    Gain insights into HTTP security headers, learn their risks, explore solutions, and discover how to implement them using Helmet for enhanced web application security.

HSTS_brew_final.tar.gz

Chrome

run_mal

Chrome_hsts

Chrome_hsts-mkcert

debug

Chrome_hsts-mal

Chrome_hsts-inn

This course teaches you hands-on practical use of HTTP security headers as browser security controls to help secure web applications.

For each HTTP security header that can enhance your web application security, you'll learn what is the overall risk of not implementing it, and what does a proposed solution help with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well maintained Node.js package on npm.

Web Application Security: Understanding HTTP Security Headers

The [X-Frame-Options](http://tools.ietf.org/html/7034) HTTP header was introduced to mitigate an attack called Clickjacking. Clickjacking allows an attacker to disguise page elements such as buttons and text inputs by hiding their view behind real web pages which render on the screen using an iframe HTML element or similar objects.

> **Deprecation Notice:**
> The X-Frame-Options header was never standardized as part of an official specification but many popular browsers today still support it.
> Its successor is the Content-Security-Policy (CSP) header which will be covered in the next section. Generally, you should focus on implementing CSP for newly built web applications.

# The risk

[Clickjacking](https://owasp.org/www-community/attacks/Clickjacking) attacks, also known as UI redressing, involve misleading the user to perform a seemingly harmless operation. In reality, the user is clicking buttons that secretly belong to other elements or typing text into an input field that is under the attacker's control.

Common examples of employing a Clickjacking attack:

1. If a bank or email account website doesn't employ an `X-Frame-Options` HTTP header, then a malicious attacker can render them in an iframe and place the attacker's own input fields on the exact location of the bank or email website's input field. When you enter your username and password in this field, the attacker records your credentials information.
2. An insecure web application for video or voice chat can be exploited by Clickjacking to let the user mistakenly assume they are just clicking around on the screen or playing a game, while in reality, the series of clicks is actually turning on your webcam.

In this lesson, we'll learn about Clickjacking attacks and the dangers of 3rd-party websites using your iFrames on your website to steal information. Then, we'll learn how X-Frame Options can mitigate these attacks. 

Introduction

HTTP Security Headers

Testing for Security Headers

What's Next?

X Frame Options

The risk