Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

# Introduction
The `security.txt` is a proposed standard to advertise the security policies of a website. In other words, it allows us to publish a file that informs researchers about the existence and terms of your BBP.

A valid example of `security.txt` file could look like this:

```text
Contact: mailto:security@example.com
Preferred-Languages: en
Canonical: https://example.com/security.txt
Policy: https://example.com/bug-bounty-program.html
Hiring: https://example.com/careers.html
Acknowledgments: https://example.com/hall-of-fame.html
```

It's a simple, plaintext file listing information for security researchers: 

- The contact section will state how a researcher should get in touch with the organization.
- The preferred languages section will state what language to use.
- The policy section will lead to the full-blown version of the BBP, where the researcher can better understand what the rules of engagement are. 

Additional sections, such as a link to security-related job openings at your company and acknowledgements to ethical hackers who have helped the organization in the past, make for additional, complementary pieces of information that researchers might find useful. 

You can read more about the standard at [securitytxt.org](https://securitytxt.org); for an example file, visit [facebook.com/security.txt](https://www.facebook.com/security.txt)

Having a `security.txt` allows researchers to find more about your BBP with a standardized process, something that saves them precious time. Remember, ethical hackers are on the hunt for security programs with limited time on their hands and, for many of them, bounties are a significant source of income. Making sure they can easily understand how your program works is an effective incentive to attract them towards your web applications.

---
We'll learn about HackerOne in the next lesson.

In this lesson, we'll learn about security.txt.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

Security.txt

Introduction