    Gain insights into HTTP security headers, learn their risks, explore solutions, and discover how to implement them using Helmet for enhanced web application security.

HSTS_brew_final.tar.gz

Chrome

run_mal

Chrome_hsts

Chrome_hsts-mkcert

debug

Chrome_hsts-mal

Chrome_hsts-inn

This course teaches you hands-on practical use of HTTP security headers as browser security controls to help secure web applications.

For each HTTP security header that can enhance your web application security, you'll learn what is the overall risk of not implementing it, and what does a proposed solution help with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well maintained Node.js package on npm.

Web Application Security: Understanding HTTP Security Headers

We learned how to increase security using web controls such as HTTP headers, but how do we ensure that we're always up to date with security controls? How do we ensure there isn't a regression next week where headers are removed from an HTTP response? This problem can get even more complicated if you're working in a rich microservices environment, and need to account for more than a few services.

# Monitoring and Shifting-left

We would ideally want to #concept=shift_left#shift_left#concept# as much of the monitoring activities as possible so we can ensure that problems are detected earlier in the process rather than after the fact.

We reviewed some tools in which we can easily create a CI integration during the build process. For example, we can leverage a full WebPageTest integration for both its performance and security insights by triggering an API call upon a successful website deployment to run an end-to-end build.

Furthermore, we can use command-line tools such as Check My Headers and others to validate that server responses are indeed conforming to a policy. This helps us shift left in application security testing and find issues earlier in the software development lifecycle.


We learned how to increase security using web controls such as HTTP headers, but to further ensure that they are kept in check we need to monitor them.

Introduction

HTTP Security Headers

Testing for Security Headers

What's Next?

Monitor your web application