The question may be trivial, but when you bring up a server from scratch, especially with settings like CSRF protection disabled, the security and stability of the application remain in question... Are there any security certificates you can check your project against and sleep soundly?
As I understand it, CSRF is regulated by the Same-origin policy. Everything else depends on the implementation of the controllers written by the programmer. Problems with AJAX requests can only occur if the controller does not correctly handle arbitrary requests to the application.
As for the server, I am concerned about the default username on the Linux system... Otherwise, I don't see any problems so far in my first experience. I may be mistaken in some aspects, so I would appreciate criticism and an evaluation from professionals.
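An added example, not code from the post's author or from any framework, of the check a controller needs once the built-in CSRF protection is switched off. The point it demonstrates: the Same-origin policy stops a foreign page from reading the response of a cross-site request, but the browser still sends the victim's session cookie with a cross-site form POST, so the server itself must distinguish a request that originated from its own pages from one that did not. The block implements the synchronizer-token pattern (one random token per session, echoed back in every state-changing request, compared in constant time) with an Origin/Referer check as defence in depth. The in-memory session store, the `APP_ORIGIN` value, the header and form dictionaries and the `handle_request` function are all constructed for the example; a real application would hook the same logic into its framework's request pipeline.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS: Dict[str, dict] = {}

# Methods that must never change state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Hypothetical origin of the deployed application (assumption for the example).
APP_ORIGIN = "https://app.example"


def new_session() -> str:
    """Create a session with an unguessable id and return the id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Synchronizer-token pattern: one random token per session, to be embedded
    in every form (hidden field) or sent by same-origin JavaScript in a header."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def verify_csrf_token(sid: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session's token.
    Missing session, missing stored token or missing submitted token all fail."""
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: a state-changing request must carry an Origin (or, for
    older browsers, a Referer) that points at our own site. Neither header
    present is treated as a failure, because ordinary browser form submissions
    always carry at least one of them."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(APP_ORIGIN + "/")
    return False


def handle_request(method: str, headers: dict, cookies: dict, form: dict) -> Tuple[int, str]:
    """Hypothetical controller entry point: (status code, message)."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no session"
    if method in SAFE_METHODS:
        return 200, "ok"
    if not origin_allowed(headers):
        return 403, "request did not originate from this site"
    if not verify_csrf_token(sid, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "state changed"


def demo() -> Dict[str, Tuple[int, str]]:
    """Run four constructed requests against one session and return the outcomes."""
    sid = new_session()
    token = issue_csrf_token(sid)
    # The browser attaches the session cookie to every request, including a
    # form POST that another site triggers. The cookie alone proves nothing.
    cookies = {"session": sid}
    return {
        # Request from our own page: correct Origin and the session's token.
        "legit": handle_request("POST", {"Origin": APP_ORIGIN}, cookies,
                                {"csrf_token": token, "amount": "10"}),
        # Form POST triggered from a page on another site: cookie present, no token,
        # foreign Origin. Rejected before the token is even looked at.
        "cross_site": handle_request("POST", {"Origin": "https://other-site.example"},
                                     cookies, {"amount": "10"}),
        # Same-origin request that forgot the token (e.g. a form missing the hidden field).
        "same_origin_no_token": handle_request("POST", {"Origin": APP_ORIGIN}, cookies,
                                               {"amount": "10"}),
        # Read-only request needs no token at all.
        "read_only": handle_request("GET", {}, cookies, {}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The session token is generated once per session rather than per request, which keeps multi-tab use working; rotating it on login is enough to prevent reuse of a token issued before authentication. `hmac.compare_digest` is used so that the comparison does not leak how many leading characters matched.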