diff --git a/app/Http/Controllers/Api/MeetupController.php b/app/Http/Controllers/Api/MeetupController.php
index d29dc31..be21a90 100644
--- a/app/Http/Controllers/Api/MeetupController.php
+++ b/app/Http/Controllers/Api/MeetupController.php
@@ -4,7 +4,6 @@ namespace App\Http\Controllers\Api;
 use App\Http\Controllers\Controller;
 use App\Models\Meetup;
-use App\Models\User;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Http\Request;
@@ -17,14 +16,10 @@ class MeetupController extends Controller
     public function index(Request $request)
     {
-        if (!is_numeric($request->input('user_id'))) {
-            abort(404);
-        }
+        $user = $request->user();
+        abort_unless($user, 401);
-        $myMeetupIds = User::query()
-            ->findOrFail($request->input('user_id'))
-            ?->meetups
-            ->pluck('id');
+        $myMeetupIds = $user->meetups->pluck('id');
         return Meetup::query()
             ->select('id', 'name', 'city_id', 'slug')
diff --git a/app/Http/Controllers/ImageController.php b/app/Http/Controllers/ImageController.php
index 9d7f400..fb25944 100644
--- a/app/Http/Controllers/ImageController.php
+++ b/app/Http/Controllers/ImageController.php
@@ -12,6 +12,8 @@ class ImageController extends Controller
 {
     public function __invoke(Request $request, $path)
     {
+        abort_if(str_contains($path, '..'), 404);
+
         $source = new \League\Flysystem\Filesystem(
             new \League\Flysystem\Local\LocalFilesystemAdapter(storage_path('app'))
         );
diff --git a/app/Models/Course.php b/app/Models/Course.php
index 6e0c04d..d36b191 100644
--- a/app/Models/Course.php
+++ b/app/Models/Course.php
@@ -20,11 +20,13 @@ class Course extends Model implements HasMedia
     use InteractsWithMedia;
     /**
-     * The attributes that aren't mass assignable.
-     *
-     * @var array
+     * @var array
      */
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'lecturer_id',
+        'description',
+    ];
     /**
      * The attributes that should be cast to native types.
diff --git a/app/Models/Lecturer.php b/app/Models/Lecturer.php
index 94218ce..cd21e9d 100644
--- a/app/Models/Lecturer.php
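Review bot: `$request->user()` in index() resolves through the default guard, and the routes/api.php hunk in this same commit shows the API group carrying only `throttle:60,1` with no `auth:*` middleware, so unless the meetups route is protected somewhere outside this diff every caller will land on the new `abort_unless($user, 401)`. Either attach the guard the API clients actually authenticate against to the route (e.g. `->middleware('auth:sanctum')` if the project uses Sanctum) or resolve it explicitly, `$user = $request->user('sanctum');`, so the controller does not silently depend on a session guard that API requests never carry. Dropping the caller-supplied `user_id` is the right fix: the old code let any client look up another user's meetup memberships by id. `index()` continues past the end of the hunk.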
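Review bot: The new `str_contains($path, '..')` guard in __invoke() is a substring check, so a legitimate name such as `a..b.png` is rejected too, and it overlaps with what Flysystem 2/3 already does for this adapter (its path normalizer throws `PathTraversalDetected` for segments that escape the root and the prefixer strips leading separators); keeping it as defense in depth is fine but deserves a comment, e.g. `// Defense in depth: Flysystem also rejects '..' segments, but fail fast with a 404 instead of an uncaught exception.` The larger point is the root: the adapter is anchored at `storage_path('app')`, i.e. the whole private storage tree, so unless the rest of __invoke (outside the hunk) restricts the subdirectory or the file type, any readable file under storage/app, not only images, is reachable by path through this handler. Consider rooting the adapter at the image subdirectory or validating the resolved file against an allow-list of image MIME types. __invoke continues beyond the hunk.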
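Review bot: The new `$fillable` list on Course includes `lecturer_id`, an ownership column; making it mass-assignable means any controller that does `Course::create($request->all())` or `$course->update($request->validated())` without stripping it lets the client reassign the course to another lecturer. The same pattern appears in the other model hunks of this commit: Lecturer (`team_id`, `active`), Meetup (`github_data`, `nostr_status`, `visible_on_map`) and, most importantly, User, where `password`, `email_verified_at`, `remember_token`, `is_lecturer`, `is_leader` and `current_team_id` are all fillable, whereas role flags and verification/token columns should be set through `forceFill()` in trusted code rather than be mass-assignable. Whether any of this is reachable depends on the controllers, which are not in this diff, but the reason to move from `$guarded = []` to `$fillable` is precisely to close that door, so the lists should contain only fields a client is allowed to edit. The replaced docblock would also read better as `@var list<string>` with its description kept, `The attributes that are mass assignable.`.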
+++ b/app/Models/Lecturer.php
@@ -22,11 +22,24 @@ class Lecturer extends Model implements HasMedia
     use InteractsWithMedia;
     /**
-     * The attributes that aren't mass assignable.
-     *
-     * @var array
+     * @var array
      */
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'slug',
+        'subtitle',
+        'intro',
+        'description',
+        'active',
+        'website',
+        'twitter_username',
+        'nostr',
+        'lightning_address',
+        'lnurl',
+        'node_id',
+        'paynym',
+        'team_id',
+    ];
     /**
      * The attributes that should be cast to native types.
diff --git a/app/Models/Meetup.php b/app/Models/Meetup.php
index d0e1059..9fec58c 100644
--- a/app/Models/Meetup.php
+++ b/app/Models/Meetup.php
@@ -23,11 +23,25 @@ class Meetup extends Model implements HasMedia
     use InteractsWithMedia;
     /**
-     * The attributes that aren't mass assignable.
-     *
-     * @var array
+     * @var array
      */
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'slug',
+        'city_id',
+        'intro',
+        'telegram_link',
+        'webpage',
+        'twitter_username',
+        'matrix_group',
+        'nostr',
+        'nostr_status',
+        'simplex',
+        'signal',
+        'community',
+        'github_data',
+        'visible_on_map',
+    ];
     /**
      * The attributes that should be cast to native types.
diff --git a/app/Models/SelfHostedService.php b/app/Models/SelfHostedService.php
index 193f438..d3ed4a0 100644
--- a/app/Models/SelfHostedService.php
+++ b/app/Models/SelfHostedService.php
@@ -22,7 +22,22 @@ class SelfHostedService extends Model implements HasMedia
     use HasTags;
     use InteractsWithMedia;
-    protected $guarded = [];
+    /**
+     * @var array
+     */
+    protected $fillable = [
+        'name',
+        'slug',
+        'type',
+        'intro',
+        'url_clearnet',
+        'url_onion',
+        'url_i2p',
+        'url_pkdns',
+        'ip',
+        'contact',
+        'anon',
+    ];
     protected $casts = [
         'id' => 'integer',
diff --git a/app/Models/User.php b/app/Models/User.php
index 1b03c14..cb79c79 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -24,7 +24,28 @@ class User extends Authenticatable implements CipherSweetEncrypted
     use Notifiable;
     use UsesCipherSweet;
-    protected $guarded = [];
+    protected $fillable = [
+        'name',
+        'email',
+        'password',
+        'email_verified_at',
+        'remember_token',
+        'profile_photo_path',
+        'public_key',
+        'is_lecturer',
+        'is_leader',
+        'current_team_id',
+        'current_language',
+        'timezone',
+        'lightning_address',
+        'lnurl',
+        'node_id',
+        'paynym',
+        'nostr',
+        'lnbits',
+        'change',
+        'change_time',
+    ];
     /**
      * The attributes that should be hidden for serialization.
diff --git a/resources/views/livewire/courses/landingpage.blade.php b/resources/views/livewire/courses/landingpage.blade.php
index 8702fbe..cb59e9d 100644
--- a/resources/views/livewire/courses/landingpage.blade.php
+++ b/resources/views/livewire/courses/landingpage.blade.php
@@ -87,7 +87,7 @@ class extends Component {
@if($course->lecturer->website) - Website @@ -96,7 +96,7 @@ class extends Component { @if($course->lecturer->twitter_username) + target="_blank" rel="noopener noreferrer" variant="ghost" size="xs"> @@ -106,7 +106,7 @@ class extends Component { @endif @if($course->lecturer->nostr) - Nostr @@ -173,6 +173,7 @@ class extends Component {
@if($meetup->webpage) - Webseite @@ -92,7 +92,7 @@ class extends Component { @endif @if($meetup->telegram_link) - Telegram @@ -100,7 +100,7 @@ class extends Component { @endif @if($meetup->twitter_username) - matrix_group) - Matrix @@ -119,14 +119,14 @@ class extends Component { @endif @if($meetup->signal) - + Signal @endif @if($meetup->simplex) - SimpleX
diff --git a/routes/api.php b/routes/api.php
index 84aa625..315ce4b 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -11,7 +11,7 @@ use App\Models\User;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Route;
-Route::middleware([])
+Route::middleware(['throttle:60,1'])
     ->as('api.')
     ->group(function () {
         Route::resource('countries', CountryController::class);
@@ -22,7 +22,9 @@ Route::middleware([])
         Route::resource('cities', CityController::class);
         Route::resource('venues', VenueController::class);
         Route::get('highscores', [HighscoreController::class, 'index'])->name('highscores.index');
-        Route::post('highscores', [HighscoreController::class, 'store'])->name('highscores.store');
+        Route::post('highscores', [HighscoreController::class, 'store'])
+            ->middleware('throttle:10,1')
+            ->name('highscores.store');
         Route::get('nostrplebs', function () {
             return User::query()
                 ->select([
diff --git a/routes/web.php b/routes/web.php
index b2e3e82..e1909bd 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -43,12 +43,12 @@ Route::livewire('/kaninchenbau', FollowTheRabbit::class)
 // Generic image handler route that serves images from storage
 Route::get('/img/{path}', ImageController::class)
-    ->where('path', '.*')
+    ->where('path', '[A-Za-z0-9._\-/]+')
     ->name('img');
 // Public image handler route for serving public images
 Route::get('/img-public/{path}', ImageController::class)
-    ->where('path', '.*')
+    ->where('path', '[A-Za-z0-9._\-/]+')
     ->name('imgPublic');
 // Welcome page route using Volt component
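Review bot: `throttle:60,1` on the group and `throttle:10,1` on highscores.store key their counters by authenticated user id with a fallback to client IP, and since nothing in this group authenticates, the limit is only as good as the IP Laravel sees; if the app sits behind a proxy or CDN that is not covered by the `TrustProxies` configuration, every client shares one bucket and aggregate traffic, not a single abuser, trips the limit. Worth confirming the proxy setup alongside this change, and worth defining the policy once with `RateLimiter::for('api', ...)` in a service provider and referencing it as `throttle:api` rather than repeating inline numbers. The group still contains the `Route::resource(...)` registrations, which expose store/update/destroy under the same throttle-only middleware; that is pre-existing, but the new throttling should not be mistaken for access control. The group closure continues outside the hunk.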
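Review bot: The new constraint `[A-Za-z0-9._\-/]+` on both image routes is a sound character allow-list, but it still admits `.` and `/` in any combination, so it does not by itself prevent `..` segments; the rejection happens in ImageController, and that split responsibility should be recorded at the route: `// Character allow-list only; '..' segments are rejected in ImageController.` Both routes also resolve to the same `ImageController::class` with the same storage root, so the generic/public distinction expressed in the route names is not enforced by anything visible here; if the two are meant to serve different trees, the controller must branch on the matched route (e.g. `$request->route()->getName()`) or separate controllers with separate roots should be used.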