Got it. Just please please please sanitize user input server side (relay side). Client side user sanitization is only a courtesy since I can run a custom client that doesn't have it.
Since you're working in the browser, look through all the CVEs for the different browsers. People can make JavaScript- or CSS-based keyloggers or a JavaScript-based reverse TCP shell, for example.
Then I'd recommend learning how to use Snort so you can monitor your traffic for suspicious connections...
Okay maybe that part was relevant to the devops side lol.