diff --git a/app.js b/app.js
index 75b36b6..5e92754 100644
--- a/app.js
+++ b/app.js
@@ -5,6 +5,8 @@ and send out links to your friends.
 var sys = require("sys");
 var express = require("express");
+var helmet = require("helmet");
+var rateLimit = require("express-rate-limit");
 var app = express.createServer();
 // Configuration
@@ -15,6 +17,16 @@ app.use(express.bodyParser());
 app.set("view engine", "ejs");
 app.set("view options", { layout: false });
+// Disable X-Powered-By header
+app.use(helmet.hidePoweredBy());
+
+// Rate limiting middleware
+const limiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100 // limit each IP to 100 requests per windowMs
+});
+app.use(limiter);
+
 // Routes
 app.get("/", function(req, res) {
 var xsrf = generateId();
@@ -30,6 +42,8 @@ app.post("/room", function(req, res) {
 if (!xsrf || !matchXsrf || !(xsrf == matchXsrf))
 return res.send({ error: "Unauthorized"}, 403);
 var name = req.body.name;
+ if (typeof name !== 'string') // Type checking
+ return res.send({ error: "Invalid name type."}, 400);
 res.header('content-type', 'application/json');
 name = name.replace(/^\s+|\s+$/, "");
 if (!name || name.length < 4 || name.replace(/^[\w\s]+$/, "") != "")
diff --git a/public/static/js/create.js b/public/static/js/create.js
index 3624ac8..3821261 100644
--- a/public/static/js/create.js
+++ b/public/static/js/create.js
@@ -22,7 +22,12 @@ Create = {
 },
 success: function(data) {
- window.location.href = data.url;
+ var url = data.url;
+ if (url && url.startsWith('/')) { // Ensure the URL is relative
+ window.location.href = url;
+ } else {
+ alert("Invalid redirect URL");
+ }
 },
 error: function(data) {
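Review bot: The limiter is registered after `express.bodyParser()` (visible in the hunk header), so a rate-limited client still has its request body parsed before the request is rejected; registering `app.use(limiter);` ahead of the body parser makes the limit cheaper to enforce. express-rate-limit keys on the client address, so if this app sits behind a reverse proxy every request will appear to come from the proxy unless trust proxy is configured for the deployment — worth verifying. `express.createServer()` indicates a legacy Express API, while current helmet and express-rate-limit releases target newer Express versions; confirm that the installed versions actually run against this app. The new `const limiter` also departs from the file's `var` style; `var limiter = rateLimit({` would match its surroundings.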
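Review bot: The new type check rejects non-strings but leaves the length unbounded, so an arbitrarily long `name` still flows into the two regex replaces that follow; a cap such as `if (typeof name !== 'string' || name.length > 64) // 64 is a placeholder limit to tune` stops oversized input before the rest of the handler touches it. The 400 is returned before `res.header('content-type', ...)` is set, which matches the existing 403 above, so both error bodies rely on `res.send` choosing the content type for an object argument. The enclosing `app.post("/room", ...)` handler continues beyond the hunk.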
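Review bot: `url.startsWith('/')` still accepts protocol-relative values (a second leading slash), which browsers resolve against another host, so the check does not yet confine the redirect to this site; also reject a second leading slash or backslash, e.g. `if (url && /^\/(?![\/\\])/.test(url)) { // same-origin path only`. `String.prototype.startsWith` is missing in older browsers that the surrounding `var`-style code may still target — confirm the supported browser set or use `url.charAt(0) === '/'`. `alert(...)` as the failure path blocks the page; a message rendered into the form, like the `error` callback presumably does, would be more consistent with the AJAX flow. The `success` callback sits inside the `Create` object whose definition continues outside the hunk.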