diff --git a/src/routes.js b/src/routes.js
index de82ea4..1e5893d 100644
--- a/src/routes.js
+++ b/src/routes.js
@@ -3,6 +3,14 @@
 var util = require('util');
 var _ = require('lodash');
 var models = require('./models');
+var rateLimit = require('express-rate-limit');
+
+// Rate limiter middleware
+const createAccountLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // limit each IP to 100 requests per windowMs
+ message: "Too many accounts created from this IP, please try again after 15 minutes"
+});
 
 /*
 * GET playnow.
@@ -104,7 +112,7 @@ exports.signup = function(req, res) {
 * POST create-account.
 */
 
-exports.createAccount = function(req, res) {
+exports.createAccount = [createAccountLimiter, function(req, res) {
 var reportError = function(msg) {
 req.flash('error', msg);
 return res.redirect('/signup');
@@ -112,6 +120,10 @@ exports.createAccount = function(req, res) {
 var username = req.body.username,
 password = req.body.password;
 
+ if (typeof username !== 'string' || typeof password !== 'string') {
+ return reportError('Invalid input type.');
+ }
+
 if (!username || !password) {
 return reportError('Both username and password are required.');
 } else if (username.length < 2 || username.length > 32) {
@@ -137,7 +149,7 @@ exports.createAccount = function(req, res) {
 return reportError('That username is already in use.');
 }
 });
-};
+}];
 
 /*
 * GET admin page.
diff --git a/src/server.js b/src/server.js
index 4b98537..4793a6b 100755
--- a/src/server.js
+++ b/src/server.js
@@ -3,7 +3,7 @@
 var express = require('express');
 var io = require('socket.io');
-var http = require('http');
+var https = require('https'); // Changed from http to https
 var helmet = require('helmet');
 var path = require('path');
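Review bot: `max: 100` per 15-minute window is a lenient ceiling for an account-creation route — it still allows on the order of a hundred registrations per client address per window, so consider a much smaller value such as `max: 10, // limit each IP to 10 signup attempts per windowMs` (sample value; pick one from real signup traffic). The limiter keys on the client IP, so if this app sits behind a reverse proxy Express needs `trust proxy` configured, otherwise all clients share the proxy's address and the limit becomes global; whether a proxy is in use is not visible in this diff. `express-rate-limit` is a new dependency and no package.json change appears on this page, so confirm it was added. Minor style: the file declares with `var` and the new `const` sits directly among those `var` lines.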
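Review bot: Turning `exports.createAccount` into an array changes the export from a function into a handler chain; Express accepts that in `app.post(...)`, but anything that calls `routes.createAccount(req, res)` directly (a test, or another route delegating to it) would now fail with a "not a function" error. The route registration is outside this diff, so confirm every consumer hands the export to Express rather than invoking it. A one-line comment above the export, `// [limiter, handler]: Express runs the array in order`, would make the shape obvious to the next reader. The handler body continues past the end of this hunk.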
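Review bot: The new typeof guard runs before the `!username || !password` check, so a request missing either field entirely (`undefined`) now gets 'Invalid input type.' and the 'Both username and password are required.' branch is reachable only for empty strings. If the required-fields message is meant for absent fields, test for them first, e.g. `if (username == null || password == null) { return reportError('Both username and password are required.'); }` ahead of the typeof check, or word the type-check message so it covers both cases. The guard itself is sound: it keeps non-string bodies (objects, arrays) away from the `.length` checks and from whatever lookup on `models` follows, which this hunk does not show. The enclosing handler starts and ends outside this hunk.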
@@ -59,7 +59,7 @@ var SwiftCODE = function() {
 * Listen on the configured port and IP
 */
 self.listen = function() {
- self.server = http.createServer(self.app);
+ self.server = https.createServer(self.app); // Changed from http.createServer to https.createServer
 
 // Socket.IO server needs to listen in the same block as the HTTP
 // server, or you'll get listen EACCES errors (due to Node's context
@@ -181,7 +181,8 @@ var SwiftCODE = function() {
 store: self.sessionstore,
 secret: self.config.sessionSecret,
 cookie: {
- maxAge: 60 * 60 * 1000 // 1 hour
+ maxAge: 60 * 60 * 1000, // 1 hour
+ secure: true // Added secure attribute to cookies
 }
 }));
 self.app.use(flash());
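Review bot: `https.createServer(self.app)` passes no TLS options, so no private key or certificate is configured; Node's `https.createServer(options, listener)` needs `key` and `cert` (or an equivalent credential option) and without them clients cannot complete the TLS handshake, leaving the server unreachable after this change. Read the credentials from configuration, alongside `self.config.sessionSecret` in the later hunk, and pass them as the first argument: `self.server = https.createServer({ key: <TLS_KEY_PEM>, cert: <TLS_CERT_PEM> }, self.app);` (placeholders — where those values come from is not shown on this page). The trailing `// Changed from http.createServer to https.createServer` comment records the edit rather than explaining the code and belongs in the commit message; the same goes for `// Changed from http to https` on the require line in the first server.js hunk. `self.listen` continues beyond this hunk.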
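Review bot: `secure: true` is honoured by express-session only when it considers the request secure (`req.secure`, or `trust proxy` set when a proxy terminates TLS); otherwise the Set-Cookie is skipped and every request starts a new session, which shows up as a login that never sticks. That works only if the https server from the earlier hunk actually carries a working certificate, and if TLS is terminated at a proxy the app additionally needs `self.app.set('trust proxy', 1)` — neither is visible on this page. While the cookie options are open, `sameSite: 'lax'` is a cheap companion: `cookie: { maxAge: 60 * 60 * 1000, secure: true, sameSite: 'lax' }` (express-session already defaults `httpOnly` to true). The comment `// Added secure attribute to cookies` restates the diff; `// never send the session id over plain HTTP` says why.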