Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

# Denylisting
When implementing systems that require discarding elements based on an input (e.g., rejecting requests based on an IP address or a comment based on certain words) you might be tempted to use a denylist in order to filter elements out.

## The problem with denylisting
The inherent problem with denylisting is the approach we're taking. It allows us to specify which elements we think are unsafe, making the assumption that we know everything that could hurt us. From a security perspective, that's the equivalent of us wearing summer clothes because we're well into June, without looking out the window in order to make sure it's actually sunny. We make assumptions without having the whole picture, and it could hurt us.

If you were thinking of filtering out comments based on a denylist of words, you would probably start by describing a denylist of five to ten words. When coming up with the list you might forget words such as *j3rk*, or reject genuine comments mentioning "[Dick Bavetta](https://en.wikipedia.org/wiki/Dick_Bavetta)", a retired NBA referee.

Now, comments aren't always the most appropriate example in terms of security, but you get the gist of what we're talking about. It's hard to know everything that's going to hurt us well in advance, so allowlisting is generally a more cautious approach, allowing us to specify what input we trust.

# A practical example

A more practical example would be logging. You will want to allowlist what can be logged rather than the opposite. Take an example object such as:

```js
{
    email: "lebron@james.com",
    password: "King_James",
    credit_card: "1111 2222 3333 4444",
    birthday: "1984-12-30",
}
```

You could possibly create a denylist that includes `password` and `credit_card`, but what would happen when another engineer in the team changes fields from snake_case to camelCase?

Our object would become:

```js
{
    email: "lebron@james.com",
    password: "King_James",
    creditCard: "1111 2222 3333 4444",
    birthday: "1984-12-30",
}
```

You might end up forgetting to update your denylist, leading to the credit card number of your customers being leaked all over your logs.

# Denylisting vs allowlisting

As you've probably realized, the choice of utilizing a denylist or a allowlist depends on the context you're operating in. If you're exposing a service on the internet (such as facebook.com), then denylisting is definitely not going to work, as that would mean knowing the IP address of every genuine visitor, which is impossible.

From a security perspective, allowlisting is a better approach but is often impractical. Choose your strategy carefully after reviewing both options, none of the above is suitable without prior knowledge of your system, constraints and requirements.

---
In the next lesson, we'll study some logging secrets.

In this lesson, we'll study denylisting and allowlisting.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

Denylisting vs. Allowlisting

Denylisting

The problem with denylisting