Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

# Why `Expect-CT`?
The goal of `Expect-CT` is to inform the browser that it should perform additional background checks to ensure the certificate is genuine. When a server uses the `Expect-CT` header, it is requesting the client to verify that the certificates being used are present in public Certificate Transparency (CT) logs.

The Certificate Transparency initiative is an effort led by Google in order to:

> *[provide] an open framework for monitoring and auditing SSL certificates in nearly real time.*
>
> *Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.*
>
> **certificate-transparency.org**

Note that a rogue server wouldn't set the expect-ct header, putting themselves on the line. A genuine server can ask clients to opt-in with all subsequent requests to be validated with CT moving forward. If the client gets tricked into connecting to a malicious server, the attack will never work as the SSL certificate won't pass the CT validation.


# Sample header
The header takes this form:

```text
Expect-CT: max-age=3600, enforce, report-uri="https://ct.example.com/report"
```

In this example, the server is asking the browser to:

* enable CT verification for the current app for a period of one hour (3600 seconds)
* `enforce` this policy and prevent access to the app if a violation occurs
* send a report to the given URL if a violation occurs

The Certificate Transparency initiative's goal is to detect erroneously issued or malicious certificates (including rogue Certificate Authorities) earlier, faster, and more precisely than any other method before. By opting-in using the `Expect-CT` header, you can take advantage of this initiative to improve your app's security posture.

---
In the next lesson, we'll study `X-Frame-Options` which are meant to circumvent clickjacking attacks.


In this lesson, we'll study the Expect-CT header.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

Expect-CT

Why `Expect-CT`?

Expect-CT

Why Expect-CT?

Why `Expect-CT`?