HSTS_brew_final.tar.gz

Chrome

run_mal

Chrome_hsts

Chrome_hsts-mkcert

debug

Chrome_hsts-mal

Chrome_hsts-inn

This course teaches you hands-on practical use of HTTP security headers as browser security controls to help secure web applications.

For each HTTP security header that can enhance your web application security, you'll learn what is the overall risk of not implementing it, and what does a proposed solution help with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well maintained Node.js package on npm.

Web Application Security: Understanding HTTP Security Headers

The HTTP header **X-XSS-Protection** is used by IE8 and IE9 and allows the Cross-Site-Scripting (XSS) filter capability that is built into the browser to be toggled on or off.

Turning XSS filtering on for any IE8 and IE9 browsers rendering your web application requires the following HTTP header to be sent:

```
X-XSS-Protection: 1; mode=block
```

With Helmet, this protection can be turned on using the following snippet:

```js
const helmet = require("helmet");

app.use(helmet.xssFilter());
```

The following is a quick lesson to recap browser-specific Cross-site Scripting protection. While not in active use anymore, this security header is simply a server response and it is still effective to employ.

Introduction

HTTP Security Headers

Testing for Security Headers

What's Next?

X XSS Protection