Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

## Using incremental session IDs is a bad choice
It should go without saying, but your session IDs (often stored in cookies) should not resemble a known pattern or be generally guessable. Using an auto-incrementing sequence of integers as IDs would be a terrible choice, as an attacker could just log in, receive the session ID `X` and then replace it with `X ± N`, where `N` is a small number to increase chances of that being an identifier of a recent, valid session.

## Generating secure IDs
The simplest choice would be to use a cryptographically secure function that generates a random string. This is usually not a hard task to accomplish. Let's take the [Beego](https://github.com/astaxie/beego) framework, very popular among Golang developers, as an example; the function that generates session IDs is 



# Using incremental session IDs is a bad choice
It should go without saying, but your session IDs (often stored in cookies) should not resemble a known pattern or be generally guessable. Using an auto-incrementing sequence of integers as IDs would be a terrible choice, as an attacker could just log in, receive the session ID `X` and then replace it with `X ± N`, where `N` is a small number to increase chances of that being an identifier of a recent, valid session.

# Generating secure IDs
The simplest choice would be to use a cryptographically secure function that generates a random string. This is usually not a hard task to accomplish. Let's take the [Beego](https://github.com/astaxie/beego) framework, very popular among Golang developers, as an example; the function that generates session IDs is 



In this lesson, we'll see how secure session IDs are generated.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

Deploy an API to Production Using Nginx

Generating Session IDs

Using incremental session IDs is a bad choice