RESTful API
Cat Scientist, 2016-06-06 20:21:14

Did I understand REST principles correctly?

Based on what I've learned, the points below are not necessarily REST principles, and if they are not, then they are a consequence of this architectural approach. So, I need a single page web application with a RESTful backend. If I have done something wrong or acted irrationally, please correct me. Here's how I'll do it:

  1. SSL
  2. There are no sessions, and the corresponding logic is not provided on the backend.
  3. After authorization, a token is issued.
    1. For which it is allowed (?) to set an expiration date.
    2. Which is allowed to be written to a cookie for storage by the client,
    3. But which must be explicitly passed in every request that requires the appropriate permissions.
    4. Unlike the session, where data about the authorized user and God knows what else is written, the data remains where it should be - in the database (well, or in the query cache), and the token is the key to access this data.
  4. Only the frontend can read and write cookies.
  5. I need an ACL, and of course the server will be responsible for it, if necessary, denying the client the appropriate headers and message in the response body. The server receives the request and the token and determines the user's rights to the requested operation, applicable of course to the specified resource or instance.
  6. In total, the backend logic consists only in interacting with the database and in the ACL, nothing more.
  7. All business logic is at the front.
  8. Maybe the frontend will store its state on its own if necessary, or maybe I'll just get by with caching HTTP requests at this point. But, in any case, caching should be (where it can be and is desirable).
A request, without a holy war: this is not about the advantages or disadvantages of REST, but about how much the listed provisions correspond to it. And a huge request to the moderators to be lenient about the question of the unambiguity of possible answers, because this question is of great practical importance.

2 answer(s)
Sergey, 2016-06-06
Protko @Fesor

Only the frontend can read and write cookies.

No, since this is quite a stateless mechanism. It acts like a token.
403 status code. Everything else is optional.
Depends on the project.
Depends on the project. If your users do not interact with each other in any way and there is no common data, then yes. In this case, you don't even really need a backend. It is enough to wrap the interface to some Mongo in REST middleware.
And if there is a common state for several users, then you will have to transfer part of the business logic to the server. It will act as a single source of truth.
REST is only about the interaction between the client and the server. It doesn't matter to it what the client is doing there or what the server is doing there.
The principles and constraints describing RESTful are described pretty well here:
www.restapitutorial.ru/lessons/whatisrest.html
Unfortunately, all the other information there is not complete. For example, there is no mention of how to work with the PATCH method.
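
Points 3 and 5 of the question together with the 403 mentioned in this answer, sketched as an added example that is not part of the original thread or either poster's code: the token is looked up on every request, then the ACL is checked per method and per instance. The `Bearer` header scheme, the function names, and all sample tokens, roles and articles are assumptions constructed for illustration.

```javascript
// Added example: stateless token check followed by an ACL decision.
// All names and data are constructed; `now` is passed in so results are deterministic.

// Token store: the database (or its cache) keyed by token, as in point 3.4.
const tokens = new Map([
  ["tok-alice", { userId: "alice", expiresAt: 2000 }],
  ["tok-bob", { userId: "bob", expiresAt: 1000 }],
]);

// ACL: role -> resource type -> method -> "any" instance or only the user's "own".
const roles = { alice: "editor", bob: "editor" };
const acl = {
  admin: { article: { GET: "any", PUT: "any", DELETE: "any" } },
  editor: { article: { GET: "any", PUT: "own" } },
};
const articles = new Map([[1, { owner: "alice" }], [2, { owner: "carol" }]]);

// Returns the user id, or null when the token is missing, malformed, unknown or expired.
// Only the explicit Authorization header counts; a cookie alone is ignored (point 3.3).
function authenticate(headers, now) {
  const value = headers["authorization"];
  if (typeof value !== "string") return null;
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+)$/.exec(value);
  if (!m) return null;
  const rec = tokens.get(m[1]);
  if (!rec || rec.expiresAt <= now) return null;
  return rec.userId;
}

// Deny by default: anything not granted as "any" or matching "own" is refused.
function authorize(userId, method, type, instance) {
  const rule = ((acl[roles[userId]] || {})[type] || {})[method];
  if (rule === "any") return true;
  if (rule === "own") return instance !== undefined && instance.owner === userId;
  return false;
}

// 401 = no valid token, 403 = valid token but the ACL refuses the operation.
function handle(req, now) {
  const userId = authenticate(req.headers, now);
  if (userId === null) return { status: 401, body: { error: "invalid or expired token" } };
  const instance = articles.get(req.id);
  if (!authorize(userId, req.method, "article", instance)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  if (!instance) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { id: req.id, owner: instance.owner } };
}
```

The ACL check runs before the existence check, so a user with only "own" rights gets 403 for a missing article rather than learning whether it exists.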

Optimus, 2016-06-07
Pyan @marrk2

https://habrahabr.ru/post/46032/
https://habrahabr.ru/post/50147/
https://habrahabr.ru/post/38730/
https://habrahabr.ru/search/?q=%5BREST%5D&target_t...