12:[["$","$La4",null,{"props":{"lessonContent":{"components":[{"type":"MarkdownEditor","content":{"version":"2.0","text":"We looked at several tools to help us find security issues in web applications:\n\n* **WebPageTest**: An online web performance and security scanning tool for websites.\n* **Lighthouse**: Browser-based web assessment tool for performance, accessibility, security, and more.\n* **Check My Headers CLI app**: a handy command-line Node.js application to test a website's headers.\n","mdHtml":"

We looked at several tools to help us find security issues in web applications:

WebPageTest: An online web performance and security scanning tool for websites.
Lighthouse: Browser-based web assessment tool for performance, accessibility, security, and more.
Check My Headers CLI app: a handy command-line Node.js application to test a website’s headers.

\n","comp_id":"zEGauh7_fYbSDLYODn4RB"},"iteration":5,"hash":1,"saveVersion":6},{"type":"MarkdownEditor","mode":"edit","content":{"version":"2.0","text":"# Test yourself\n\nLet's see how well you know the tools we reviewed.","mdHtml":"

Test yourself

Let’s see how well you know the tools we reviewed.

\n","cursorPosition":{"line":0,"ch":0},"comp_id":"8ONESw0-7CL7dTSAAZ7QN"},"iteration":0,"hash":3,"saveVersion":2},{"type":"Quiz","mode":"edit","content":{"version":"1.0","title":"WebPageTest assessment","renderMode":"slide","dynamicQuestionsCount":null,"questions":[{"questionText":"WebPageTest helps with","questionOptions":[{"text":"Testing for performance issues in websites","correct":false,"explanation":{"mdText":"It's not the only thing WebPageTest does","mdHtml":"

It’s not the only thing WebPageTest does

\n"},"mdHtml":"

Testing for performance issues in websites

\n","id":"VjR7umWe6o5eqQZJnMcNU"},{"text":"Testing for security issues in websites","correct":false,"explanation":{"mdText":"It also tests for web performance metrics!","mdHtml":"

It also tests for web performance metrics!

\n"},"mdHtml":"

Testing for security issues in websites

\n","id":"X_fZbeJaiAVqH8YvKs28C"},{"text":"Testing for performance and security issues in websites and giving insights into how to fix them","correct":true,"explanation":{"mdText":"That's right, you got it!","mdHtml":"

That’s right, you got it!

\n"},"mdHtml":"

Testing for performance and security issues in websites and giving insights into how to fix them

\n","id":"Qyuq0XbOor5RHS8dxsB1E"}],"questionTextHtml":"

WebPageTest helps with

\n"},{"questionText":"What issues can I find with WebPageTest about my website security?","questionOptions":[{"text":"Security misconfiguration in my cloud hosting/platform","correct":false,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Security misconfiguration in my cloud hosting/platform

\n","id":"JekW85ooTwank--VE00nN"},{"text":"Detect if my website is running vulnerable JavaScript libraries","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Detect if my website is running vulnerable JavaScript libraries

\n","id":"zKovvVU6p6SBaVQyQSoRZ"},{"text":"Detect if my website responded with secure HTTP headers","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Detect if my website responded with secure HTTP headers

\n","id":"5tovxOlp62Yk-Avoa3Twz"},{"text":"Detect if my website's source code contains security vulnerabilities","correct":false,"explanation":{"mdText":"WebPageTest doesn't run tests on your own source code","mdHtml":"

WebPageTest doesn’t run tests on your own source code

\n"},"mdHtml":"

Detect if my website’s source code contains security vulnerabilities

\n","id":"EByVcomKAtzWPpdTweb2E"}],"multipleAnswers":true,"questionTextHtml":"

What issues can I find with WebPageTest about my website security?

\n"}],"titleMdHtml":"

WebPageTest assessment

\n","comp_id":"IddYWaKnBDtqZl8UVKsVs"},"iteration":1,"hash":4,"saveVersion":4},{"type":"Quiz","mode":"edit","content":{"version":"1.0","title":"Lighthouse","renderMode":"slide","dynamicQuestionsCount":null,"questions":[{"questionText":"Lighthouse is available via Chrome DevTools and helps with:","questionOptions":[{"text":"Finding performance issues","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Finding performance issues

\n"},{"text":"Finding security issues","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Finding security issues

\n"},{"text":"Finding SEO and Web Accessibility issues","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Finding SEO and Web Accessibility issues

\n"},{"text":"Finding issues with Progressive Web Apps","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Finding issues with Progressive Web Apps

\n"}],"questionTextHtml":"

Lighthouse is available via Chrome DevTools and helps with:

\n","multipleAnswers":true}],"titleMdHtml":"

Lighthouse

\n","comp_id":"eSHIhxt-omHBS2MyxzI1O"},"iteration":0,"hash":5,"saveVersion":3},{"type":"Quiz","mode":"edit","content":{"version":"1.0","title":"Keeping up with security","renderMode":"slide","dynamicQuestionsCount":null,"questions":[{"questionText":"What are some ways you can make sure you have no regressions in your security headers setup?","questionOptions":[{"text":"Run tools like `check-my-headers` in the Continuous Integration systems to fail the build if a regression happens","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

Run tools like check-my-headers in the Continuous Integration systems to fail the build if a regression happens

\n","id":"-aJN73cJnTUnJrEN2o-M3"},{"text":"In an End-to-End Continuous Integration setup, use the WebPageTest API to schedule tests of the website and ensure the security score is the same, or better","correct":true,"explanation":{"mdText":"","mdHtml":""},"mdHtml":"

In an End-to-End Continuous Integration setup, use the WebPageTest API to schedule tests of the website and ensure the security score is the same, or better

\n","id":"jriOmVjuRqc9clo28XGs6"},{"text":"Run a security penetration test after the web application is published","correct":false,"explanation":{"mdText":"This is a manual and rigorous process that takes time, very expensive and is hard to keep up repeating effectively. ","mdHtml":"

This is a manual and rigorous process that takes time, very expensive and is hard to keep up repeating effectively.

\n"},"mdHtml":"

Run a security penetration test after the web application is published

\n","id":"R_WC899WwKJY8ZzIawXx-"}],"questionTextHtml":"

What are some ways you can make sure you have no regressions in your security headers setup?

\n","multipleAnswers":true}],"titleMdHtml":"

Keeping up with security

\n","comp_id":"iIfHnrWRxpI7olswmlgFt"},"iteration":4,"hash":6,"saveVersion":3},{"type":"MarkdownEditor","mode":"edit","content":{"version":"2.0","text":"What's next?\n\nIf you'd like to keep security in check, you should automate the process to keep up with the scale of development. All of the above tools have APIs or integration points that you can connect to continuous integration systems.","mdHtml":"

What’s next?

If you’d like to keep security in check, you should automate the process to keep up with the scale of development. All of the above tools have APIs or integration points that you can connect to continuous integration systems.

\n","cursorPosition":86,"comp_id":"cQC09DsRVqQ5BpkdtteLV"},"iteration":3,"hash":2,"saveVersion":4}],"summary":{"tags":["security testing","build"],"titleUpdated":true,"description":"Explore how to test web application security headers effectively using tools like WebPageTest, Lighthouse, and Check My Headers CLI. Understand how these tools help identify security issues, and discover how to automate testing by integrating them with continuous integration systems to maintain ongoing security monitoring.","title":"Summary"},"darkModeContent":"$a5","content":"$a5"},"isPreviewLesson":true,"pageType":"collection_lesson","aiCoachVideoUrl":"https://youtu.be/kgl8y9J3O6c","collectionDetailsSSR":{"title":"Web Application Security: Understanding HTTP Security Headers","summary":"This course teaches you hands-on practical use of HTTP security headers as browser security controls to help secure web applications.\n\nFor each HTTP security header that can enhance your web application security, you'll learn what is the overall risk of not implementing it, and what does a proposed solution help with. Finally, you'll learn how to implement and configure the security header with Helmet, a popular and well maintained Node.js package on npm.","details":"","clos":["Establishing secure web applications using HTTP security headers","Understanding Content Security Policy","Configuring Node.js web applications securely","Learning how to test and monitor for security headers and vulnerable JavaScript libraries","Roadmap for next steps in web controls and security headers spec"],"key_outcomes":[],"arabic_available":false,"page_tags":{"6590089602793472":"lighthouse,testing,security","5904274870501376":"","4983703055892480":"helmet,node.js,npm package","5759911750270976":"monitoring,webapp,security","5342363586134016":"webpagetest,security testing,performance testing","5283608609685504":"http,hsts,ssl","5226340774051840":"XSS,Internet Explorer,IE8","5242468342693888":"referrer,referer","6165492524908544":"http headers,migration,security controls","4593038314700800":"security testing,build","6200548022812672":"content-security-policy,CSP,browser security control","4898570479075328":"x-frame-options,iframe","4875675728084992":"","5380882287296512":"security headers,browser","5066286703837184":"heroku,git,Node.js","6105410764275712":"privacy,web spec","6009839152005120":"https,ssl,certificate","4819951587164160":""},"collection_toc_is_enabled":true,"page_count":null,"docker":{"container":{"buildLogUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/build/log","imageName":"author-6369210000211968-collection-6214384662609920-rev-18-container-6489644251742208-hsts_brew_final","file":{"name":"HSTS_brew_final.tar.gz","size":3786},"buildStatusUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/build/status","metadata":{"sizeInBytes":3786},"id":-1,"tarballDownloadUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/download","rebuildImageUrl":"https://www.educative.io/api/author/6369210000211968/collection/6214384662609920/containers/6489644251742208/rebuild","buildStatus":"SUCCESS","track":false},"envs":[],"jobs":[{"key":"a_MUGE4NbOlaY1R80eVnq","name":"Chrome","inputFileName":"foo","runScript":"export DISPLAY=:1.0;\nuseradd -m chromeuser;\ngoogle-chrome --no-sandbox","jobType":"GUI","forceRelaunchOnRun":false,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"pNaYJBC234v_1Ik9zvHvR","name":"run_mal","inputFileName":"foo","runScript":"cp -r /usercode /Educative/nodejssecurity-headers-xframe-malicious","ports":"3000","startScript":"cp -r /usercode /Educative/nodejssecurity-headers-xframe-malicious\ncd /Educative/nodejssecurity-headers-xframe-innocent\nnohup npm start > /dev/null 2>&1 &\ncd /Educative/nodejssecurity-headers-xframe-malicious\nnpm start","jobType":"Live","https":false,"forceRelaunchOnRun":false,"runInLiveContainer":true},{"key":"B4OpzciNNzoW6GWc3kyco","name":"Chrome_hsts","inputFileName":"foo","runScript":"cd /Educative/nodejssecurity-headers-hsts/ \nnohup npm start > /dev/null 2>&1 &\nexport DISPLAY=:1.0;\ngoogle-chrome --no-sandbox","jobType":"GUI","forceRelaunchOnRun":false,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"dU2L1rfdPvznHh13PnpKj","name":"Chrome_hsts-mkcert","inputFileName":"foo","runScript":"nohup google-chrome --no-sandbox --disable-gpu --disable-software-rasterizer > /dev/null 2>&1 &\nsleep 3\npkill chrome\neval \"$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)\"\nmkcert -install\nclear\ntmux \\new-session \"cd /Educative/nodejssecurity-headers-hsts && npm start ; read\" \\; split-window \"export DISPLAY=:1.0 && google-chrome http://localhost:80 https://localhost:443 --no-sandbox --disable-gpu --disable-software-rasterizer; read\" \\; select-layout even-horizontal","jobType":"GUI","forceRelaunchOnRun":true,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"2w6T32N3QuP0T1PMoNOfc","name":"debug","inputFileName":"foo","runScript":"echo \"hi\"","ports":"3000","startScript":"echo \"hi\"","jobType":"Live","forceRelaunchOnRun":true,"runInLiveContainer":true},{"key":"Zg9nqvQXGGJuTurEHh_rc","name":"Chrome_hsts-mal","inputFileName":"foo","runScript":"cp -r /usercode/* /Educative/nodejssecurity-headers-xframe-malicious\ncd /Educative/nodejssecurity-headers-xframe-innocent\nnohup npm start > /dev/null 2>&1 &\ntmux \\new-session \"cd /Educative/nodejssecurity-headers-xframe-malicious && npm start ; read\" \\; split-window \"export DISPLAY=:1.0 && google-chrome http://localhost:3000 --no-sandbox --disable-gpu --disable-software-rasterize; read\" \\; select-layout even-horizontal","jobType":"GUI","forceRelaunchOnRun":true,"forceRelaunchOnCompChange":true,"runInLiveContainer":false},{"key":"voswksFkoJ7OwojQq8wP_","name":"Chrome_hsts-inn","inputFileName":"foo","runScript":"cp -r /usercode/* /Educative/nodejssecurity-headers-xframe-innocent\ncd /Educative/nodejssecurity-headers-xframe-innocent\nnohup npm start > /dev/null 2>&1 &\ntmux \\new-session \"cd /Educative/nodejssecurity-headers-xframe-malicious && npm start ; read\" \\; split-window \"export DISPLAY=:1.0 && google-chrome http://localhost:3000 http://localhost:3001 --no-sandbox --disable-gpu --disable-software-rasterize; read\" \\; select-layout even-horizontal","jobType":"GUI","forceRelaunchOnRun":true,"forceRelaunchOnCompChange":true,"runInLiveContainer":false}],"testRunners":[],"version":3,"loaded":true},"discounted_price":null,"cover_image_id":6163948040093696,"cover_image_metadata":"{\"width\":1024,\"height\":512,\"sizeInBytes\":49566,\"name\":\"Understanding HTTP Security Headers_ .png\"}","cover_image_serving_url":"/v2api/collection/6369210000211968/6214384662609920/image/6163948040093696","tags":["web security","http security headers","Security headers","X XSS protection","Chrome's lighthouse"],"intro_video_url":"","intro_video_thumbnail_url":"","aggregated_widget_stats":{"MarkdownEditor":68,"codeExerciseCount":0,"codeRunnableCount":1,"codeSnippetCount":31,"illustrations":19,"MxGraphWidget":1,"Code":1,"VNC":4,"Quiz":5,"Image":18,"SpoilerEditor":3,"StructuredQuiz":3,"TerminalWidget":1,"projects":0,"assessments":0,"SlateHTML":1,"cloudlabs":0},"default_themes":{"code_themes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}}},"api_keys":{"api_keys":[]},"skills":[],"testimonials":[],"licensing":null,"target_audience":"beginner","author_id":"6369210000211968","collection_id":"6214384662609920","approval_status":3005,"price":29,"is_private":false,"path_type":"regular","organization_id":null,"is_mini":false,"is_priced":true,"brief_summary":"Gain insights into HTTP security headers, learn their risks, explore solutions, and discover how to implement them using Helmet for enhanced web application security.","approval_update_time":"2021-10-04T17:42:20.560Z","rating_visibility":true,"update_last_published_on_homepage":true,"show_developed_by":true,"udata_files":[],"CodeThemes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"collection_type":"collection","adaptive_learning_mode":false,"HLOs_to_toc":{},"is_guide":false,"read_time":4200,"allow_logged_out_executions":false,"unique_live_widget_urls":false,"metadata_status":101,"palified_version":null},"pageSummarySSR":{"title":"Summary","description":"Explore how to test web application security headers effectively using tools like WebPageTest, Lighthouse, and Check My Headers CLI. Understand how these tools help identify security issues, and discover how to automate testing by integrating them with continuous integration systems to maintain ongoing security monitoring."},"adaptiveLearningConfigConstantSSR":0,"allowAllLessonPreview":true,"lockedBannerStatsSSR":{"b2cTrialStats":{"is_b2c_trial_active":true,"b2c_trial_active_duration":21,"b2c_trial_categories":"$da"},"b2cStatus":100,"learnerTags":"$db","workStats":2050,"interviewWorksStats":142,"inL2cStarterPack":false,"l2cWorkStats":46,"enableL2cStarterPackPaymentWidget":"false"},"pageTocSSR":"

Test yourself

","authorId":"6369210000211968","collectionId":"6214384662609920","pageId":"4593038314700800","serverConfigConstants":{"enable_notepad_prompt_ai":"true","use_redesigned_sandpack_widget":"true"},"codeFeatureFlags":{"enableCodeCodeTabRedesign":"3"},"meta":{"type":["Article","TechArticle"],"title":"Testing Web Application Security Headers with Effective Tools","name":"Web Application Security: Understanding HTTP Security Headers","description":"Learn to test web application security headers using WebPageTest, Lighthouse, and Check My Headers CLI for better security assessment.","image":"https://educative.io/api/collection/6369210000211968/6214384662609920/image/6163948040093696.png","isAccessibleForFree":true,"keywords":"$db","provider":"Educative","publisher":"Educative","id":"courses/web-application-security-http-headers/summary","author":"Liran Tal","educationalLevel":"beginner","noIndex":false,"isForcedNoIndex":false,"noFollow":false,"redirectInfo":{"isDeletedCollectionPageRedirectable":false},"page_titles":{"6590089602793472":"Chrome's Lighthouse","5904274870501376":"X Content Type Options","4983703055892480":"Helmet - a Node.js Package for HTTP Security Headers","5759911750270976":"Monitor your web application","5342363586134016":"WebPageTest","4875675728084992":"Check My Headers command-line application","5226340774051840":"X XSS Protection","5242468342693888":"Referer and Referrer Policy","6165492524908544":"Establish a CSP and Security Headers standard","4593038314700800":"Summary","6200548022812672":"Content Security Policy","4898570479075328":"X Frame Options","5283608609685504":"HTTP Strict Transport Security","5380882287296512":"Headers as Browser Security Controls","5066286703837184":"Requirements","6105410764275712":"Other browser security headers and controls","6009839152005120":"The State of HTTP Security","4819951587164160":"Educational resources"},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"deleted_course_lesson_redirect":{"author_id":null,"collection_id":null,"page_id":null,"redirect_url_slug":null},"metadata_status":101,"additional_course_alternatives":[],"structured_data_json":"{\"@context\":\"https://schema.org\",\"@type\":\"LearningResource\",\"name\":\"Testing Web Application Security Headers with Effective Tools\",\"description\":\"Learn to test web application security headers using WebPageTest, Lighthouse, and Check My Headers CLI for better security assessment.\",\"isAccessibleForFree\":\"True\",\"hasPart\":[{\"@type\":\"WebContent\",\"isAccessibleForFree\":\"True\",\"cssSelector\":\".ed-lesson-content\"}],\"provider\":{\"@type\":\"Organization\",\"name\":\"Educative\"}}"},"requestUrl":"/courses/web-application-security-http-headers/summary","requestUrlInfo":{"authorId":6369210000211968,"collectionId":6214384662609920,"pageId":4593038314700800,"courseUrlSlug":"web-application-security-http-headers","pageUrlSlug":"summary"},"isExternalContent":false}}],[["$","script",null,{"id":"generate-data","type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$dc"}}],["$","script",null,{"id":"structured-data","type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"LearningResource\",\"name\":\"Testing Web Application Security Headers with Effective Tools\",\"description\":\"Learn to test web application security headers using WebPageTest, Lighthouse, and Check My Headers CLI for better security assessment.\",\"isAccessibleForFree\":\"True\",\"hasPart\":[{\"@type\":\"WebContent\",\"isAccessibleForFree\":\"True\",\"cssSelector\":\".ed-lesson-content\"}],\"provider\":{\"@type\":\"Organization\",\"name\":\"Educative\"}}"}}],"$undefined"]]