Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

# Why HTTP Public Key Pinning?
HTTP Public Key Pinning (abbr. HPKP) is a mechanism that allows us to advertise which SSL certificates to expect when a browser connects to our servers. It is a *trust on first use* header, just like HSTS, meaning that, once the client connects to our server, it will store the certificate's info for subsequent interactions.

If at any point in time the client detects that another certificate is being used by the server, it will politely refuse to connect, rendering *man in the middle* (MITM) attacks very hard to pull off.

This is what an HPKP policy looks like:

```text
Public-Key-Pins:
  pin-sha256="9yw7rfw9f4hu9eho4fhh4uifh4ifhiu=";
  pin-sha256="cwi87y89f4fh4fihi9fhi4hvhuh3du3=";
  max-age=3600; includeSubDomains;
  report-uri="https://pkpviolations.example.org/collect"
```

# HPKP is dangerous

The header advertises what certificates the server will use (in this case it's two of them) using a hash of the certificates. It includes additional information like the time-to-live of this directive (`max-age=3600`), and a few other details. Sadly, there's no point in digging deeper to understand what we can do with public key pinning, as [this feature is being deprecated by Chrome](https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ), a signal that its adoption is destined to plummet very soon.

Chrome's decision is not irrational, it is simply a consequence of the risks associated with public key pinning. If you lose your certificate, or simply make a mistake while testing, your website is gone for the duration of the `max-age` directive, which is typically weeks or months. As a result of these potentially catastrophic consequences, adoption of HPKP has been extremely low, and there have been incidents where big-time websites have been unavailable because of a misconfiguration. 

All things considered, Chrome decided users were better off without the protection offered by HPKP, and [security researchers aren't entirely against this decision](https://scotthelme.co.uk/im-giving-up-on-hpkp/).

> # ℹ️ HPKP gone wrong
> 
> Smashing Magazine, a leading website in the field of web design, documented its disastrous experience with HPKP in a [blog post](https://www.smashingmagazine.com/be-afraid-of-public-key-pinning/) in late 2016.
> 
> Long story short, the website was unavailable, due to a misconfiguration in their `Public-Key-Pins` header. When their SSL certificate expired, they had no way to issue a new certificate that would not violate their previously set HPKP policy. As a result, most of their users could not access the website for four days.
> 
> Moral of the story? HPKP is dangerous and even the best make mistakes.

---
While HPKP has been deprecated, a new header stepped in to prevent fraudulent SSL certificates from being served to clients, `Expect-CT`. Let's study it in the next lesson.

In this lesson, we'll study HTTP Public Key Pinning.


Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

HTTP Public Key Pinning

Why HTTP Public Key Pinning?