    Gain insights into HTTP security headers, learn their risks, explore solutions, and discover how to implement them using Helmet for enhanced web application security.

HSTS_brew_final.tar.gz

Chrome

run_mal

Chrome_hsts

Chrome_hsts-mkcert

debug

Chrome_hsts-mal

Chrome_hsts-inn

This course teaches you hands-on practical use of HTTP security headers as browser security controls to help secure web applications.

For each HTTP security header that can enhance your web application security, you'll learn what is the overall risk of not implementing it, and what does a proposed solution help with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well maintained Node.js package on npm.

Web Application Security: Understanding HTTP Security Headers

When browsers fetch remote sources of content such as JavaScript or images, they are instructed using the `Content-Type` header on the type of content.

For example, when a PDF content type is fetched by the browser, the server hints the browser by setting the following header: `Content-Type: application/pdf`.

These content types are standardized by the IANA organization as MIME types. A [full list of common MIME types can be seen here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types).

# Risk

What happens when the browser is given an incorrect MIME type for a content or not given one at all? In such a case, the browser will attempt to guess the content type by reading and interpreting the content data. This action is referred to as **MIME Sniffing**.

> More information on MIME Sniffing can be found in the official [MIME Sniffing standard](https://mimesniff.spec.whatwg.org/).

The purpose of this header is to instruct the browser to avoid guessing the web server's content type, which may lead to an incorrect render.

The **X-Content-Type-Options** HTTP header is used by IE, Chrome, and Opera to mitigate a MIME based attack.

An example of setting this header:

```
X-Content-Type-Options: nosniff
```

Helmet's implementation:

```js
const helmet = require("helmet");

app.use(helmet.noSniff());
```


The following is a quick lesson to recap browser-specific content sniffing vulnerabilities and how they can be mitigated using security headers.

Introduction

HTTP Security Headers

Testing for Security Headers

What's Next?

X Content Type Options