Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

## What is a bug bounty program?
A BBP is a call for help from an organization, reaching out to security researchers worldwide. The organization lays out the scope and terms of the program, fundamentally allowing security researchers to probe their systems and software in exchange for a financial reward.

If researchers find a vulnerability in an application, they can submit it and, if the organization finds the submission acceptable, receive a bounty as a reward.

## What is a valid submission?
It is worth noting that there is no general definition of what makes a submission acceptable, as each program has different rules and terms for valid submissions. For example, Google has a program named *"Google Vulnerability Reward Program (VRP) Rules"* which states valid reports could include:

* Cross-site scripting
* Cross-site request forgery
* Mixed-content scripts
* Authentication or authorization flaws
* Server-side code execution bugs

While it unequivocally states exclusions, which are alleged vulnerabilities that do not qualify as valid submissions, meaning researchers will be turned down when submitting them. Some examples include vulnerabilities in `*.bc.googleusercontent.com` or `*.appspot.com` as well as flaws affecting the users of out-of-date browsers and plugins.

Google goes beyond simply listing the exclusions, as it also provides the reasoning behind their choice. For example, vulnerabilities in `*.bc.googleusercontent.com` are excluded because, "*these domains are used to host applications that belong to Google Cloud customers. The Vulnerability Reward Program does not authorize the testing of Google Cloud customer applications. Google Cloud customers can authorize the penetration testing of their own applications, but testing of these domains is not within the scope of or authorized by the Vulnerability Reward Program*."



# What is a bug bounty program?
A BBP is a call for help from an organization, reaching out to security researchers worldwide. The organization lays out the scope and terms of the program, fundamentally allowing security researchers to probe their systems and software in exchange for a financial reward.

If researchers find a vulnerability in an application, they can submit it and, if the organization finds the submission acceptable, receive a bounty as a reward.

# What is a valid submission?
It is worth noting that there is no general definition of what makes a submission acceptable, as each program has different rules and terms for valid submissions. For example, Google has a program named *"Google Vulnerability Reward Program (VRP) Rules"* which states valid reports could include:

* Cross-site scripting
* Cross-site request forgery
* Mixed-content scripts
* Authentication or authorization flaws
* Server-side code execution bugs

While it unequivocally states exclusions, which are alleged vulnerabilities that do not qualify as valid submissions, meaning researchers will be turned down when submitting them. Some examples include vulnerabilities in `*.bc.googleusercontent.com` or `*.appspot.com` as well as flaws affecting the users of out-of-date browsers and plugins.

Google goes beyond simply listing the exclusions, as it also provides the reasoning behind their choice. For example, vulnerabilities in `*.bc.googleusercontent.com` are excluded because, "*these domains are used to host applications that belong to Google Cloud customers. The Vulnerability Reward Program does not authorize the testing of Google Cloud customer applications. Google Cloud customers can authorize the penetration testing of their own applications, but testing of these domains is not within the scope of or authorized by the Vulnerability Reward Program*."



In this lesson, we'll study what a bug bounty program looks like.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

Deploy an API to Production Using Nginx

What's in a Program?

What is a bug bounty program?

What is a valid submission?