password

passwordHash

Gain insights into securing Node.js applications: sanitize inputs, use HTTPS, encryption, explore authentication, access control, and protect against XSS, CSRF, and popular hacks.

Working_SNA_Docker.tar.gz

psql

psql-copy

run_spa

run_spa_node

run_spa_hash

compose

compose-copy

compose-copy-copy

run_spa-copy

app-demo-psql

This course is your guide for securing Node.js applications. You'll start by properly sanitizing user input and output, and then move on to some fundamental protocols, such as HTTPS and SHA. Passwords and encryption will be discussed next. More specifically, you will learn about different hashing algorithms and protecting your application from brute force attacks.

Following that, you'll explore concepts like authentication, access control, and obfuscation. You will also learn about XSS, CSRF, and other popular hacks near the end of the course.

By the end of this course, you will know how to secure a Node.js application, an in-demand skill to put on your resume!

A Guide to Securing Node.js Applications

## Storytime
Once again, it’s time for a story. In October 2010, Eric Butler released a Firefox extension named Firesheep to highlight a huge, but under-recognized, problem. Firesheep allowed any user to watch the non-encrypted traffic on their local network, even hijack another user’s session. Firesheep exploited a type of man-in-the-middle attack: **sidejacking**.  Sound scary?  It should because it is. Let's walk through an illustration to make a point.

> Firesheep was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies from websites.

Take a second and think of the trouble Jane can cause John. She has access to many private things and could cause chaos by messing with his emails.

This is sidejacking. This type of exploit, session hijacking via unencrypted network traffic, has always been possible by skilled users. With the release of Firesheep, anyone had the ability to sidejack with just the click of a button.

While you go download Firesheep, ( yeah, that's right, I know what you're doing 😈 ), you might be thinking that this is a horrible thing to happen.  However, Firesheep caused web companies to finally take HTTPS seriously. Gmail, Facebook, and Twitter now all default to using HTTPS throughout their entire site. Previously, the standard was to encrypt only login pages. This secured the user’s login credentials but left their current session open to hijacking, as in our example above.

## What is HTTPS?
Regular web traffic is transferred over HTTP. When you type "http://www.google.com" into your browser, you use HTTP! Notice the **"http://"** at the beginning of the URL. Regular HTTP traffic uses port 80. HTTPS, on the other hand, uses port 443.  HTTP is not secure; everything you do can be seen by others. HTTPS is “HTTP Secure” or “HTTP on SSL.” HTTP needs SSL to be secure.

For the purposes of this course, I’m going to cover HTTPS functions at a very high level.

# Storytime
Once again, it’s time for a story. In October 2010, Eric Butler released a Firefox extension named Firesheep to highlight a huge, but under-recognized, problem. Firesheep allowed any user to watch the non-encrypted traffic on their local network, even hijack another user’s session. Firesheep exploited a type of man-in-the-middle attack: **sidejacking**.  Sound scary?  It should because it is. Let's walk through an illustration to make a point.

> Firesheep was an extension for the Firefox web browser that used a packet sniffer to intercept unencrypted session cookies from websites.

Take a second and think of the trouble Jane can cause John. She has access to many private things and could cause chaos by messing with his emails.

This is sidejacking. This type of exploit, session hijacking via unencrypted network traffic, has always been possible by skilled users. With the release of Firesheep, anyone had the ability to sidejack with just the click of a button.

While you go download Firesheep, ( yeah, that's right, I know what you're doing 😈 ), you might be thinking that this is a horrible thing to happen.  However, Firesheep caused web companies to finally take HTTPS seriously. Gmail, Facebook, and Twitter now all default to using HTTPS throughout their entire site. Previously, the standard was to encrypt only login pages. This secured the user’s login credentials but left their current session open to hijacking, as in our example above.

# What is HTTPS?
Regular web traffic is transferred over HTTP. When you type "http://www.google.com" into your browser, you use HTTP! Notice the **"http://"** at the beginning of the URL. Regular HTTP traffic uses port 80. HTTPS, on the other hand, uses port 443.  HTTP is not secure; everything you do can be seen by others. HTTPS is “HTTP Secure” or “HTTP on SSL.” HTTP needs SSL to be secure.

For the purposes of this course, I’m going to cover HTTPS functions at a very high level.

Introduction

Never Trust Your Users. Sanitize ALL Input!

HTTPS and Other Random Letters

Password Encryption and Storage for Everyone

Authentication, Access Control, and Safe File Handling

Safe Defaults, Cross Site Scripting, and Other Popular Hacks

Introduction

Storytime