Looking for security / performance experts
#4

Hello,


To solve issue number 1, what you need is to lock the CSRF token and ignore any subsequent request, maybe using a database transaction.
Atomicity and ACID.

I notice someone proposed to use JavaScript to block the user input while the request fulfills.
This is only good for making the UI user friendly, e.g. preventing someone from accidentally clicking twice and getting a nasty error, thus downgrading the user experience.

The front end is always unreliable, and you must think that if you don't handle issues like this in the backend, the user will find your exploit and use it against you.

For number 2, I'm not a CodeIgniter developer, but I believe that in order to have a secure CodeIgniter app, all you need to do is follow their guidelines: CodeIgniter Guidelines

On a side note, I can give you these tips:
For security:
1.-I don't know if CodeIgniter deals with user registration / login for you. Just make sure you do not store user passwords in clear text. Always use a key derivation function (PKCS5) such as scrypt or bcrypt
2.-Use a firewall on your server and router, and close unnecessary open ports
3.-Always use HTTPS; you can get free certificates signed by Let's Encrypt
4.-Do not allow root login remotely
5.-Use an ssh-rsa key for login
6.-Protect your certificates

For performance:
1.-Cache static content (you can also use a CDN to offload your server)


Sorry, I don't know CI, hope I helped a little
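The "lock the token, ignore any subsequent request, do it in a transaction" approach from this post, as an added example that is not code from the post or from CodeIgniter. It is written in Python with SQLite rather than CI's PHP query builder, but the pattern carries over directly: a single `UPDATE ... WHERE used = 0` inside a write transaction is what makes every submit after the first lose, no matter how fast the clicks arrive. The `form_tokens` and `orders` tables and the `simulate_double_submit` scenario are assumptions for this example.

```python
import os, secrets, sqlite3, tempfile, threading

def connect(path):
    # isolation_level=None: we issue BEGIN/COMMIT ourselves; timeout: a second writer waits for the lock instead of failing
    return sqlite3.connect(path, timeout=5, isolation_level=None)

def init_db(conn):
    conn.executescript("""CREATE TABLE IF NOT EXISTS form_tokens (token TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY AUTOINCREMENT, token TEXT NOT NULL);""")

def issue_token(conn):
    token = secrets.token_hex(16)  # per-form one-time token, embedded in the rendered form
    conn.execute("INSERT INTO form_tokens (token, used) VALUES (?, 0)", (token,))
    return token

def submit_order(conn, token):
    """Consume the token and record the order in ONE transaction; only the first submit flips used 0->1."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock first so two submits cannot interleave
    try:
        cur = conn.execute("UPDATE form_tokens SET used = 1 WHERE token = ? AND used = 0", (token,))
        if cur.rowcount != 1:  # unknown or already-consumed token: ignore the request
            conn.execute("ROLLBACK")
            return False
        conn.execute("INSERT INTO orders (token) VALUES (?)", (token,))
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:
        conn.execute("ROLLBACK")
        raise

def simulate_double_submit(n_clicks=8):
    """Constructed scenario: n_clicks threads submit the same token at once; returns (accepted, orders_in_db)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shop.db")
        db = connect(path)
        init_db(db)
        token = issue_token(db)
        results = []
        def click():  # each "click" is its own request with its own connection
            c = connect(path)
            results.append(submit_order(c, token))
            c.close()
        threads = [threading.Thread(target=click) for _ in range(n_clicks)]
        for t in threads: t.start()
        for t in threads: t.join()
        orders = db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
        db.close()
        return sum(results), orders
```

A front-end disable-the-button script can still sit on top of this for usability; the database check is what actually guarantees one order per token.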


Messages In This Thread
RE: Looking for security / performance experts - by j11 - 11-28-2016, 03:56 PM