(path.join(__dirname, "uploads")));
 
-// Serve static files from the uploads directory
-app.use("/api/contact", contactRoutes);
+// Apply rate limiting to all API routes
+app.use("/api", rateLimiter);
 
+app.use("/api/contact", contactRoutes);
 app.use("/api/feedback", feedbackRoutes);
 app.use("/api/addBlog", addBlog);
 app.use("/api/newsletter", newsletterRoutes);
 
+// 404 handler
+app.use((_req, res) => {
+    res.status(404).json({ message: "Route not found." });
+});
+
+// Global error handler
+app.use((err, _req, res, _next) => {
+    console.error("Unhandled error:", err);
+    res.status(500).json({ message: "An unexpected error occurred." });
+});
 
 const PORT = process.env.PORT || 5000;
 app.listen(PORT, () => {
diff --git a/server/controllers/addBlogController.js b/server/controllers/addBlogController.js
index 530c8361..eae906a5 100644
--- a/server/controllers/addBlogController.js
+++ b/server/controllers/addBlogController.js
@@ -2,84 +2,106 @@ import BlogPost from '../model/addBlog.js';
 import multer from 'multer';
 import path from 'path';
 
+const ALLOWED_MIME_TYPES = ["image/jpeg", "image/png", "image/webp", "image/gif"];
+const MAX_FILE_SIZE_BYTES = 5 * 1024 * 1024; // 5 MB
+const DEFAULT_PAGE_SIZE = 20;
 
-// Configure multer for file uploads
 const storage = multer.diskStorage({
-    destination: (req, file, cb) => {
-        cb(null, 'uploads/'); // Ensure this directory exists
+    destination: (_req, _file, cb) => {
+        cb(null, 'uploads/');
+    },
+    filename: (_req, file, cb) => {
+        const uniqueSuffix = Date.now() + '-' + Math.round(Math.random() * 1e9);
+        cb(null, uniqueSuffix + path.extname(file.originalname).toLowerCase());
     },
-    filename: (req, file, cb) => {
-        // Set the file name to be unique
-        const uniqueSuffix = Date.now() + '-' + Math.round(Math.random() * 1E9);
-        cb(null, uniqueSuffix + path.extname(file.originalname)); // Preserve the original file extension
-    }
 });
 
-const upload = multer({ storage: storage });
+function fileFilter(_req, file, cb) {
+    if (ALLOWED_MIME_TYPES.includes(file.mimetype)) {
+        cb(null, true);
+    } else {
+        cb(new Error("Only JPEG, PNG, WebP, and GIF images are allowed."), false);
+    }
+}
+
+const upload = multer({
+    storage,
+    fileFilter,
+    limits: { fileSize: MAX_FILE_SIZE_BYTES },
+});
 
-// Function to save a new blog post
 export async function saveBlog(req, res) {
     try {
-        const { title, excerpt, featuredImage } = req.body;
-
-        // If an image is uploaded, use its path
-        let imagePath = req.file ? req.file.path : null;
+        const { title, excerpt } = req.body;
 
-
-        // Check if required fields are provided
         if (!title || !excerpt) {
-            return res.status(400).json({ message: "All required fields must be filled out." });
+            return res.status(400).json({ message: "Title and excerpt are required." });
         }
 
-        // Create a new blog document
-        const newBlog = new BlogPost({
-            title,
-            excerpt,
-            featuredImage: imagePath // Use the determined image path
-        });
+        if (title.length > 200) {
+            return res.status(400).json({ message: "Title must be 200 characters or fewer." });
+        }
+        if (excerpt.length > 1000) {
+            return res.status(400).json({ message: "Excerpt must be 1000 characters or fewer." });
+        }
 
-        console.log(newBlog);
+        const imagePath = req.file ? req.file.path : null;
 
-        // Save the blog post to the database
+        const newBlog = new BlogPost({ title, excerpt, featuredImage: imagePath });
         await newBlog.save();
 
-        // Respond with success message
-        res.status(201).json({
-            message: "Blog post created successfully!",
-            data: newBlog
-        });
+        res.status(201).json({ message: "Blog post created successfully!", data: newBlog });
     } catch (error) {
         console.error("Error saving blog post:", error);
-        res.status(500).json({ message: "Failed to create blog post.", error });
+        res.status(500).json({ message: "Failed to create blog post." });
     }
 }
 
-
 export async function getAllBlog(req, res) {
     try {
-        const blogs = await BlogPost.find(); // Retrieve all blog posts
-        res.status(200).json(blogs); // Respond with the list of blog posts
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const limit = Math.min(100, Math.max(1, parseInt(req.query.limit) || DEFAULT_PAGE_SIZE));
+        const skip = (page - 1) * limit;
+
+        const [blogs, total] = await Promise.all([
+            BlogPost.find().sort({ createdAt: -1 }).skip(skip).limit(limit),
+            BlogPost.countDocuments(),
+        ]);
+
+        res.status(200).json({
+            data: blogs,
+            pagination: {
+                total,
+                page,
+                limit,
+                totalPages: Math.ceil(total / limit),
+            },
+        });
     } catch (error) {
         console.error("Error retrieving blog posts:", error);
-        res.status(500).json({ message: "Failed to retrieve blog posts.", error });
+        res.status(500).json({ message: "Failed to retrieve blog posts." });
     }
 }
 
-// Function to retrieve a specific blog post by ID
 export async function getBlog(req, res) {
     try {
         const { id } = req.params;
 
-        // Retrieve the specific blog post by ID
+        // Basic ObjectId format check to avoid unnecessary DB calls
+        if (!/^[a-f\d]{24}$/i.test(id)) {
+            return res.status(400).json({ message: "Invalid blog post ID." });
+        }
+
         const blog = await BlogPost.findById(id);
         if (!blog) {
             return res.status(404).json({ message: "Blog post not found." });
         }
-        return res.status(200).json(blog);
+
+        res.status(200).json(blog);
     } catch (error) {
         console.error("Error retrieving blog post:", error);
-        res.status(500).json({ message: "Failed to retrieve blog post.", error });
+        res.status(500).json({ message: "Failed to retrieve blog post." });
     }
 }
 
-export { upload };
\ No newline at end of file
+export { upload };
diff --git a/server/controllers/contactController.js b/server/controllers/contactController.js
index f7837732..ffcf02d5 100644
--- a/server/controllers/contactController.js
+++ b/server/controllers/contactController.js
@@ -1,31 +1,43 @@
 import Contact from "../model/contact.js";
 import { sendMailToAdmin } from "../utils/sendMail.js";
 
+const EMAIL_REGEX = /^\S+@\S+\.\S+$/;
+
 export async function saveContact(req, res) {
     try {
         const { name, email, subject, message } = req.body;
 
-        // Check if all fields are provided
         if (!name || !email || !subject || !message) {
             return res.status(400).json({ message: "All fields are required." });
         }
 
-        // Create new contact document
+        if (!EMAIL_REGEX.test(email)) {
+            return res.status(400).json({ message: "Please enter a valid email address." });
+        }
+
+        if (name.length > 100) {
+            return res.status(400).json({ message: "Name must be 100 characters or fewer." });
+        }
+        if (subject.length > 200) {
+            return res.status(400).json({ message: "Subject must be 200 characters or fewer." });
+        }
+        if (message.length > 2000) {
+            return res.status(400).json({ message: "Message must be 2000 characters or fewer." });
+        }
+
         const newContact = new Contact({ name, email, subject, message });
-        sendMailToAdmin(newContact)
-        // Save contact form data to the database
         await newContact.save();
 
-        // Respond with success message
-        res
-            .status(201)
-            .json({ message: "Contact form submitted successfully!", newContact });
+        // Send email asynchronously — don't block the response
+        sendMailToAdmin(newContact);
+
+        res.status(201).json({ message: "Contact form submitted successfully!" });
     } catch (error) {
         console.error("Error saving contact form:", error);
-        res.status(500).json({ message: "Failed to submit contact form.", error });
+        res.status(500).json({ message: "Failed to submit contact form." });
     }
 }
 
 export async function getContact(req, res) {
-    res.send('hello contact')
+    res.status(405).json({ message: "Method not allowed." });
 }
diff --git a/server/controllers/feedbackController.js b/server/controllers/feedbackController.js
index bb06bd65..d03854ae 100644
--- a/server/controllers/feedbackController.js
+++ b/server/controllers/feedbackController.js
@@ -1,36 +1,64 @@
 import Feedback from "../model/feedback.js";
 
+const EMAIL_REGEX = /^\S+@\S+\.\S+$/;
+const VALID_RATINGS = ["1", "2", "3", "4", "5"];
+const DEFAULT_PAGE_SIZE = 20;
+
 export async function saveFeedback(req, res) {
     try {
         const { name, email, rating, comments } = req.body;
 
-        // Check if all fields are provided
         if (!name || !email || !rating || !comments) {
             return res.status(400).json({ message: "All fields are required." });
         }
 
-        // Create new contact document
+        if (!EMAIL_REGEX.test(email)) {
+            return res.status(400).json({ message: "Please enter a valid email address." });
+        }
+
+        if (!VALID_RATINGS.includes(String(rating))) {
+            return res.status(400).json({ message: "Rating must be between 1 and 5." });
+        }
+
+        if (name.length > 100) {
+            return res.status(400).json({ message: "Name must be 100 characters or fewer." });
+        }
+        if (comments.length > 500) {
+            return res.status(400).json({ message: "Comments must be 500 characters or fewer." });
+        }
+
         const newFeedback = new Feedback({ name, email, rating, comments });
-        console.log(newFeedback)
-        // Save contact form data to the database
         await newFeedback.save();
 
-        // Respond with success message
-        res
-            .status(201)
-            .json({ message: "Feedback form submitted successfully!", newFeedback });
+        res.status(201).json({ message: "Feedback submitted successfully!" });
     } catch (error) {
-        console.error("Error saving feedback form:", error);
-        res.status(500).json({ message: "Failed to submit feedback form.", error });
+        console.error("Error saving feedback:", error);
+        res.status(500).json({ message: "Failed to submit feedback." });
     }
 }
 
 export const getAllFeedback = async (req, res) => {
     try {
-        const feedbackList = await Feedback.find().sort({ createdAt: -1 }); // Sort by created date
-        res.status(200).json(feedbackList); // Respond with feedback list
+        const page = Math.max(1, parseInt(req.query.page) || 1);
+        const limit = Math.min(100, Math.max(1, parseInt(req.query.limit) || DEFAULT_PAGE_SIZE));
+        const skip = (page - 1) * limit;
+
+        const [feedbackList, total] = await Promise.all([
+            Feedback.find().sort({ createdAt: -1 }).skip(skip).limit(limit),
+            Feedback.countDocuments(),
+        ]);
+
+        res.status(200).json({
+            data: feedbackList,
+            pagination: {
+                total,
+                page,
+                limit,
+                totalPages: Math.ceil(total / limit),
+            },
+        });
     } catch (error) {
-        console.error('Error fetching feedback:', error);
-        res.status(500).json({ message: 'Server error', error: error.message }); // Handle errors
+        console.error("Error fetching feedback:", error);
+        res.status(500).json({ message: "Failed to retrieve feedback." });
     }
 };
diff --git a/server/controllers/newsletterController.js b/server/controllers/newsletterController.js
index f5faef26..438df03c 100644
--- a/server/controllers/newsletterController.js
+++ b/server/controllers/newsletterController.js
@@ -1,27 +1,42 @@
 import NewsLetter from "../model/Newsletter.js";
 import { sendMailToSubscriber } from "../utils/sendNewsletter.js";
 
+const EMAIL_REGEX = /^\S+@\S+\.\S+$/;
+
 export async function saveNewsletter(req, res) {
     try {
         const { name, email } = req.body;
 
         if (!name || !email) {
-            return res.status(400).json({ message: "All fields are required." });
+            return res.status(400).json({ message: "Name and email are required." });
+        }
+
+        if (!EMAIL_REGEX.test(email)) {
+            return res.status(400).json({ message: "Please enter a valid email address." });
+        }
+
+        if (name.length > 100) {
+            return res.status(400).json({ message: "Name must be 100 characters or fewer." });
+        }
+
+        const existing = await NewsLetter.findOne({ email: email.toLowerCase().trim() });
+        if (existing) {
+            return res.status(409).json({ message: "This email is already subscribed." });
         }
 
-        // Create new contact document
         const newNewsLetter = new NewsLetter({ name, email });
-        sendMailToSubscriber(newNewsLetter)
         await newNewsLetter.save();
-        res
-            .status(201)
-            .json({ message: "Contact form submitted successfully!", newNewsLetter });
+
+        // Send welcome email asynchronously — don't block the response
+        sendMailToSubscriber(newNewsLetter);
+
+        res.status(201).json({ message: "Successfully subscribed to the newsletter!" });
     } catch (error) {
-        console.error("Error saving contact form:", error);
-        res.status(500).json({ message: "Failed to submit contact form.", error });
+        console.error("Error saving newsletter subscription:", error);
+        res.status(500).json({ message: "Failed to subscribe. Please try again later." });
     }
 }
 
 export async function getNewsletter(req, res) {
-    res.send('hello newsletter')
+    res.status(405).json({ message: "Method not allowed." });
 }
diff --git a/server/middleware/rateLimiter.js b/server/middleware/rateLimiter.js
new file mode 100644
index 00000000..a3e59d72
--- /dev/null
+++ b/server/middleware/rateLimiter.js
@@ -0,0 +1,46 @@
+/**
+ * Simple in-memory rate limiter middleware.
+ * Limits each IP to MAX_REQUESTS requests per WINDOW_MS milliseconds.
+ * Does not require external packages.
+ */
+
+const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
+const MAX_REQUESTS = 100;
+
+// Map of IP -> { count, resetTime }
+const requestCounts = new Map();
+
+// Periodically clean up expired entries to prevent memory leaks
+setInterval(() => {
+    const now = Date.now();
+    for (const [ip, data] of requestCounts.entries()) {
+        if (now > data.resetTime) {
+            requestCounts.delete(ip);
+        }
+    }
+}, WINDOW_MS);
+
+export function rateLimiter(req, res, next) {
+    const ip =
+        req.headers["x-forwarded-for"]?.split(",")[0].trim() ||
+        req.socket.remoteAddress ||
+        "unknown";
+
+    const now = Date.now();
+    const entry = requestCounts.get(ip);
+
+    if (!entry || now > entry.resetTime) {
+        requestCounts.set(ip, { count: 1, resetTime: now + WINDOW_MS });
+        return next();
+    }
+
+    if (entry.count >= MAX_REQUESTS) {
+        res.setHeader("Retry-After", Math.ceil((entry.resetTime - now) / 1000));
+        return res.status(429).json({
+            message: "Too many requests. Please try again later.",
+        });
+    }
+
+    entry.count += 1;
+    next();
+}
diff --git a/server/model/Newsletter.js b/server/model/Newsletter.js
index 6614db65..3031974c 100644
--- a/server/model/Newsletter.js
+++ b/server/model/Newsletter.js
@@ -4,18 +4,21 @@ const newsletterSchema = new mongoose.Schema({
     name: {
         type: String,
         required: true,
-        trim: true
+        trim: true,
+        maxlength: 100,
     },
     email: {
         type: String,
         required: true,
         trim: true,
-        match: [/^\S+@\S+\.\S+$/, "Please enter a valid email address"]
+        lowercase: true,
+        unique: true,
+        match: [/^\S+@\S+\.\S+$/, "Please enter a valid email address"],
     },
     subscribedAt: {
         type: Date,
-        default: Date.now
-    }
+        default: Date.now,
+    },
 });
 
 const Newsletter = mongoose.model("Newsletter", newsletterSchema);
diff --git a/server/model/addBlog.js b/server/model/addBlog.js
index a499dbfb..27cdc005 100644
--- a/server/model/addBlog.js
+++ b/server/model/addBlog.js
@@ -4,33 +4,34 @@ const blogPostSchema = new mongoose.Schema({
     title: {
         type: String,
         required: true,
-        trim: true
+        trim: true,
+        maxlength: 200,
     },
     excerpt: {
         type: String,
         required: true,
-        trim: true
+        trim: true,
+        maxlength: 1000,
     },
     featuredImage: {
         type: String,
-        default: null
+        default: null,
     },
     createdAt: {
         type: Date,
-        default: Date.now
+        default: Date.now,
     },
     updatedAt: {
         type: Date,
-        default: Date.now
-    }
+        default: Date.now,
+    },
 });
 
-// Add a pre-save hook to update the `updatedAt` field
-blogPostSchema.pre('save', function (next) {
+blogPostSchema.pre("save", function (next) {
     this.updatedAt = Date.now();
     next();
 });
 
-const BlogPost = mongoose.model('BlogPost', blogPostSchema);
+const BlogPost = mongoose.model("BlogPost", blogPostSchema);
 
 export default BlogPost;
diff --git a/server/model/contact.js b/server/model/contact.js
index 7d579052..02061e26 100644
--- a/server/model/contact.js
+++ b/server/model/contact.js
@@ -4,28 +4,32 @@ const contactSchema = new mongoose.Schema({
     name: {
         type: String,
         required: true,
-        trim: true
+        trim: true,
+        maxlength: 100,
     },
     email: {
         type: String,
         required: true,
         trim: true,
-        match: [/^\S+@\S+\.\S+$/, "Please enter a valid email address"]
+        lowercase: true,
+        match: [/^\S+@\S+\.\S+$/, "Please enter a valid email address"],
     },
     subject: {
         type: String,
         required: true,
-        trim: true
+        trim: true,
+        maxlength: 200,
     },
     message: {
         type: String,
         required: true,
-        trim: true
+        trim: true,
+        maxlength: 2000,
     },
     createdAt: {
         type: Date,
-        default: Date.now
-    }
+        default: Date.now,
+    },
 });
 
 const Contact = mongoose.model("Contact", contactSchema);