diff --git a/app.js b/app.js
index 19f1ce97b2b..99b0d2d3efb 100644
--- a/app.js
+++ b/app.js
@@ -40,7 +40,7 @@ app.set('view engine', 'ejs');
 app.use(logger('dev'));
 app.use(methodOverride());
 app.use(session({
- secret: 'keyboard cat',
+ // secret: 'keyboard cat',
 name: 'connect.sid',
 cookie: { path: '/' }
 }))
diff --git a/routes/index.js b/routes/index.js
index 17dc7dc23bc..4136c2f1e1b 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -34,6 +34,9 @@ exports.index = function (req, res, next) {
 });
 };
+// Insert new vulnerable code:
+/*
+
 exports.loginHandler = function (req, res, next) {
 if (validator.isEmail(req.body.username)) {
 User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
@@ -50,8 +53,8 @@ exports.loginHandler = function (req, res, next) {
 return res.status(401).send()
 }
 };
-// Insert new vuln
-/*
+
+
 if (validator.isEmail(req.body.username)) {
 User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
 if (users.length > 0) {
@@ -203,6 +206,8 @@ exports.create = function (req, res, next) {
 });
 };
+// Insert new vulnerable code:
+/*
 exports.destroy = function (req, res, next) {
 Todo.findById(req.params.id, function (err, todo) {
@@ -243,7 +248,7 @@ exports.update = function (req, res, next) {
 });
 });
 };
-
+*/
 // ** express turns the cookie key to lowercase **
 exports.current_user = function (req, res, next) {
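Review bot: Commenting out `secret` in the `session({ … })` options (`+ // secret: 'keyboard cat',`) does not fix the hardcoded-secret weakness, it removes the setting the middleware needs: depending on the session middleware version this either throws at startup because no secret is configured or leaves the session cookie without a signing key, so the result is a broken or weaker login rather than a safer one. To retire the well-known `keyboard cat` value, read it from configuration instead, e.g. `secret: process.env.SESSION_SECRET,` (variable name illustrative), and fail fast when it is unset. While the cookie options are being touched, `cookie: { path: '/' }` sets neither `secure` nor `sameSite`; those belong in the same change. The `app.use(session({` call is complete inside the hunk, but the surrounding middleware setup is not.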
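Review bot: The `/*` added before `exports.loginHandler = function (req, res, next) {` is never closed inside this hunk, and the matching `-/*` removal in the next hunk (`@@ -50,8 +53,8 @@`) shows it was moved up from below the handler's closing `};`, so the whole login handler is now inside the block comment and `exports.loginHandler` is no longer defined; whichever route binds it (not visible here) will presumably receive `undefined` and fail. The same move in the `@@ -203,6 +206,8 @@` and `@@ -243,7 +248,7 @@` hunks wraps `exports.destroy` and `exports.update` in a `/* … */` pair, removing those exports as well. If the aim is to disable only the duplicated `if (validator.isEmail(req.body.username)) {` block that follows the handler, the `/*` belongs back after the handler's `};`, and the `// Insert new vulnerable code:` marker comments should say what is being disabled and why. Independently, the context line `User.find({ username: req.body.username, password: req.body.password }, …)` matches the password as a plaintext field taken straight from the request body; a credential check should coerce both fields with `String(...)` before querying and compare against a stored password hash rather than the raw value. The handler's body continues outside the hunk.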