Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

## It's better to be safe than sorry
Remember, being paranoid might trigger a scoff or an eye-roll from one of your colleagues, but don't let that deter you from doing your job and making sure the correct precautions are in place.

Some users do not appreciate enforcing 2FA on their account, or might not like to CC their manager in an email to get an approval, but your job is to make sure the ship is tight and secure, even if that means having to implement some annoying checks along the way. 

## An example

I still remember being locked out of an AWS account (I stupidly let my password expire) and having to ask our Lead System Administrator for a password reset with an email along the lines of "*Hi X, I'm locked out of my AWS account, can you reset my password and share a new, temporary one here?*"

The response? A message on WhatsApp:



# It's better to be safe than sorry
Remember, being paranoid might trigger a scoff or an eye-roll from one of your colleagues, but don't let that deter you from doing your job and making sure the correct precautions are in place.

Some users do not appreciate enforcing 2FA on their account, or might not like to CC their manager in an email to get an approval, but your job is to make sure the ship is tight and secure, even if that means having to implement some annoying checks along the way. 

# An example

I still remember being locked out of an AWS account (I stupidly let my password expire) and having to ask our Lead System Administrator for a password reset with an email along the lines of "*Hi X, I'm locked out of my AWS account, can you reset my password and share a new, temporary one here?*"

The response? A message on WhatsApp:



In this lesson, we'll learn that it's better to be overly cautious than to risk a security breach.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

Deploy an API to Production Using Nginx

Paranoid Mode: On

It’s better to be safe than sorry