password

passwordHash

Gain insights into securing Node.js applications: sanitize inputs, use HTTPS, encryption, explore authentication, access control, and protect against XSS, CSRF, and popular hacks.

Working_SNA_Docker.tar.gz

psql

psql-copy

run_spa

run_spa_node

run_spa_hash

compose

compose-copy

compose-copy-copy

run_spa-copy

app-demo-psql

This course is your guide for securing Node.js applications. You'll start by properly sanitizing user input and output, and then move on to some fundamental protocols, such as HTTPS and SHA. Passwords and encryption will be discussed next. More specifically, you will learn about different hashing algorithms and protecting your application from brute force attacks.

Following that, you'll explore concepts like authentication, access control, and obfuscation. You will also learn about XSS, CSRF, and other popular hacks near the end of the course.

By the end of this course, you will know how to secure a Node.js application, an in-demand skill to put on your resume!

A Guide to Securing Node.js Applications

## What is a hash?
First, we need to cover the basics. Hashing is not encryption. A hashing function calculates a fixed-size string from an input. Passwords should be one-way hashed. This means they are impossible to decrypt, making them “one-way.” There is never a need to display a password back to a user or admin. Once a password is entered, it becomes a hash that can be recreated only when the original password is given as input.

## Popular attacks
Before discussing any further, let's delve into popular attacks against hashing algorithms.

### Lookup tables
A lookup table is a table of hashes where the password is known.  It can be as simple as this:

```
password | hash
------------------------
pass1    | bidfb2enkjnf
pass2    | psdfnojn3nod
etc...
```
This is then compared against the password hashes in your database to determine the used password. This attack is useless if you are using random salts, but it’s easy if the hashes aren’t salted.


### Rainbow tables
A rainbow table is technically more sophisticated but similar to a lookup table. It is a less memory-intensive way of achieving a lookup table through mathematical means. You can think of them interchangeably when mentioned here. Rainbow tables are also thwarted by random salts, so they are less relevant due to the onset of modern hashing algorithms.

A rainbow tables attack is a very complex exploit that is really out of the scope of this course to explain.  If you want to learn more, you can read the [original paper](http://www-ee.stanford.edu/~hellman/publications/36.pdf) published by Martin Hellman that introduces the concept. 

# What is a hash?
First, we need to cover the basics. Hashing is not encryption. A hashing function calculates a fixed-size string from an input. Passwords should be one-way hashed. This means they are impossible to decrypt, making them “one-way.” There is never a need to display a password back to a user or admin. Once a password is entered, it becomes a hash that can be recreated only when the original password is given as input.

# Popular attacks
Before discussing any further, let's delve into popular attacks against hashing algorithms.

## Lookup tables
A lookup table is a table of hashes where the password is known.  It can be as simple as this:

```
password | hash
------------------------
pass1    | bidfb2enkjnf
pass2    | psdfnojn3nod
etc...
```
This is then compared against the password hashes in your database to determine the used password. This attack is useless if you are using random salts, but it’s easy if the hashes aren’t salted.


## Rainbow tables
A rainbow table is technically more sophisticated but similar to a lookup table. It is a less memory-intensive way of achieving a lookup table through mathematical means. You can think of them interchangeably when mentioned here. Rainbow tables are also thwarted by random salts, so they are less relevant due to the onset of modern hashing algorithms.

A rainbow tables attack is a very complex exploit that is really out of the scope of this course to explain.  If you want to learn more, you can read the [original paper](http://www-ee.stanford.edu/~hellman/publications/36.pdf) published by Martin Hellman that introduces the concept. 

Introduction

Never Trust Your Users. Sanitize ALL Input!

HTTPS and Other Random Letters

Password Encryption and Storage for Everyone

Authentication, Access Control, and Safe File Handling

Safe Defaults, Cross Site Scripting, and Other Popular Hacks

Hashes

What is a hash?

Popular attacks

Lookup tables