The routes should be the protection for the servers and data.
To add, seniors would recommend:
- HTTPS-only connections
- validate the inputs. ALWAYS.
- enforce strong passwords
- use CORS if your API is to be used internally only
- fail fast. Return the correct HTTP status code
- expire sessions and tokens.
- limit the number of requests for a given period per ACCOUNT (rate limiting)
- reduce third-party dependencies as much as possible and stick to reputable ones.
- test your error handling. Bad error handling can crash or slow down your servers
- log and monitor
- auto scale to handle more traffic
When unsure or inexperienced, don't handle it yourself. Use SaaS solutions known for their strong security measures.