1.
I struggled a bit with the argon. I was adding a user and password manually in my SQL script, and it took me a while to debug why my login wasn't working, because my manually added account didn't have the hashed password.
2.
I didn't really have any issues with the front end for auth.
1.
I struggled with because my site wasn't loading. I had to add both IPv4 and IPv6, and that took me a while to figure out.
1.
My app is not vulnerable to stored XSS in normal usage because the UI is built with React, and React escapes user-provided strings by default when rendering.
2.
My app mitigates CSRF by using HttpOnly, Secure, SameSite cookies for authentication.
3.
I did not get to this, unfortunately; the deploy took way longer than expected.
4.
Same as above.
5.
I didn't do anything else additional to secure my app.