# Module 9: Full-Stack Integration, State Management & Web Security

### Objectives
- Integrate frontend and backend systems seamlessly.
- Understand client/server communication models.
- Learn about state management in single-page apps.
- Apply essential security practices in full-stack applications.

---

### Full-Stack Integration

A web app is not just a UI or a backend server—it's the synergy of both. In full-stack development, the frontend (React, Vue, etc.) communicates with the backend (Node.js, Django, etc.) through APIs. These APIs are the glue that binds both layers.

**RESTful APIs**: Most common architecture style for web apps. Endpoints typically follow a noun-based convention:

```http
GET /api/users → Get all users
POST /api/users → Create a user
GET /api/users/:id → Get one user
```

**GraphQL** is another approach where the client defines the shape of the data returned. Ideal for optimizing payloads.

**Middleware Integration**: When building scalable backends, middleware helps manage CORS, cookies, authentication, and error handling.

```javascript
app.use(cors());
app.use(express.json());
app.use('/api', router);
```

### State Management

As apps grow in complexity, managing the state becomes harder. State is everything your app knows at a given point—user info, shopping cart, active view, etc.

**Local State**: Stored in component memory (e.g. `useState` in React).

**Global State**: Shared across multiple components. Libraries:
- **Redux**: Predictable state container.
- **Context API**: Built-in React tool for lightweight state management.
- **Zustand, Recoil, MobX**: Simpler or more scalable alternatives.

**Persistent State**: Stored across sessions.
- `localStorage` and `sessionStorage` on the client.
- JWT tokens or sessions on the server.

### Web Security Fundamentals
Security is not optional. Real-world engineering requires an understanding of the most common vulnerabilities and how to prevent them.

**OWASP Top 5 You Must Know**:
1. **Injection (SQL, NoSQL, Command)** – Always sanitize user input.
2. **Broken Authentication** – Use robust libraries like Passport.js, bcrypt for password hashing.
3. **XSS (Cross-Site Scripting)** – Escape output on the frontend. Use CSP headers.
4. **CSRF (Cross-Site Request Forgery)** – Use anti-CSRF tokens.
5. **Insecure Deserialization** – Validate and sanitize JSON inputs.

**Security Headers** (Helmet for Express):
```javascript
const helmet = require('helmet');
app.use(helmet());
```

**Environment Variables** (Protect API keys):
```bash
touch .env
```
```env
DB_PASSWORD=supersecret
```
```javascript
require('dotenv').config();
```

### Practical Integration
- Use React to make authenticated API calls to Node.js server.
- Store JWT in cookies or localStorage securely.
- Protect routes both client-side (with guards) and server-side (with middleware).
- Deploy with HTTPS, avoid mixed content issues.

### Summary
Full-stack integration goes beyond connecting buttons to servers. It involves secure, state-aware, well-structured pipelines from frontend interaction to backend processing and data persistence. As you master these, you prepare yourself for real-world engineering teams that expect security, efficiency, and reliability from every component. Next: your final Capstone Project to apply all these skills.