    Gain insights into HTTP security headers, learn their risks, explore solutions, and discover how to implement them using Helmet for enhanced web application security.

HSTS_brew_final.tar.gz

Chrome

run_mal

Chrome_hsts

Chrome_hsts-mkcert

debug

Chrome_hsts-mal

Chrome_hsts-inn

This course teaches you hands-on practical use of HTTP security headers as browser security controls to help secure web applications.

For each HTTP security header that can enhance your web application security, you'll learn what is the overall risk of not implementing it, and what does a proposed solution help with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well maintained Node.js package on npm.

Web Application Security: Understanding HTTP Security Headers

This learning experience isn't intended to  be a comprehensive list of all available security headers. You should instead refer to other web resources such as [Mozilla's Developer Network](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) and the [W3C specs](https://www.w3.org/standards/) to keep up to date.

In particular, I recommend the following topics to help you add relevant context and gain an edge in understanding web security:

* Cross-Origin topics, particularly [Cross-Origin-Resource-Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).
* [Sub-resource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) policies.
* [Cross-site Request Forgery](https://infosec.mozilla.org/guidelines/web_security#csrf-prevention) and related forms of tokenization.
* Understanding how [Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) work and spec updates such as `SameSite` attribute.


The following provides a list of resources to extend your knowledge beyond all that we learned in this course.

Introduction

HTTP Security Headers

Testing for Security Headers

What's Next?

Educational resources