diff --git a/app/routes/contributions.js b/app/routes/contributions.js
index 7f68170b9..ead0071e1 100644
--- a/app/routes/contributions.js
+++ b/app/routes/contributions.js
@@ -29,9 +29,9 @@ function ContributionsHandler(db) {
 
         /*jslint evil: true */
         // Insecure use of eval() to parse inputs
-        const preTax = eval(req.body.preTax);
-        const afterTax = eval(req.body.afterTax);
-        const roth = eval(req.body.roth);
+        const preTax = parseFloat(req.body.preTax);
+        const afterTax = parseFloat(req.body.afterTax);
+        const roth = parseFloat(req.body.roth);
 
         /*
         //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval
diff --git a/app/routes/index.js b/app/routes/index.js
index a9e55426b..cf2c312cf 100644
--- a/app/routes/index.js
+++ b/app/routes/index.js
@@ -68,8 +68,14 @@ const index = (app, db) => {
 
     // Handle redirect for learning resources link
     app.get("/learn", isLoggedIn, (req, res) => {
-        // Insecure way to handle redirects by taking redirect url from query string
-        return res.redirect(req.query.url);
+        // Securely handle redirects by using an allow-list of trusted URLs
+        const allowedUrls = ["https://trustedsite.com/resource1", "https://trustedsite.com/resource2"];
+        const redirectUrl = req.query.url;
+        if (allowedUrls.includes(redirectUrl)) {
+            return res.redirect(redirectUrl);
+        } else {
+            return res.status(400).send("Invalid redirect URL");
+        }
     });
 
     // Research Page
diff --git a/server.js b/server.js
index d6bb500a2..567e47395 100644
--- a/server.js
+++ b/server.js
@@ -82,22 +82,20 @@ MongoClient.connect(db, (err, db) => {
         secret: cookieSecret,
         // Both mandatory in Express v4
         saveUninitialized: true,
-        resave: true
-        /*
+        resave: true,
         // Fix for A5 - Security MisConfig
         // Use generic cookie name
         key: "sessionId",
-        */
 
-        /*
         // Fix for A3 - XSS
         // TODO: Add "maxAge"
         cookie: {
-            httpOnly: true
-            // Remember to start an HTTPS server to get this working
-            // secure: true
+            httpOnly: true,
+            secure: true, // Remember to start an HTTPS server to get this working
+            domain: 'example.com', // Set your domain
+            path: '/',
+            expires: new Date(Date.now() + 60 * 60 * 1000) // 1 hour
         }
-        */
 
     }));