This week was spent testing the secure production options for the application.
The Strapi.io framework has a way to toggle on and off security options such as CSRF, P3P, HSTS, XFRAME, etc. I toggled almost all the sensible options to see if that would break the application.
Unsurprisingly, it did. One of the issues is with the CSRF token: I can't seem to get a token from the API server, which subsequently causes the request to fail as no token was received. I need to investigate this matter further.