14:[["$","$L132",null,{"props":{"lessonContent":{"components":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"12da6bef-3d2c-4ab4-9a1f-3a1afb0b9892","text":"$133","mdHtml":"

When a server does not include a Domain directive the cookie is to be considered host-only, meaning that its validity is restricted to the current domain only.

This is a sort of default behavior from browsers when they receive a cookie that does not have a Domain set. You can find a small example I wrote at github.com/odino/wasec/tree/master/cookies. It’s a simple web app that sets cookies based on URL ...

","cursorPosition":{"line":0,"ch":0}},"hash":"1","iteration":24,"saveVersion":1}],"summary":{"description":"In this lesson, we'll study host-only cookies.","titleUpdated":true},"content":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"12da6bef-3d2c-4ab4-9a1f-3a1afb0b9892","text":"$134","mdHtml":"

When a server does not include a Domain directive the cookie is to be considered host-only, meaning that its validity is restricted to the current domain only.

","cursorPosition":{"line":0,"ch":0}},"hash":"1","iteration":24,"saveVersion":1}],"darkModeContent":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"12da6bef-3d2c-4ab4-9a1f-3a1afb0b9892","text":"$135","mdHtml":"

When a server does not include a Domain directive the cookie is to be considered host-only, meaning that its validity is restricted to the current domain only.

","cursorPosition":{"line":0,"ch":0}},"hash":"1","iteration":24,"saveVersion":1}]},"isPreviewLesson":false,"pageType":"collection_lesson","aiCoachVideoUrl":"https://youtu.be/kgl8y9J3O6c","collectionDetailsSSR":{"title":"Web Application Security for the Everyday Software Engineer","summary":"There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.\n\nIn this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. \n\nIn the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.\n\nThis course will demystify web security, and help you stay on top of important security-related concerns in your web apps.","details":"","clos":[],"arabic_available":false,"page_tags":{"5836883515932672":"","5303123166887936":"","6291280486203392":"","6296457733734400":"","6025978913488896":"","5446620641492992":"","6143883248402432":"","5545136755834880":"","5462186039181312":"","6608873487073280":"","5139363647193088":"","5176747042537472":"","6515604514144256":"","6473472998899712":"","6335186628247552":"","5938972908847104":"","6264714335092736":"","6144502159900672":"","4983193536036864":"","4702623723683840":"","6596048379183104":"","4718279953219584":"","5691356803497984":"","5672559073820672":"","4620022811983872":"","4940158097948672":"","5982029519781888":"","4543080653914112":"","5385739899502592":"","5023963043332096":"","4529800178827264":"","4668418604138496":"","4771085502382080":"","6053230615199744":"","6191047056031744":"","6129176592515072":"","4948825543278592":"","5363057757782016":"","5335506213666816":"","5813296562176000":"","5923373688291328":"","5491207368081408":"","5326584224415744":"","5422214020071424":"","5857052682354688":"","6616272071557120":"","6750562528788480":"","6302367440961536":"","5602190329643008":"","6372192066469888":"","5198853675417600":"","5141283162030080":"","6270139180777472":"","4893635347742720":"","6588420517265408":"","6480161571602432":"","4999754929930240":"","6566529740046336":"","5670467793846272":"","4776636378513408":"","5249263270363136":"","6452296931082240":"","6136393496526848":"","6552289406877696":"","5906543254962176":"","6606146484830208":"","4973509626298368":"","6285054763335680":"","5212042983112704":"","4552528038461440":"","6059486704828416":"","4928257414660096":""},"collection_toc_is_enabled":true,"page_count":null,"docker":{"container":{"buildLogUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/log","buildStatusUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/status","tarballDownloadUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/download","id":-1,"imageName":"author-10370001-collection-4994778405011456-rev-31-container-5611703325687808-new","file":{"name":"new.tar.gz","size":2461334},"rebuildImageUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/rebuild","buildStatus":"SUCCESS","metadata":{"sizeInBytes":2461334},"track":false},"envs":[],"jobs":[{"runInLiveContainer":true,"name":"node","startScript":"npm start --prefix /usr/src/app","inputFileName":"foo","key":"813fa08b-f9aa-49b3-8456-798a4efa6e37","runScript":"cp /usercode/* /usr/src/app","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"cookies","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","key":"7bece526-9d47-48d5-b4be-f290146d6024","runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"hsts","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","key":"03e2c0a2-37f2-403c-8d78-1a2e1bea60da","runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"90a93256-44a0-4d84-a9fa-428a4bd90e60","runInLiveContainer":true,"name":"hsts-https","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","https":true,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7889"},{"key":"6dcb5825-5083-437b-aed6-ed2e8bbedbb5","runInLiveContainer":true,"name":"sri","startScript":"cp /usr/src/app/package*.json /usercode/sri && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode/sri && npm start","inputFileName":"foo","https":false,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"0f8d20ee-8c02-4277-81a9-94a9d5560321","runInLiveContainer":true,"name":"cookies-https","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7889"},{"key":"16ef4323-812b-449b-8d33-5c92a35a90fb","runInLiveContainer":true,"name":"clickjacking","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/clickjacking && cp -r /usr/src/app/imgs/* /usercode/clickjacking && cd /usercode/clickjacking && npm start ","inputFileName":"foo","https":false,"runScript":"echo \"Running code...\"","buildScript":"","ports":"7888"},{"key":"30f1abf3-5ca4-43e2-8494-aa9fc994a67d","runInLiveContainer":true,"name":"cors","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cors && cd /usercode && mkcert wasec.local && cd cors && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cors && cp /usercode/cors/index.js /usr/src/cors","buildScript":"","ports":"7888"}],"testRunners":[],"version":3,"loaded":true},"discounted_price":39,"cover_image_id":4572926192910336,"cover_image_metadata":"\"{\\\"width\\\":1024,\\\"height\\\":512,\\\"sizeInBytes\\\":35059,\\\"name\\\":\\\"Cover-3.png\\\"}\"","cover_image_serving_url":"/v2api/collection/10370001/4994778405011456/image/4572926192910336","tags":["Network security","SQL injection","Cross-site scripting","CSRF","cryptography"],"intro_video_url":"","intro_video_thumbnail_url":"","aggregated_widget_stats":{"codeRunnableCount":12,"illustrations":59,"MarkdownEditor":154,"codeExerciseCount":0,"codeSnippetCount":53,"MxGraphWidget":56,"TerminalWidget":1,"Columns":8,"Code":6,"Quiz":7,"RunJS":0,"WebpackBin":6,"projects":0,"assessments":0,"cloudlabs":0,"Sandpack":1},"default_themes":{"code_themes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}}},"api_keys":{"api_keys":[]},"skills":[],"testimonials":[],"licensing":null,"target_audience":"intermediate","author_id":"10370001","collection_id":"4994778405011456","approval_status":3005,"price":59,"is_private":false,"path_type":"regular","organization_id":null,"is_mini":false,"is_priced":true,"brief_summary":"Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.","approval_update_time":"2020-06-29T23:09:47.538Z","rating_visibility":true,"update_last_published_on_homepage":true,"show_developed_by":true,"udata_files":[],"CodeThemes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"collection_type":"collection","adaptive_learning_mode":false,"HLOs_to_toc":{},"is_guide":false,"read_time":14400,"allow_logged_out_executions":false,"unique_live_widget_urls":false,"metadata_status":101,"palified_version":null},"pageSummarySSR":{"title":"Host-only","description":"In this lesson, we'll study host-only cookies.","discourse_page_url":"https://discuss.educative.io/tag/host-only__http-cookies__web-application-security-for-the-everyday-software-engineer?open=true&ctag=web-application-security-for-the-everyday-software-engineer__alex-nadalin&cslug=web-application-security-everyday-software-engineer&pslug=host-only"},"adaptiveLearningConfigConstantSSR":0,"enableLessonPageLockedBannerV2":true,"allowAllLessonPreview":false,"lockedBannerStatsSSR":{"b2cTrialStats":{"is_b2c_trial_active":true,"b2c_trial_active_duration":21,"b2c_trial_categories":"$136"},"b2cStatus":100,"learnerTags":"$137","workStats":1590,"interviewWorksStats":93,"inL2cStarterPack":false,"l2cWorkStats":46,"enableL2cStarterPackPaymentWidget":"false"},"pageTocSSR":"","authorId":"10370001","collectionId":"4994778405011456","pageId":"5422214020071424","isCollectionPageLockedCachingEnabled":true,"aceFeatureFlags":{"enableAceEditor":true,"enableAceEditorForAnswers":true},"meta":{"type":["Article","TechArticle"],"title":"Host-only","name":"Web Application Security for the Everyday Software Engineer","description":"In this lesson, we'll study host-only cookies.","image":"https://educative.io/api/collection/10370001/4994778405011456/image/4572926192910336.png","isAccessibleForFree":false,"keywords":"$137","provider":"Educative","publisher":"Educative","id":"courses/web-application-security-everyday-software-engineer/host-only","author":"Educative","educationalLevel":"intermediate","noIndex":true,"isForcedNoIndex":true,"noFollow":false,"redirectInfo":{"isDeletedCollectionPageRedirectable":false},"page_titles":{"5836883515932672":"Don't Panic: Some Services to The Rescue!","5303123166887936":"Cross Origin Resource Sharing","6291280486203392":"This Is The End","6296457733734400":"Quiz Yourself on HTTP","5446620641492992":"Mechanics: HTTP vs HTTPS vs H2","6143883248402432":"HTTPS Everywhere","5545136755834880":"Introduction HTTP Cookies","5462186039181312":"Dependencies With Known Vulnerabilities","6608873487073280":"Malicious Reporters","5139363647193088":"What's in a Program?","5176747042537472":"A Browser for Developers","6515604514144256":"Who This Course Is For?","5491207368081408":"Paranoid Mode: On","6473472998899712":"Introduction to Bug Bounty Programs","6335186628247552":"Notable DDoS Attacks","5938972908847104":"Denylisting vs. Allowlisting","6264714335092736":"Vendors","6144502159900672":"Formatting","4983193536036864":"Errata and Additional Content","4702623723683840":"OWASP","6596048379183104":"Session Invalidation in a Stateless Architecture","4718279953219584":"Hold The Door","5691356803497984":"How HTTP Works","5672559073820672":"What Does a Browser Do?","4620022811983872":"JavaScript Can't Touch This","4940158097948672":"Content-Security-Policy","6552289406877696":"My CDN Was Compromised!","4543080653914112":"Introduction to Situationals","5385739899502592":"Quiz Yourself on HTTP Cookies","5023963043332096":"In the Works","4529800178827264":"Have I Been Pwned?","4668418604138496":"Supercookies","4771085502382080":"Querying Your Database While Avoiding SQL Injections","6053230615199744":"X-Permitted-Cross-Domain-Policies & Referrer-Policy","6191047056031744":"Introduction to the Course","6129176592515072":"Quiz Yourself on Browsers","4948825543278592":"Why Would Anyone Bomb Me?","5363057757782016":"Encrypt it Or Forget it","5335506213666816":"Session and Persistent Cookies","5813296562176000":"Browser Basics","5923373688291328":"Hackers Welcome","4893635347742720":"X-XSS-Protection","5326584224415744":"Introduction to DDoS","5422214020071424":"Host-only","5857052682354688":"Expect-CT","6616272071557120":"X-Frame-Options","6750562528788480":"Quiz Yourself on Situationals","6302367440961536":"The reporting API","5602190329643008":"GET vs POST","6372192066469888":"Dealing With Researchers","5198853675417600":"HTTP Public Key Pinning","5141283162030080":"Introduction to HTTP","6270139180777472":"Quiz Yourself on DDoS Attacks","6025978913488896":"Logging Secrets","6588420517265408":"Security.txt","6480161571602432":"What's Behind a Cookie?","4999754929930240":"A Few Thank Yous","6566529740046336":"Feature-Policy","5670467793846272":"Quiz Yourself on Bug Bounty Programs","4776636378513408":"Never Trust The Client","5249263270363136":"SameSite: The CSRF Killer","6452296931082240":"HackerOne","6136393496526848":"Conclusion: What Would LeBron Do?","5982029519781888":"Alternatives","5906543254962176":"Low-priority and Delegated Domains","6606146484830208":"Quiz Yourself on HTTP Headers","4973509626298368":"Mechanics: Encryption","6285054763335680":"HTTP Strict Transport Security","5212042983112704":"Anatomy of a DDoS","4552528038461440":"Generating Session IDs","6059486704828416":"X-Content-Type-Options","4928257414660096":"The Slow Death of EV Certificates"},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"deleted_course_lesson_redirect":{"author_id":null,"collection_id":null,"page_id":null,"redirect_url_slug":null},"metadata_status":101,"additional_course_alternatives":[]},"requestUrl":"/courses/web-application-security-everyday-software-engineer/host-only","requestUrlInfo":{"authorId":10370001,"collectionId":4994778405011456,"pageId":5422214020071424,"courseUrlSlug":"web-application-security-everyday-software-engineer","pageUrlSlug":"host-only"},"isExternalContent":false}}],[["$","script",null,{"id":"generate-data","type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$138"}}],false,"$undefined"]]

Deploy an API to Production Using Nginx

Host-only