Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

# Introduction
More than once in my career I've been asked to provision an EV certificate for web applications, and every single time I managed to get out of it, not because of laziness, but because of the security implications of these certificates. In short, they don't have any influence on security and cost a lot of money. Let's learn what EV certificates are and why you don't need to use one.

# What are Extended Validation certificates? 

Extended Validation certificates (EV) are a type of SSL certificate that aim to increase the users' security by performing additional verification before the issuance of the certificate. This additional level of scrutiny should, on paper, allow CAs to prevent bad actors from obtaining SSL certificates to be used for malicious purposes, a truly remarkable feat if it worked that way. There were some egregious cases instead, like the one where [a researcher named Ian Carrol was able to obtain an EV certificate for an entity named "Stripe, inc" from a CA](https://arstechnica.com/information-technology/2017/12/nope-this-isnt-the-https-validated-stripe-website-you-think-it-is/). Long story short, CAs are not able to guarantee an increased level of security for EV certificates.

# They made for pretty UI

If you're wondering why EV certificates are still used, let me give you a quick answer, under the false assumption of added security, EV certificates used to have a special UI in browsers, sort of a vanity feature CAs would charge an exorbitant amount of money for (in some cases more than $1,000 for a single-domain EV certificate). This is how an EV certificate would show up in the user's browser:



In this lesson, we'll learn what EV certificates are and why they aren't necessary.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

The Slow Death of EV Certificates

Introduction

What are Extended Validation certificates?