10:[["$","$L123",null,{"props":{"lessonContent":{"components":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"d7c24b21-5948-4d8f-b579-e79b660d247a","text":"## Introduction\nCookies contain very sensitive information. If attackers can get a hold of a session ID, they can impersonate users by [hijacking their sessions](https://en.wikipedia.org/wiki/Session_hijacking).\n\nMost *session hijacking* attacks usually happen through a *man-in-the-middle* who can listen to the unencrypted traffic between the client and server and steal any information that's been exchanged. If a cookie is exchanged via HTTP, then it's vulnerable to MITM attacks and session hijacking.\n\nTo overcome the issue, we can use HTTPS when issuing the cookie and add the `Secure` flag to it. This instructs browsers to never send this cookie in plain HTTP requests.\n\n## Example\n\nGoing back to our practical example at https://github.com/odino/wasec/tree/master/cookies, we can test this out by navigating to [https://wasec.local:7889/?secure=on](https://wasec.local:7889/?secure=on). The server sets two additional cookies, one with the `Secure` flag and one without","mdHtml":"

Introduction

Cookies contain very sensitive information. If attackers can get a hold of a session ID, they can impersonate users by hijacking their sessions.

Most session hijacking attacks usually happen through a man-in-the-middle who can listen to the unencrypted traffic between the client and server ...

","cursorPosition":{"line":0,"ch":0}},"hash":"1","saveVersion":2,"iteration":23}],"summary":{"description":"In this lesson, we'll look at the secure directive."},"content":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"d7c24b21-5948-4d8f-b579-e79b660d247a","text":"# Introduction\nCookies contain very sensitive information. If attackers can get a hold of a session ID, they can impersonate users by [hijacking their sessions](https://en.wikipedia.org/wiki/Session_hijacking).\n\nMost *session hijacking* attacks usually happen through a *man-in-the-middle* who can listen to the unencrypted traffic between the client and server and steal any information that's been exchanged. If a cookie is exchanged via HTTP, then it's vulnerable to MITM attacks and session hijacking.\n\nTo overcome the issue, we can use HTTPS when issuing the cookie and add the `Secure` flag to it. This instructs browsers to never send this cookie in plain HTTP requests.\n\n# Example\n\nGoing back to our practical example at https://github.com/odino/wasec/tree/master/cookies, we can test this out by navigating to [https://wasec.local:7889/?secure=on](https://wasec.local:7889/?secure=on). The server sets two additional cookies, one with the `Secure` flag and one without","mdHtml":"

Introduction

Cookies contain very sensitive information. If attackers can get a hold of a session ID, they can impersonate users by hijacking their sessions.

Most session hijacking attacks usually happen through a man-in-the-middle who can listen to the unencrypted traffic between the client and server ...

","cursorPosition":{"line":0,"ch":0}},"hash":"1","saveVersion":2,"iteration":23}],"darkModeContent":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"d7c24b21-5948-4d8f-b579-e79b660d247a","text":"# Introduction\nCookies contain very sensitive information. If attackers can get a hold of a session ID, they can impersonate users by [hijacking their sessions](https://en.wikipedia.org/wiki/Session_hijacking).\n\nMost *session hijacking* attacks usually happen through a *man-in-the-middle* who can listen to the unencrypted traffic between the client and server and steal any information that's been exchanged. If a cookie is exchanged via HTTP, then it's vulnerable to MITM attacks and session hijacking.\n\nTo overcome the issue, we can use HTTPS when issuing the cookie and add the `Secure` flag to it. This instructs browsers to never send this cookie in plain HTTP requests.\n\n# Example\n\nGoing back to our practical example at https://github.com/odino/wasec/tree/master/cookies, we can test this out by navigating to [https://wasec.local:7889/?secure=on](https://wasec.local:7889/?secure=on). The server sets two additional cookies, one with the `Secure` flag and one without","mdHtml":"

Introduction

Cookies contain very sensitive information. If attackers can get a hold of a session ID, they can impersonate users by hijacking their sessions.

Most session hijacking attacks usually happen through a man-in-the-middle who can listen to the unencrypted traffic between the client and server ...

","cursorPosition":{"line":0,"ch":0}},"hash":"1","saveVersion":2,"iteration":23}]},"isPreviewLesson":false,"pageType":"collection_lesson","aiCoachVideoUrl":"https://youtu.be/kgl8y9J3O6c","collectionDetailsSSR":{"title":"Web Application Security for the Everyday Software Engineer","summary":"There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.\n\nIn this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. \n\nIn the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.\n\nThis course will demystify web security, and help you stay on top of important security-related concerns in your web apps.","details":"","clos":[],"arabic_available":false,"toc":{"categories":[{"id":"y51p9fpd1","title":"Introduction","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"Introduction to the Course","is_preview":true,"parentIndex":null,"id":6191047056031744,"type":"collection_lesson","slug":"introduction-to-the-course"},{"is_recovered":false,"editMode":false,"is_preview":true,"title":"Who This Course Is For?","parentIndex":null,"id":6515604514144256,"type":"collection_lesson","slug":"who-this-course-is-for"},{"is_recovered":false,"editMode":false,"title":"Formatting","is_preview":false,"parentIndex":null,"id":6144502159900672,"type":"collection_lesson","slug":"formatting"},{"is_recovered":false,"editMode":false,"title":"Errata and Additional Content","is_preview":false,"parentIndex":null,"id":4983193536036864,"type":"collection_lesson","slug":"errata-and-additional-content"}],"summary":"Get familiar with essential web app security practices, audience focus, formatting, and future content."},{"id":"ycmxvppr3","title":"Understanding The Browser","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"Browser Basics","is_preview":false,"parentIndex":null,"id":5813296562176000,"type":"collection_lesson","slug":"browser-basics"},{"is_recovered":false,"editMode":false,"title":"What Does a Browser Do?","is_preview":false,"parentIndex":null,"id":5672559073820672,"type":"collection_lesson","slug":"what-does-a-browser-do"},{"is_recovered":false,"editMode":false,"title":"Vendors","is_preview":false,"parentIndex":null,"id":6264714335092736,"type":"collection_lesson","slug":"vendors"},{"is_recovered":false,"editMode":false,"title":"A Browser for Developers","is_preview":true,"parentIndex":null,"id":5176747042537472,"type":"collection_lesson","slug":"a-browser-for-developers"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Quiz Yourself on Browsers","parentIndex":null,"id":6129176592515072,"type":"collection_lesson","slug":"quiz-yourself-on-browsers"}],"summary":"Look at browser mechanics to understand functionality, security, and development tools."},{"id":"6qdlqoeev","title":"HTTP","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Introduction to HTTP","parentIndex":null,"id":5141283162030080,"type":"collection_lesson","slug":"introduction-to-http"},{"is_recovered":false,"editMode":false,"title":"How HTTP Works","is_preview":false,"parentIndex":null,"id":5691356803497984,"type":"collection_lesson","slug":"how-http-works"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Mechanics: HTTP vs HTTPS vs H2","parentIndex":null,"id":5446620641492992,"type":"collection_lesson","slug":"mechanics-http-vs-https-vs-h2"},{"is_recovered":false,"editMode":false,"title":"Mechanics: Encryption","is_preview":false,"parentIndex":null,"id":4973509626298368,"type":"collection_lesson","slug":"mechanics-encryption"},{"is_recovered":false,"editMode":false,"title":"HTTPS Everywhere","is_preview":false,"parentIndex":null,"id":6143883248402432,"type":"collection_lesson","slug":"https-everywhere"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"GET vs POST","parentIndex":null,"id":5602190329643008,"type":"collection_lesson","slug":"get-vs-post"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Quiz Yourself on HTTP","parentIndex":null,"id":6296457733734400,"type":"collection_lesson","slug":"quiz-yourself-on-http"}],"summary":"Break apart HTTP's mechanisms, security enhancements, and essential distinctions for secure communication."},{"id":"k3fao0k9z","title":"Protection through HTTP Headers","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"HTTP Strict Transport Security","is_preview":false,"parentIndex":null,"id":6285054763335680,"type":"collection_lesson","slug":"http-strict-transport-security"},{"is_recovered":false,"editMode":false,"title":"HTTP Public Key Pinning","is_preview":false,"parentIndex":null,"id":5198853675417600,"type":"collection_lesson","slug":"http-public-key-pinning"},{"is_recovered":false,"editMode":false,"title":"Expect-CT","is_preview":false,"parentIndex":null,"id":5857052682354688,"type":"collection_lesson","slug":"expect-ct"},{"is_recovered":false,"editMode":false,"title":"X-Frame-Options","is_preview":true,"parentIndex":null,"id":6616272071557120,"type":"collection_lesson","slug":"x-frame-options"},{"is_recovered":false,"editMode":false,"title":"Content-Security-Policy","is_preview":false,"parentIndex":null,"id":4940158097948672,"type":"collection_lesson","slug":"content-security-policy"},{"is_recovered":false,"editMode":false,"title":"X-XSS-Protection","is_preview":false,"parentIndex":null,"id":4893635347742720,"type":"collection_lesson","slug":"x-xss-protection"},{"is_recovered":false,"editMode":false,"title":"Feature-Policy","is_preview":false,"parentIndex":null,"id":6566529740046336,"type":"collection_lesson","slug":"feature-policy"},{"is_recovered":false,"editMode":false,"title":"X-Content-Type-Options","is_preview":false,"parentIndex":null,"id":6059486704828416,"type":"collection_lesson","slug":"x-content-type-options"},{"is_recovered":false,"editMode":false,"title":"Cross Origin Resource Sharing","is_preview":false,"parentIndex":null,"id":5303123166887936,"type":"collection_lesson","slug":"cross-origin-resource-sharing"},{"is_recovered":false,"editMode":false,"title":"X-Permitted-Cross-Domain-Policies & Referrer-Policy","is_preview":false,"parentIndex":null,"id":6053230615199744,"type":"collection_lesson","slug":"x-permitted-cross-domain-policies-referrer-policy"},{"is_recovered":false,"editMode":false,"title":"The reporting API","is_preview":false,"parentIndex":null,"id":6302367440961536,"type":"collection_lesson","slug":"the-reporting-api"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Quiz Yourself on HTTP Headers","parentIndex":null,"id":6606146484830208,"type":"collection_lesson","slug":"quiz-yourself-on-http-headers"}],"summary":"Find out about enhancing web security through various HTTP headers and their practical applications."},{"id":"fwsxkkuk5","title":"HTTP Cookies","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"Introduction HTTP Cookies","is_preview":false,"parentIndex":null,"id":5545136755834880,"type":"collection_lesson","slug":"introduction-http-cookies"},{"is_recovered":false,"editMode":false,"title":"What's Behind a Cookie?","is_preview":false,"parentIndex":null,"id":6480161571602432,"type":"collection_lesson","slug":"whats-behind-a-cookie"},{"is_recovered":false,"editMode":false,"title":"Session and Persistent Cookies","is_preview":false,"parentIndex":null,"id":5335506213666816,"type":"collection_lesson","slug":"session-and-persistent-cookies"},{"is_recovered":false,"editMode":false,"title":"Host-only","is_preview":false,"parentIndex":null,"id":5422214020071424,"type":"collection_lesson","slug":"host-only"},{"is_recovered":false,"editMode":false,"title":"Supercookies","is_preview":false,"parentIndex":null,"id":4668418604138496,"type":"collection_lesson","slug":"supercookies"},{"is_recovered":false,"editMode":false,"title":"Encrypt it Or Forget it","is_preview":false,"parentIndex":null,"id":5363057757782016,"type":"collection_lesson","slug":"encrypt-it-or-forget-it"},{"is_recovered":false,"editMode":false,"title":"JavaScript Can't Touch This","is_preview":false,"parentIndex":null,"id":4620022811983872,"type":"collection_lesson","slug":"javascript-cant-touch-this"},{"is_recovered":false,"editMode":false,"title":"SameSite: The CSRF Killer","is_preview":false,"parentIndex":null,"id":5249263270363136,"type":"collection_lesson","slug":"samesite-the-csrf-killer"},{"is_recovered":false,"editMode":false,"title":"Alternatives","is_preview":false,"parentIndex":null,"id":5982029519781888,"type":"collection_lesson","slug":"alternatives"},{"is_recovered":false,"editMode":false,"title":"Conclusion: What Would LeBron Do?","is_preview":false,"parentIndex":null,"id":6136393496526848,"type":"collection_lesson","slug":"conclusion-what-would-lebron-do"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Quiz Yourself on HTTP Cookies","parentIndex":null,"id":5385739899502592,"type":"collection_lesson","slug":"quiz-yourself-on-http-cookies"}],"summary":"Map out the steps for understanding, implementing, and securing HTTP cookies in web development."},{"id":"1eimzmxbe","title":"Situationals","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"title":"Introduction to Situationals","is_preview":false,"parentIndex":null,"id":4543080653914112,"type":"collection_lesson","slug":"introduction-to-situationals"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Denylisting vs. Allowlisting","parentIndex":null,"id":5938972908847104,"type":"collection_lesson","slug":"denylisting-vs-allowlisting"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Logging Secrets","parentIndex":null,"id":6025978913488896,"type":"collection_lesson","slug":"logging-secrets"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Never Trust The Client","parentIndex":null,"id":4776636378513408,"type":"collection_lesson","slug":"never-trust-the-client"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Generating Session IDs","parentIndex":null,"id":4552528038461440,"type":"collection_lesson","slug":"generating-session-ids"},{"is_recovered":false,"editMode":false,"is_preview":true,"title":"Querying Your Database While Avoiding SQL Injections","parentIndex":null,"id":4771085502382080,"type":"collection_lesson","slug":"querying-your-database-while-avoiding-sql-injections"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Dependencies With Known Vulnerabilities","parentIndex":null,"id":5462186039181312,"type":"collection_lesson","slug":"dependencies-with-known-vulnerabilities"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Have I Been Pwned?","parentIndex":null,"id":4529800178827264,"type":"collection_lesson","slug":"have-i-been-pwned"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Session Invalidation in a Stateless Architecture","parentIndex":null,"id":6596048379183104,"type":"collection_lesson","slug":"session-invalidation-in-a-stateless-architecture"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"My CDN Was Compromised!","parentIndex":null,"id":6552289406877696,"type":"collection_lesson","slug":"my-cdn-was-compromised"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"The Slow Death of EV Certificates","parentIndex":null,"id":4928257414660096,"type":"collection_lesson","slug":"the-slow-death-of-ev-certificates"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Paranoid Mode: On","parentIndex":null,"id":5491207368081408,"type":"collection_lesson","slug":"paranoid-mode-on"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Low-priority and Delegated Domains","parentIndex":null,"id":5906543254962176,"type":"collection_lesson","slug":"low-priority-and-delegated-domains"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"OWASP","parentIndex":null,"id":4702623723683840,"type":"collection_lesson","slug":"owasp"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Hold The Door","parentIndex":null,"id":4718279953219584,"type":"collection_lesson","slug":"hold-the-door"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Quiz Yourself on Situationals","parentIndex":null,"id":6750562528788480,"type":"collection_lesson","slug":"quiz-yourself-on-situationals"}],"summary":"Focus on making security-focused decisions in software engineering to enhance web app protection."},{"id":"vlmi57a4w","title":"DDoS Attacks","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"is_preview":true,"title":"Introduction to DDoS","parentIndex":null,"id":5326584224415744,"type":"collection_lesson","slug":"introduction-to-ddos"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Anatomy of a DDoS","parentIndex":null,"id":5212042983112704,"type":"collection_lesson","slug":"anatomy-of-a-ddos"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Why Would Anyone Bomb Me?","parentIndex":null,"id":4948825543278592,"type":"collection_lesson","slug":"why-would-anyone-bomb-me"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Notable DDoS Attacks","parentIndex":null,"id":6335186628247552,"type":"collection_lesson","slug":"notable-ddos-attacks"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Don't Panic: Some Services to The Rescue!","parentIndex":null,"id":5836883515932672,"type":"collection_lesson","slug":"dont-panic-some-services-to-the-rescue"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Hackers Welcome","parentIndex":null,"id":5923373688291328,"type":"collection_lesson","slug":"hackers-welcome"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Quiz Yourself on DDoS Attacks","parentIndex":null,"id":6270139180777472,"type":"collection_lesson","slug":"quiz-yourself-on-ddos-attacks"}],"summary":"Build on understanding DDoS attacks, their mechanics, real-world examples, and mitigation strategies."},{"id":"pi9f72mgs","title":"Bug Bounty Programs","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"is_preview":true,"title":"Introduction to Bug Bounty Programs","parentIndex":null,"id":6473472998899712,"type":"collection_lesson","slug":"introduction-to-bug-bounty-programs"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"What's in a Program?","parentIndex":null,"id":5139363647193088,"type":"collection_lesson","slug":"whats-in-a-program"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Security.txt","parentIndex":null,"id":6588420517265408,"type":"collection_lesson","slug":"security-txt"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"HackerOne","parentIndex":null,"id":6452296931082240,"type":"collection_lesson","slug":"hackerone"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Dealing With Researchers","parentIndex":null,"id":6372192066469888,"type":"collection_lesson","slug":"dealing-with-researchers"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Malicious Reporters","parentIndex":null,"id":6608873487073280,"type":"collection_lesson","slug":"malicious-reporters"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"Quiz Yourself on Bug Bounty Programs","parentIndex":null,"id":5670467793846272,"type":"collection_lesson","slug":"quiz-yourself-on-bug-bounty-programs"}],"summary":"Learn how to use bug bounty programs to enhance software security through ethical collaboration."},{"id":"wt2aunqcd","title":"Conclusion","type":"COLLECTION_CATEGORY","editMode":false,"pages":[{"is_recovered":false,"editMode":false,"is_preview":false,"title":"This Is The End","parentIndex":null,"id":6291280486203392,"type":"collection_lesson","slug":"this-is-the-end"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"In the Works","parentIndex":null,"id":5023963043332096,"type":"collection_lesson","slug":"in-the-works"},{"is_recovered":false,"editMode":false,"is_preview":false,"title":"A Few Thank Yous","parentIndex":null,"id":4999754929930240,"type":"collection_lesson","slug":"a-few-thank-yous"}],"summary":"Get started with viewing security as an ongoing journey, future-proofing updates, and community appreciation."},{"page_id":5273365563703296,"id":5273165836976128,"title":"Deploy an API to Production Using Nginx","pages":[],"editMode":false,"type":"PATH_EXTERNAL_PROJECT","author_id":6586453712175104,"collection_id":5749692200779776,"is_required":false,"detail_id":"project_6586453712175104_5749692200779776_5273365563703296","cover_image_serving_url":null,"collection_read_time":0,"page_count":0,"brief_summary":null,"course_url_slug":null,"assessments_keys":[],"projects_keys":[],"optional_lessons":[],"time_limit":null}]},"page_titles":{"5836883515932672":"Don't Panic: Some Services to The Rescue!","5303123166887936":"Cross Origin Resource Sharing","6291280486203392":"This Is The End","6296457733734400":"Quiz Yourself on HTTP","5446620641492992":"Mechanics: HTTP vs HTTPS vs H2","6143883248402432":"HTTPS Everywhere","5545136755834880":"Introduction HTTP Cookies","5462186039181312":"Dependencies With Known Vulnerabilities","6608873487073280":"Malicious Reporters","5139363647193088":"What's in a Program?","5176747042537472":"A Browser for Developers","6515604514144256":"Who This Course Is For?","5491207368081408":"Paranoid Mode: On","6473472998899712":"Introduction to Bug Bounty Programs","6335186628247552":"Notable DDoS Attacks","5938972908847104":"Denylisting vs. Allowlisting","6264714335092736":"Vendors","6144502159900672":"Formatting","4983193536036864":"Errata and Additional Content","4702623723683840":"OWASP","6596048379183104":"Session Invalidation in a Stateless Architecture","4718279953219584":"Hold The Door","5691356803497984":"How HTTP Works","5672559073820672":"What Does a Browser Do?","4620022811983872":"JavaScript Can't Touch This","4940158097948672":"Content-Security-Policy","6552289406877696":"My CDN Was Compromised!","4543080653914112":"Introduction to Situationals","5385739899502592":"Quiz Yourself on HTTP Cookies","5023963043332096":"In the Works","4529800178827264":"Have I Been Pwned?","4668418604138496":"Supercookies","4771085502382080":"Querying Your Database While Avoiding SQL Injections","6053230615199744":"X-Permitted-Cross-Domain-Policies & Referrer-Policy","6191047056031744":"Introduction to the Course","6129176592515072":"Quiz Yourself on Browsers","4948825543278592":"Why Would Anyone Bomb Me?","5363057757782016":"Encrypt it Or Forget it","5335506213666816":"Session and Persistent Cookies","5813296562176000":"Browser Basics","5923373688291328":"Hackers Welcome","4893635347742720":"X-XSS-Protection","5326584224415744":"Introduction to DDoS","5422214020071424":"Host-only","5857052682354688":"Expect-CT","6616272071557120":"X-Frame-Options","6750562528788480":"Quiz Yourself on Situationals","6302367440961536":"The reporting API","5602190329643008":"GET vs POST","6372192066469888":"Dealing With Researchers","5198853675417600":"HTTP Public Key Pinning","5141283162030080":"Introduction to HTTP","6270139180777472":"Quiz Yourself on DDoS Attacks","6025978913488896":"Logging Secrets","6588420517265408":"Security.txt","6480161571602432":"What's Behind a Cookie?","4999754929930240":"A Few Thank Yous","6566529740046336":"Feature-Policy","5670467793846272":"Quiz Yourself on Bug Bounty Programs","4776636378513408":"Never Trust The Client","5249263270363136":"SameSite: The CSRF Killer","6452296931082240":"HackerOne","6136393496526848":"Conclusion: What Would LeBron Do?","5982029519781888":"Alternatives","5906543254962176":"Low-priority and Delegated Domains","6606146484830208":"Quiz Yourself on HTTP Headers","4973509626298368":"Mechanics: Encryption","6285054763335680":"HTTP Strict Transport Security","5212042983112704":"Anatomy of a DDoS","4552528038461440":"Generating Session IDs","6059486704828416":"X-Content-Type-Options","4928257414660096":"The Slow Death of EV Certificates"},"page_tags":{"5836883515932672":"","5303123166887936":"","6291280486203392":"","6296457733734400":"","6025978913488896":"","5446620641492992":"","6143883248402432":"","5545136755834880":"","5462186039181312":"","6608873487073280":"","5139363647193088":"","5176747042537472":"","6515604514144256":"","6473472998899712":"","6335186628247552":"","5938972908847104":"","6264714335092736":"","6144502159900672":"","4983193536036864":"","4702623723683840":"","6596048379183104":"","4718279953219584":"","5691356803497984":"","5672559073820672":"","4620022811983872":"","4940158097948672":"","5982029519781888":"","4543080653914112":"","5385739899502592":"","5023963043332096":"","4529800178827264":"","4668418604138496":"","4771085502382080":"","6053230615199744":"","6191047056031744":"","6129176592515072":"","4948825543278592":"","5363057757782016":"","5335506213666816":"","5813296562176000":"","5923373688291328":"","5491207368081408":"","5326584224415744":"","5422214020071424":"","5857052682354688":"","6616272071557120":"","6750562528788480":"","6302367440961536":"","5602190329643008":"","6372192066469888":"","5198853675417600":"","5141283162030080":"","6270139180777472":"","4893635347742720":"","6588420517265408":"","6480161571602432":"","4999754929930240":"","6566529740046336":"","5670467793846272":"","4776636378513408":"","5249263270363136":"","6452296931082240":"","6136393496526848":"","6552289406877696":"","5906543254962176":"","6606146484830208":"","4973509626298368":"","6285054763335680":"","5212042983112704":"","4552528038461440":"","6059486704828416":"","4928257414660096":""},"collection_toc_is_enabled":true,"page_count":null,"docker":{"container":{"buildLogUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/log","buildStatusUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/status","tarballDownloadUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/download","id":-1,"imageName":"author-10370001-collection-4994778405011456-rev-31-container-5611703325687808-new","file":{"name":"new.tar.gz","size":2461334},"rebuildImageUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/rebuild","buildStatus":"SUCCESS","metadata":{"sizeInBytes":2461334},"track":false},"envs":[],"jobs":[{"runInLiveContainer":true,"name":"node","startScript":"npm start --prefix /usr/src/app","inputFileName":"foo","key":"813fa08b-f9aa-49b3-8456-798a4efa6e37","runScript":"cp /usercode/* /usr/src/app","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"cookies","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","key":"7bece526-9d47-48d5-b4be-f290146d6024","runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"hsts","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","key":"03e2c0a2-37f2-403c-8d78-1a2e1bea60da","runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"90a93256-44a0-4d84-a9fa-428a4bd90e60","runInLiveContainer":true,"name":"hsts-https","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","https":true,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7889"},{"key":"6dcb5825-5083-437b-aed6-ed2e8bbedbb5","runInLiveContainer":true,"name":"sri","startScript":"cp /usr/src/app/package*.json /usercode/sri && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode/sri && npm start","inputFileName":"foo","https":false,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"0f8d20ee-8c02-4277-81a9-94a9d5560321","runInLiveContainer":true,"name":"cookies-https","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7889"},{"key":"16ef4323-812b-449b-8d33-5c92a35a90fb","runInLiveContainer":true,"name":"clickjacking","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/clickjacking && cp -r /usr/src/app/imgs/* /usercode/clickjacking && cd /usercode/clickjacking && npm start ","inputFileName":"foo","https":false,"runScript":"echo \"Running code...\"","buildScript":"","ports":"7888"},{"key":"30f1abf3-5ca4-43e2-8494-aa9fc994a67d","runInLiveContainer":true,"name":"cors","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cors && cd /usercode && mkcert wasec.local && cd cors && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cors && cp /usercode/cors/index.js /usr/src/cors","buildScript":"","ports":"7888"}],"testRunners":[],"version":3,"loaded":true},"discounted_price":39,"cover_image_id":4572926192910336,"cover_image_metadata":"\"{\\\"width\\\":1024,\\\"height\\\":512,\\\"sizeInBytes\\\":35059,\\\"name\\\":\\\"Cover-3.png\\\"}\"","cover_image_serving_url":"/v2api/collection/10370001/4994778405011456/image/4572926192910336","tags":["Network security","SQL injection","Cross-site scripting","CSRF","cryptography"],"intro_video_url":"","intro_video_thumbnail_url":"","aggregated_widget_stats":{"codeRunnableCount":12,"illustrations":59,"MarkdownEditor":154,"codeExerciseCount":0,"codeSnippetCount":53,"MxGraphWidget":56,"TerminalWidget":1,"Columns":8,"Code":6,"Quiz":7,"RunJS":1,"WebpackBin":6,"projects":0,"assessments":0,"cloudlabs":0},"default_themes":{"code_themes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}}},"api_keys":{"api_keys":[]},"skills":[],"testimonials":[],"licensing":null,"target_audience":"intermediate","author_id":"10370001","collection_id":"4994778405011456","approval_status":3005,"price":59,"is_private":false,"path_type":"regular","organization_id":null,"is_mini":false,"is_priced":true,"brief_summary":"Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.","approval_update_time":"2020-06-29T23:09:47.538Z","rating_visibility":true,"update_last_published_on_homepage":true,"show_developed_by":true,"udata_files":[],"CodeThemes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"collection_type":"collection","adaptive_learning_mode":false,"HLOs_to_toc":{},"is_guide":false,"read_time":14400,"allow_logged_out_executions":false,"unique_live_widget_urls":false,"metadata_status":101},"pageSummarySSR":{"title":"Encrypt it Or Forget it","description":"In this lesson, we'll look at the secure directive.","discourse_page_url":"https://discuss.educative.io/tag/encrypt-it-or-forget-it__http-cookies__web-application-security-for-the-everyday-software-engineer?open=true&ctag=web-application-security-for-the-everyday-software-engineer__alex-nadalin&cslug=web-application-security-everyday-software-engineer&pslug=encrypt-it-or-forget-it"},"adaptiveLearningConfigConstantSSR":0,"enableLessonPageLockedBannerV2":true,"allowAllLessonPreview":false,"lockedBannerStatsSSR":{"b2cTrialStats":{"is_b2c_trial_active":true,"b2c_trial_active_duration":7,"b2c_trial_categories":"$124"},"b2cStatus":100,"learnerTags":"$125","workStats":1440,"interviewWorksStats":78,"inL2cStarterPack":false,"l2cWorkStats":43,"enableL2cStarterPackPaymentWidget":"true"},"pageTocSSR":"*\n * [Introduction](#introduction)\n * [Example](#example)\n","authorId":"10370001","collectionId":"4994778405011456","pageId":"5363057757782016","isCollectionPageLockedCachingEnabled":true,"aceFeatureFlags":{"enableAceEditor":true,"enableAceEditorForAnswers":true},"meta":{"type":["Article","TechArticle"],"title":"Encrypt it Or Forget it","name":"Web Application Security for the Everyday Software Engineer","description":"In this lesson, we'll look at the secure directive.","image":"https://educative.io/api/collection/10370001/4994778405011456/image/4572926192910336.png","isAccessibleForFree":false,"keywords":"$125","provider":"Educative","publisher":"Educative","id":"courses/web-application-security-everyday-software-engineer/encrypt-it-or-forget-it","author":"Educative","educationalLevel":"intermediate","noIndex":true,"isForcedNoIndex":true,"noFollow":false,"redirectInfo":{"isDeletedCollectionPageRedirectable":false},"page_titles":"$126","is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"deleted_course_lesson_redirect":{"author_id":null,"collection_id":null,"page_id":null,"redirect_url_slug":null},"metadata_status":101,"additional_course_alternatives":[]},"requestUrl":"/courses/web-application-security-everyday-software-engineer/encrypt-it-or-forget-it","requestUrlInfo":{"authorId":"10370001","collectionId":"4994778405011456","pageId":"5363057757782016","courseUrlSlug":"web-application-security-everyday-software-engineer","pageUrlSlug":"encrypt-it-or-forget-it"},"isExternalContent":false}}],[["$","script",null,{"id":"generate-data","type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$127"}}],false,"$undefined"]]