10:[["$","$L2a",null,{"props":{"lessonContent":{"components":[{"type":"MarkdownEditor","content":{"version":"2.0","text":"This learning experience isn't intended to be a comprehensive list of all available security headers. You should instead refer to other web resources such as [Mozilla's Developer Network](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) and the [W3C specs](https://www.w3.org/standards/) to keep up to date.\n\nIn particular, I recommend the following topics to help you add relevant context and gain an edge in understanding web security:\n\n* Cross-Origin topics, particularly [Cross-Origin-Resource-Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).\n* [Sub-resource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) policies.\n* [Cross-site Request Forgery](https://infosec.mozilla.org/guidelines/web_security#csrf-prevention) and related forms of tokenization.\n* Understanding how [Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) work and spec updates such as `SameSite` attribute.\n","mdHtml":"

This learning experience isn’t intended to be a comprehensive list of all available security headers. You should instead refer to other web resources such as ...

","cursorPosition":473,"comp_id":"xV3qcag-vDit7mykX6mZb"},"iteration":10,"hash":1,"saveVersion":16}],"summary":{"titleUpdated":true,"description":"The following provides a list of resources to extend your knowledge beyond all that we learned in this course."},"content":[{"type":"MarkdownEditor","content":{"version":"2.0","text":"This learning experience isn't intended to be a comprehensive list of all available security headers. You should instead refer to other web resources such as [Mozilla's Developer Network](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) and the [W3C specs](https://www.w3.org/standards/) to keep up to date.\n\nIn particular, I recommend the following topics to help you add relevant context and gain an edge in understanding web security:\n\n* Cross-Origin topics, particularly [Cross-Origin-Resource-Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).\n* [Sub-resource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) policies.\n* [Cross-site Request Forgery](https://infosec.mozilla.org/guidelines/web_security#csrf-prevention) and related forms of tokenization.\n* Understanding how [Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) work and spec updates such as `SameSite` attribute.\n","mdHtml":"

This learning experience isn’t intended to be a comprehensive list of all available security headers. You should instead refer to other web resources such as ...

","cursorPosition":473,"comp_id":"xV3qcag-vDit7mykX6mZb"},"iteration":10,"hash":1,"saveVersion":16}],"darkModeContent":[{"type":"MarkdownEditor","content":{"version":"2.0","text":"This learning experience isn't intended to be a comprehensive list of all available security headers. You should instead refer to other web resources such as [Mozilla's Developer Network](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) and the [W3C specs](https://www.w3.org/standards/) to keep up to date.\n\nIn particular, I recommend the following topics to help you add relevant context and gain an edge in understanding web security:\n\n* Cross-Origin topics, particularly [Cross-Origin-Resource-Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).\n* [Sub-resource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) policies.\n* [Cross-site Request Forgery](https://infosec.mozilla.org/guidelines/web_security#csrf-prevention) and related forms of tokenization.\n* Understanding how [Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) work and spec updates such as `SameSite` attribute.\n","mdHtml":"

This learning experience isn’t intended to be a comprehensive list of all available security headers. You should instead refer to other web resources such as ...

","cursorPosition":473,"comp_id":"xV3qcag-vDit7mykX6mZb"},"iteration":10,"hash":1,"saveVersion":16}]},"isPreviewLesson":false,"pageType":"collection_lesson","aiCoachVideoUrl":"https://youtu.be/kgl8y9J3O6c","collectionDetailsSSR":{"title":"Web Application Security: Understanding HTTP Security Headers","summary":"This course teaches you hands-on practical use of HTTP security headers as browser security controls to help secure web applications.\n\nFor each HTTP security header that can enhance your web application security, you'll learn what is the overall risk of not implementing it, and what does a proposed solution help with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well maintained Node.js package on npm.","details":"","clos":["Establishing secure web applications using HTTP security headers","Understanding Content Security Policy","Configuring Node.js web applications securely","Learning how to test and monitor for security headers and vulnerable JavaScript libraries","Roadmap for next steps in web controls and security headers spec"],"toc":{"categories":[{"id":"oxxr6pl5m","title":"Introduction","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"Requirements","is_preview":true,"parentIndex":null,"type":"collection_lesson","id":5066286703837184,"slug":"requirements"},{"is_recovered":false,"editMode":false,"title":"Headers as Browser Security Controls","is_preview":false,"parentIndex":null,"id":5380882287296512,"type":"collection_lesson","slug":"headers-as-browser-security-controls"},{"is_recovered":false,"editMode":false,"title":"Helmet - a Node.js Package for HTTP Security Headers","is_preview":false,"parentIndex":null,"id":4983703055892480,"type":"collection_lesson","slug":"helmet-a-nodejs-package-for-http-security-headers"}],"summary":"Get familiar with HTTP security headers, browser controls, essential tools, and the Helmet package."},{"id":"9rqjhgniv","title":"HTTP Security Headers","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"HTTP Strict Transport Security","is_preview":false,"parentIndex":null,"id":5283608609685504,"type":"collection_lesson","slug":"http-strict-transport-security"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"X Frame Options","parentIndex":null,"id":4898570479075328,"type":"collection_lesson","slug":"x-frame-options"},{"is_recovered":false,"editMode":false,"is_preview":true,"title":"Content Security Policy","parentIndex":null,"id":6200548022812672,"type":"collection_lesson","slug":"content-security-policy"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"X XSS Protection","parentIndex":null,"id":5226340774051840,"type":"collection_lesson","slug":"x-xss-protection"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"X Content Type Options","parentIndex":null,"id":5904274870501376,"type":"collection_lesson","slug":"x-content-type-options"},{"is_recovered":false,"editMode":false,"title":"Referer and Referrer Policy","is_preview":false,"parentIndex":null,"type":"collection_lesson","id":5242468342693888,"slug":"referer-and-referrer-policy"}],"summary":"Discover the logic behind HTTP security headers, their implementations, and their roles in web protection."},{"id":"x3putqd79","title":"Testing for Security Headers","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"is_preview":true,"title":"The State of HTTP Security","parentIndex":null,"type":"collection_lesson","id":6009839152005120,"slug":"the-state-of-http-security"},{"is_recovered":false,"editMode":false,"title":"WebPageTest","is_preview":false,"parentIndex":null,"type":"collection_lesson","id":5342363586134016,"slug":"webpagetest"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Chrome's Lighthouse","parentIndex":null,"type":"collection_lesson","id":6590089602793472,"slug":"chromes-lighthouse"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Check My Headers command-line application","parentIndex":null,"type":"collection_lesson","id":4875675728084992,"slug":"check-my-headers-command-line-application"},{"is_recovered":false,"editMode":false,"is_preview":true,"page_id":4593038314700800,"title":"Summary","parentIndex":null,"collection_id":6214384662609920,"author_id":6369210000211968,"type":"collection_lesson","id":4593038314700800,"slug":"summary"}],"summary":"Work your way through testing web application security headers with WebPageTest, Lighthouse, and Check My Headers."},{"id":"d41xp3ivq","title":"What's Next?","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"Establish a CSP and Security Headers standard","is_preview":false,"parentIndex":null,"type":"collection_lesson","id":6165492524908544,"slug":"establish-a-csp-and-security-headers-standard"},{"is_recovered":false,"editMode":false,"title":"Monitor your web application","is_preview":false,"parentIndex":null,"type":"collection_lesson","id":5759911750270976,"slug":"monitor-your-web-application"},{"is_recovered":false,"editMode":false,"title":"Other browser security headers and controls","is_preview":false,"parentIndex":null,"type":"collection_lesson","id":6105410764275712,"slug":"other-browser-security-headers-and-controls"},{"is_recovered":false,"editMode":false,"title":"Educational resources","type":"collection_lesson","is_preview":false,"parentIndex":null,"collection_id":6214384662609920,"author_id":6369210000211968,"page_id":4819951587164160,"id":4819951587164160,"slug":"educational-resources"}],"summary":"Grasp the fundamentals of establishing CSPs, monitoring security, evolving headers, and additional learning resources."}]},"page_titles":{"6590089602793472":"Chrome's Lighthouse","5904274870501376":"X Content Type Options","4983703055892480":"Helmet - a Node.js Package for HTTP Security Headers","5759911750270976":"Monitor your web application","5342363586134016":"WebPageTest","4875675728084992":"Check My Headers command-line application","5226340774051840":"X XSS Protection","5242468342693888":"Referer and Referrer Policy","6165492524908544":"Establish a CSP and Security Headers standard","4593038314700800":"Summary","6200548022812672":"Content Security Policy","4898570479075328":"X Frame Options","5283608609685504":"HTTP Strict Transport Security","5380882287296512":"Headers as Browser Security Controls","5066286703837184":"Requirements","6105410764275712":"Other browser security headers and controls","6009839152005120":"The State of HTTP Security","4819951587164160":"Educational resources"},"page_tags":{"6590089602793472":"lighthouse,testing,security","5904274870501376":"","4983703055892480":"helmet,node.js,npm package","5759911750270976":"monitoring,webapp,security","5342363586134016":"webpagetest,security testing,performance testing","5283608609685504":"http,hsts,ssl","5226340774051840":"XSS,Internet Explorer,IE8","5242468342693888":"referrer,referer","6165492524908544":"http headers,migration,security controls","4593038314700800":"security testing,build","6200548022812672":"content-security-policy,CSP,browser security control","4898570479075328":"x-frame-options,iframe","4875675728084992":"","5380882287296512":"security headers,browser","5066286703837184":"heroku,git,Node.js","6105410764275712":"privacy,web spec","6009839152005120":"https,ssl,certificate","4819951587164160":""},"collection_toc_is_enabled":true,"page_count":null,"docker":{"envs":[],"container":{"buildLogUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/build/log","imageName":"author-6369210000211968-collection-6214384662609920-rev-18-container-6489644251742208-hsts_brew_final","file":{"name":"HSTS_brew_final.tar.gz","size":3786},"buildStatusUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/build/status","metadata":{"sizeInBytes":3786},"id":-1,"tarballDownloadUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/download","rebuildImageUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/rebuild","buildStatus":"SUCCESS","track":false},"version":3,"jobs":[{"key":"a_MUGE4NbOlaY1R80eVnq","name":"Chrome","inputFileName":"foo","runScript":"export DISPLAY=:1.0;\nuseradd -m chromeuser;\ngoogle-chrome --no-sandbox","jobType":"GUI","forceRelaunchOnRun":false,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"pNaYJBC234v_1Ik9zvHvR","name":"run_mal","inputFileName":"foo","runScript":"cp -r /usercode /Educative/nodejssecurity-headers-xframe-malicious","ports":"3000","startScript":"cp -r /usercode /Educative/nodejssecurity-headers-xframe-malicious\ncd /Educative/nodejssecurity-headers-xframe-innocent\nnohup npm start > /dev/null 2>&1 &\ncd /Educative/nodejssecurity-headers-xframe-malicious\nnpm start","jobType":"Live","https":false,"forceRelaunchOnRun":false,"runInLiveContainer":true},{"key":"B4OpzciNNzoW6GWc3kyco","name":"Chrome_hsts","inputFileName":"foo","runScript":"cd /Educative/nodejssecurity-headers-hsts/ \nnohup npm start > /dev/null 2>&1 &\nexport DISPLAY=:1.0;\ngoogle-chrome --no-sandbox","jobType":"GUI","forceRelaunchOnRun":false,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"dU2L1rfdPvznHh13PnpKj","name":"Chrome_hsts-mkcert","inputFileName":"foo","runScript":"nohup google-chrome --no-sandbox --disable-gpu --disable-software-rasterizer > /dev/null 2>&1 &\nsleep 3\npkill chrome\neval \"$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)\"\nmkcert -install\nclear\ntmux \\new-session \"cd /Educative/nodejssecurity-headers-hsts && npm start ; read\" \\; split-window \"export DISPLAY=:1.0 && google-chrome http://localhost:80 https://localhost:443 --no-sandbox --disable-gpu --disable-software-rasterizer; read\" \\; select-layout even-horizontal","jobType":"GUI","forceRelaunchOnRun":true,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"2w6T32N3QuP0T1PMoNOfc","name":"debug","inputFileName":"foo","runScript":"echo \"hi\"","ports":"3000","startScript":"echo \"hi\"","jobType":"Live","forceRelaunchOnRun":true,"runInLiveContainer":true},{"key":"Zg9nqvQXGGJuTurEHh_rc","name":"Chrome_hsts-mal","inputFileName":"foo","runScript":"cp -r /usercode/* /Educative/nodejssecurity-headers-xframe-malicious\ncd /Educative/nodejssecurity-headers-xframe-innocent\nnohup npm start > /dev/null 2>&1 &\ntmux \\new-session \"cd /Educative/nodejssecurity-headers-xframe-malicious && npm start ; read\" \\; split-window \"export DISPLAY=:1.0 && google-chrome http://localhost:3000 --no-sandbox --disable-gpu --disable-software-rasterize; read\" \\; select-layout even-horizontal","jobType":"GUI","forceRelaunchOnRun":true,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"voswksFkoJ7OwojQq8wP_","name":"Chrome_hsts-inn","inputFileName":"foo","runScript":"cp -r /usercode/* /Educative/nodejssecurity-headers-xframe-innocent\ncd /Educative/nodejssecurity-headers-xframe-innocent\nnohup npm start > /dev/null 2>&1 &\ntmux \\new-session \"cd /Educative/nodejssecurity-headers-xframe-malicious && npm start ; read\" \\; split-window \"export DISPLAY=:1.0 && google-chrome http://localhost:3000 http://localhost:3001 --no-sandbox --disable-gpu --disable-software-rasterize; read\" \\; select-layout even-horizontal","jobType":"GUI","forceRelaunchOnRun":true,"forceRelaunchOnCompChange":true,"runInLiveContainer":false}],"loaded":true},"discounted_price":null,"cover_image_id":6163948040093696,"cover_image_metadata":"{\"width\":1024,\"height\":512,\"sizeInBytes\":49566,\"name\":\"Understanding HTTP Security Headers_ .png\"}","cover_image_serving_url":"/v2api/collection/6369210000211968/6214384662609920/image/6163948040093696","tags":["web security","http security headers","Security headers","X XSS protection","Chrome's lighthouse"],"intro_video_url":"","intro_video_thumbnail_url":null,"aggregated_widget_stats":{"MarkdownEditor":68,"codeExerciseCount":0,"codeRunnableCount":1,"codeSnippetCount":31,"illustrations":19,"MxGraphWidget":1,"Code":1,"VNC":4,"Quiz":5,"Image":18,"SpoilerEditor":3,"StructuredQuiz":3,"TerminalWidget":1,"projects":0,"assessments":0},"default_themes":{"code_themes":{"SPA":"default","Code":"default","isForced":{"SPA":false,"Code":false,"Markdown":false,"RunJS":false},"Markdown":"default","RunJS":"default"}},"api_keys":{"api_keys":[]},"skills":[],"testimonials":[],"licensing":null,"target_audience":"beginner","author_id":"6369210000211968","collection_id":"6214384662609920","approval_status":3005,"price":29,"is_private":false,"path_type":"regular","organization_id":null,"is_mini":false,"is_priced":true,"brief_summary":" Gain insights into HTTP security headers, learn their risks, explore solutions, and discover how to implement them using Helmet for enhanced web application security.","approval_update_time":"2021-10-04T17:42:20.560Z","udata_files":[],"CodeThemes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"collection_type":"collection","adaptive_learning_mode":false,"HLOs_to_toc":{},"is_guide":false,"read_time":4200,"allow_logged_out_executions":false,"unique_live_widget_urls":false,"metadata_status":101},"pageSummarySSR":{"title":"Educational resources","description":"The following provides a list of resources to extend your knowledge beyond all that we learned in this course.","discourse_page_url":"https://discuss.educative.io/tag/educational-resources__whats-next__web-application-security-understanding-http-security-headers?open=true&ctag=web-application-security-understanding-http-security-headers__liran-tal&cslug=web-application-security-http-headers&pslug=educational-resources"},"adaptiveLearningConfigConstantSSR":0,"enableLessonPageLockedBannerV2":true,"allowAllLessonPreview":false,"lockedBannerStatsSSR":{"b2cTrialStats":{"is_b2c_trial_active":true,"b2c_trial_active_duration":7,"b2c_trial_categories":"$2b"},"b2cStatus":100,"learnerTags":"$2c","workStats":1430,"interviewWorksStats":76,"inL2cStarterPack":false,"l2cWorkStats":38,"enableL2cStarterPackPaymentWidget":"true"},"pageTocSSR":"","authorId":"6369210000211968","collectionId":"6214384662609920","pageId":"4819951587164160","isCollectionPageLockedCachingEnabled":true,"aceFeatureFlags":{"enableAceEditor":true,"enableAceEditorForAnswers":true},"meta":{"type":["Article","TechArticle"],"title":"Educational resources","name":"Web Application Security: Understanding HTTP Security Headers","description":"The following provides a list of resources to extend your knowledge beyond all that we learned in this course.","image":"https://educative.io/api/collection/6369210000211968/6214384662609920/image/6163948040093696.png","isAccessibleForFree":false,"keywords":"$2c","provider":"Educative","publisher":"Educative","id":"courses/web-application-security-http-headers/educational-resources","author":"Liran Tal","educationalLevel":"beginner","noIndex":false,"isForcedNoIndex":false,"noFollow":false,"redirectInfo":{"isDeletedCollectionPageRedirectable":false},"page_titles":"$2d","is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"deleted_course_lesson_redirect":{"author_id":null,"collection_id":null,"page_id":null,"redirect_url_slug":null},"metadata_status":101,"additional_course_alternatives":[]},"requestUrl":"/courses/web-application-security-http-headers/educational-resources","requestUrlInfo":{"authorId":"6369210000211968","collectionId":"6214384662609920","pageId":"4819951587164160","courseUrlSlug":"web-application-security-http-headers","pageUrlSlug":"educational-resources"},"isExternalContent":false}}],[["$","script",null,{"id":"generate-data","type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$2e"}}],false,"$undefined"]]