Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

# MIME-sniffing
Sometimes, clever browser features end up hurting us from a security standpoint. One example is MIME-sniffing, a technique popularized by Internet Explorer.

MIME-sniffing is the ability for a browser to auto-detect (and fix) the content type of a resource it is downloading. Say for example, we ask the browser to render an image at `/awesome-picture.png`, but the server sets the wrong type when serving it to the browser (ie. `Content-Type: text/plain`), this would generally result in the browser not being able to display the image properly.

In order to fix the issue, IE went to great lengths to implement a MIME-sniffing capability. When downloading a resource, the browser would scan it and if it detected that the resource's content type is not the one advertised by the server in the `Content-Type` header, it would ignore the type sent by the server and interpret the resource according to the type detected by the browser.

# The catch

Now, imagine hosting a website that allows users to upload their own images, and imagine a user uploading a `/test.jpg` file that contains JavaScript code. See where this is going? Once the file is uploaded, the site would include it in its own HTML and, when the browser would try to render the document, it would find the image the user just uploaded. As the browser downloads the image, it would detect that it's a script instead, and execute it on the victim's browser.

# The fix

To avoid this issue, we can set the `X-Content-Type-Options: nosniff` header that completely disables MIME-sniffing. By doing so, we are telling the browser that we're fully aware that some file might have a mismatch in terms of type and content, and the browser should not worry about it, we know what we're doing, so the browser shouldn't try to guess things, potentially posing a security threat to our users.

---
In the next lesson, we'll study cross origin resource sharing.

In this lesson, we'll see how 'MIME-sniffing' introduced a vulnerability and how to use the X-Content-Type-Options header to avoid it.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

X-Content-Type-Options

MIME-sniffing