Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.

new.tar.gz

node

cookies

hsts

hsts-https

cookies-https

clickjacking

cors

There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.

In this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. 

In the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.

This course will demystify web security, and help you stay on top of important security-related concerns in your web apps.

Web Application Security for the Everyday Software Engineer

## Introduction
Although superseded by CSP, the `X-XSS-Protection` header provides a similar type of protection. Unsupported by Firefox, this header is used to mitigate XSS attacks in older browsers that don't fully support CSP.

The syntax is very similar to what we've just seen.

```text
X-XSS-Protection: 1; report=http://xssviolations.example.com/collector
```
## Trying it out

Reflected XSS is the most common type of attack, where an unsanitized input is printed by the server without any validation. Here is where this header truly shines. **If you have an older version of Chrome (77 or below)** and want to see this in action, I would recommend trying out the example below, by appending `xss=on` to the generated URL. It shows what a browser does when XSS protection is turned on. 

> This will not work with newer versions of Chrome



# Introduction
Although superseded by CSP, the `X-XSS-Protection` header provides a similar type of protection. Unsupported by Firefox, this header is used to mitigate XSS attacks in older browsers that don't fully support CSP.

The syntax is very similar to what we've just seen.

```text
X-XSS-Protection: 1; report=http://xssviolations.example.com/collector
```
# Trying it out

Reflected XSS is the most common type of attack, where an unsanitized input is printed by the server without any validation. Here is where this header truly shines. **If you have an older version of Chrome (77 or below)** and want to see this in action, I would recommend trying out the example below, by appending `xss=on` to the generated URL. It shows what a browser does when XSS protection is turned on. 

> This will not work with newer versions of Chrome



In this lesson, we'll study how the X-XSS-Protection header can be used to mitigate XSS attacks.

Introduction

Understanding The Browser

HTTP

Protection through HTTP Headers

HTTP Cookies

Situationals

DDoS Attacks

Bug Bounty Programs

Conclusion

Deploy an API to Production Using Nginx

X-XSS-Protection

Introduction

Trying it out