1
Course Overview: Web Security Essentials
4m 17s
2
Simulate Man in the Middle Attacks and Inspect Network Traffic with Charles Proxy
3m 1s
3
Add https to a Localhost Express App to Prevent MITM Attacks
2m 33s
4
Redirect All HTTP Traffic to HTTPS in Express to Ensure All Responses are Secure
2m 19s
5
Set the Secure Cookie Flag to Ensure Cookies are Only Sent Over Secure Connections
1m 35s
6
Add HSTS Headers to Express Apps to Ensure All Requests are https Requests
4m 15s
7
Create a Proof of Concept Exploit of a CSRF Vulnerable Website
4m 1s
8
Mitigate CSRF Attacks by Setting the SameSite Cookie Flag in Express
2m 46s
9
Add CSRF Token Middleware to an Express Server to Mitigate CSRF
6m 12s
10
Make an XSS Payload to Read a Cookie from a Vulnerable Website
3m 50s
11
Set the httpOnly Cookie Flag in Express to Ensure Cookies are Inaccessible from JavaScript
1m 27s
12
Make an XSS Payload to Read document.body from a Vulnerable Website
53s
13
Prevent Inline Script Execution by Implementing Script-Src CSP Headers in Express
5m 30s
14
Read Document Content from a Vulnerable Website via Script Tag Injection in an XSS Payload
1m 11s
15
Add a Nonce Based script-src Header in Express to Only Allow Scripts that Match the Nonce
3m 7s
16
Prompt Users for Credentials from a Vulnerable Website via iframe Injection
1m 36s
17
Add a default-src CSP Header in Express to Enforce an Allowlist and Mitigate XSS
2m 15s

Redirect All HTTP Traffic to HTTPS in Express to Ensure All Responses are Secure

Mike Sherov

InstructorMike Sherov

Share this video with your friends

In the previous lesson, we disabled http in favor of https. In this lesson, we'll learn that the default protocol for web browser is http, and we therefore need to provide an http endpoint that redirects the browser to https. We'll do that by setting up a small express application whose sole responsibility is to redirect http urls to https. In doing so, we'll accidentally reintroduce the transmission of our session id over http, which we'll need to fix in our next lesson.

illustration for Web Security Essentials: MITM, CSRF, and XSS

Course

Web Security Essentials: MITM, CSRF, and XSS

Victor Hazbun

Victor Hazbun

~ 4 years ago

Thanks for sharing, but how would you setup production to work with SSL?

Mike Sherov

Mike Sherovinstructor

~ 4 years ago

Hi Victor,

The answer to that depends on a lot on your specific configuration, especially who you use as a hosting provider. Lots of services now offer "let's encrypt" integration by default.

Here's a guide from letsencrypt that should point you in the right direction: https://letsencrypt.org/getting-started/