e:[["$","$L23",null,{"props":{"isB2BDomain":true,"lessonContent":{"components":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"6ebe1ae2-4c9f-489d-8a1f-f9070a31b803","text":"$24","mdHtml":"

Chances are that the application you’re working on right now depends on a plethora of open-source libraries: ExpressJS, a popular web framework for NodeJS, depends on 30 external libraries, and those libraries depend on external libraries, and those…we could go on forever. As a simple exercise, I tried to install a brand-new version ...

","cursorPosition":{"line":0,"ch":0}},"hash":"1","iteration":85,"saveVersion":1}],"summary":{"description":"In this lesson, we'll study a few open-source libraries that have dependencies with known vulnerabilities."},"darkModeContent":[{"type":"MarkdownEditor","mode":"view","content":{"version":"2.0","comp_id":"6ebe1ae2-4c9f-489d-8a1f-f9070a31b803","text":"$25","mdHtml":"

$ npm install express\n+ express@4.17.1\nadded 50 packages from 37 contributors and audited 127 packages in 9.072s\nfound 0 vulnerabilities\n

Just by installing the latest version of ExpressJS, I’ve included 50 libraries in my codebase. Is that inherently bad? Not at all, but it presents a security risk; the more code we write or use, the larger the attack surface for malicious users becomes.

One ...

","cursorPosition":{"line":0,"ch":0}},"hash":"1","iteration":85,"saveVersion":1}],"content":["$26"]},"isPreviewLesson":false,"numberOfFreeComponents":1,"pageType":"collection_lesson","aiCoachVideoUrl":"https://youtu.be/kgl8y9J3O6c","collectionDetailsSSR":{"title":"Web Application Security for the Everyday Software Engineer","summary":"There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.\n\nIn this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. \n\nIn the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.\n\nThis course will demystify web security, and help you stay on top of important security-related concerns in your web apps.","details":"","clos":[],"arabic_available":false,"page_tags":{"5836883515932672":"","5303123166887936":"","6291280486203392":"","6296457733734400":"","6025978913488896":"","5446620641492992":"","6143883248402432":"","5545136755834880":"","5462186039181312":"","6608873487073280":"","5139363647193088":"","5176747042537472":"","6515604514144256":"","6473472998899712":"","6335186628247552":"","5938972908847104":"","6264714335092736":"","6144502159900672":"","4983193536036864":"","4702623723683840":"","6596048379183104":"","4718279953219584":"","5691356803497984":"","5672559073820672":"","4620022811983872":"","4940158097948672":"","5982029519781888":"","4543080653914112":"","5385739899502592":"","5023963043332096":"","4529800178827264":"","4668418604138496":"","4771085502382080":"","6053230615199744":"","6191047056031744":"","6129176592515072":"","4948825543278592":"","5363057757782016":"","5335506213666816":"","5813296562176000":"","5923373688291328":"","5491207368081408":"","5326584224415744":"","5422214020071424":"","5857052682354688":"","6616272071557120":"","6750562528788480":"","6302367440961536":"","5602190329643008":"","6372192066469888":"","5198853675417600":"","5141283162030080":"","6270139180777472":"","4893635347742720":"","6588420517265408":"","6480161571602432":"","4999754929930240":"","6566529740046336":"","5670467793846272":"","4776636378513408":"","5249263270363136":"","6452296931082240":"","6136393496526848":"","6552289406877696":"","5906543254962176":"","6606146484830208":"","4973509626298368":"","6285054763335680":"","5212042983112704":"","4552528038461440":"","6059486704828416":"","4928257414660096":""},"collection_toc_is_enabled":true,"page_count":null,"docker":{"container":{"buildLogUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/log","buildStatusUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/status","tarballDownloadUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/download","id":-1,"imageName":"author-10370001-collection-4994778405011456-rev-31-container-5611703325687808-new","file":{"name":"new.tar.gz","size":2461334},"rebuildImageUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/rebuild","buildStatus":"SUCCESS","metadata":{"sizeInBytes":2461334},"track":false},"envs":[],"jobs":[{"runInLiveContainer":true,"name":"node","startScript":"npm start --prefix /usr/src/app","inputFileName":"foo","key":"813fa08b-f9aa-49b3-8456-798a4efa6e37","runScript":"cp /usercode/* /usr/src/app","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"cookies","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","key":"7bece526-9d47-48d5-b4be-f290146d6024","runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"hsts","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","key":"03e2c0a2-37f2-403c-8d78-1a2e1bea60da","runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"90a93256-44a0-4d84-a9fa-428a4bd90e60","runInLiveContainer":true,"name":"hsts-https","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","https":true,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7889"},{"key":"6dcb5825-5083-437b-aed6-ed2e8bbedbb5","runInLiveContainer":true,"name":"sri","startScript":"cp /usr/src/app/package*.json /usercode/sri && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode/sri && npm start","inputFileName":"foo","https":false,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"0f8d20ee-8c02-4277-81a9-94a9d5560321","runInLiveContainer":true,"name":"cookies-https","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7889"},{"key":"16ef4323-812b-449b-8d33-5c92a35a90fb","runInLiveContainer":true,"name":"clickjacking","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/clickjacking && cp -r /usr/src/app/imgs/* /usercode/clickjacking && cd /usercode/clickjacking && npm start ","inputFileName":"foo","https":false,"runScript":"echo \"Running code...\"","buildScript":"","ports":"7888"},{"key":"30f1abf3-5ca4-43e2-8494-aa9fc994a67d","runInLiveContainer":true,"name":"cors","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cors && cd /usercode && mkcert wasec.local && cd cors && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cors && cp /usercode/cors/index.js /usr/src/cors","buildScript":"","ports":"7888"}],"testRunners":[],"version":3,"loaded":true},"discounted_price":39,"cover_image_id":4572926192910336,"cover_image_metadata":"\"{\\\"width\\\":1024,\\\"height\\\":512,\\\"sizeInBytes\\\":35059,\\\"name\\\":\\\"Cover-3.png\\\"}\"","cover_image_serving_url":"/v2api/collection/10370001/4994778405011456/image/4572926192910336","tags":["Network security","SQL injection","Cross-site scripting","CSRF","cryptography"],"intro_video_url":"","intro_video_thumbnail_url":"","aggregated_widget_stats":{"codeRunnableCount":12,"illustrations":59,"MarkdownEditor":154,"codeExerciseCount":0,"codeSnippetCount":53,"MxGraphWidget":56,"TerminalWidget":1,"Columns":8,"Code":6,"Quiz":7,"RunJS":0,"WebpackBin":6,"projects":0,"assessments":0,"cloudlabs":0,"Sandpack":1},"default_themes":{"code_themes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}}},"api_keys":{"api_keys":[]},"skills":[],"testimonials":[],"licensing":null,"target_audience":"intermediate","author_id":"10370001","collection_id":"4994778405011456","approval_status":3005,"price":59,"is_private":false,"path_type":"regular","organization_id":null,"is_mini":false,"is_priced":true,"brief_summary":"Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.","approval_update_time":"2020-06-29T23:09:47.538Z","rating_visibility":true,"update_last_published_on_homepage":true,"show_developed_by":true,"udata_files":[],"CodeThemes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"collection_type":"collection","adaptive_learning_mode":false,"HLOs_to_toc":{},"is_guide":false,"read_time":14400,"allow_logged_out_executions":false,"unique_live_widget_urls":false,"metadata_status":101},"pageSummarySSR":{"title":"Dependencies With Known Vulnerabilities","description":"In this lesson, we'll study a few open-source libraries that have dependencies with known vulnerabilities."},"adaptiveLearningConfigConstantSSR":0,"allowAllLessonPreview":false,"lockedBannerStatsSSR":{"b2cTrialStats":{"is_b2c_trial_active":true,"b2c_trial_active_duration":21,"b2c_trial_categories":"$2a"},"b2cStatus":100,"learnerTags":"$2b","workStats":1840,"interviewWorksStats":121,"inL2cStarterPack":false,"l2cWorkStats":46,"enableL2cStarterPackPaymentWidget":"false"},"pageTocSSR":"","authorId":"10370001","collectionId":"4994778405011456","pageId":"5462186039181312","meta":{"type":["Article","TechArticle"],"title":"Dependencies With Known Vulnerabilities","name":"Web Application Security for the Everyday Software Engineer","description":"In this lesson, we'll study a few open-source libraries that have dependencies with known vulnerabilities.","image":"https://educative.io/api/collection/10370001/4994778405011456/image/4572926192910336.png","isAccessibleForFree":false,"keywords":"$2b","provider":"Educative","publisher":"Educative","id":"courses/web-application-security-everyday-software-engineer/dependencies-with-known-vulnerabilities","author":"Educative","educationalLevel":"intermediate","noIndex":true,"noFollow":true,"page_titles":{"5836883515932672":"Don't Panic: Some Services to The Rescue!","5303123166887936":"Cross Origin Resource Sharing","6291280486203392":"This Is The End","6296457733734400":"Quiz Yourself on HTTP","5446620641492992":"Mechanics: HTTP vs HTTPS vs H2","6143883248402432":"HTTPS Everywhere","5545136755834880":"Introduction HTTP Cookies","5462186039181312":"Dependencies With Known Vulnerabilities","6608873487073280":"Malicious Reporters","5139363647193088":"What's in a Program?","5176747042537472":"A Browser for Developers","6515604514144256":"Who This Course Is For?","5491207368081408":"Paranoid Mode: On","6473472998899712":"Introduction to Bug Bounty Programs","6335186628247552":"Notable DDoS Attacks","5938972908847104":"Denylisting vs. Allowlisting","6264714335092736":"Vendors","6144502159900672":"Formatting","4983193536036864":"Errata and Additional Content","4702623723683840":"OWASP","6596048379183104":"Session Invalidation in a Stateless Architecture","4718279953219584":"Hold The Door","5691356803497984":"How HTTP Works","5672559073820672":"What Does a Browser Do?","4620022811983872":"JavaScript Can't Touch This","4940158097948672":"Content-Security-Policy","6552289406877696":"My CDN Was Compromised!","4543080653914112":"Introduction to Situationals","5385739899502592":"Quiz Yourself on HTTP Cookies","5023963043332096":"In the Works","4529800178827264":"Have I Been Pwned?","4668418604138496":"Supercookies","4771085502382080":"Querying Your Database While Avoiding SQL Injections","6053230615199744":"X-Permitted-Cross-Domain-Policies & Referrer-Policy","6191047056031744":"Introduction to the Course","6129176592515072":"Quiz Yourself on Browsers","4948825543278592":"Why Would Anyone Bomb Me?","5363057757782016":"Encrypt it Or Forget it","5335506213666816":"Session and Persistent Cookies","5813296562176000":"Browser Basics","5923373688291328":"Hackers Welcome","4893635347742720":"X-XSS-Protection","5326584224415744":"Introduction to DDoS","5422214020071424":"Host-only","5857052682354688":"Expect-CT","6616272071557120":"X-Frame-Options","6750562528788480":"Quiz Yourself on Situationals","6302367440961536":"The reporting API","5602190329643008":"GET vs POST","6372192066469888":"Dealing With Researchers","5198853675417600":"HTTP Public Key Pinning","5141283162030080":"Introduction to HTTP","6270139180777472":"Quiz Yourself on DDoS Attacks","6025978913488896":"Logging Secrets","6588420517265408":"Security.txt","6480161571602432":"What's Behind a Cookie?","4999754929930240":"A Few Thank Yous","6566529740046336":"Feature-Policy","5670467793846272":"Quiz Yourself on Bug Bounty Programs","4776636378513408":"Never Trust The Client","5249263270363136":"SameSite: The CSRF Killer","6452296931082240":"HackerOne","6136393496526848":"Conclusion: What Would LeBron Do?","5982029519781888":"Alternatives","5906543254962176":"Low-priority and Delegated Domains","6606146484830208":"Quiz Yourself on HTTP Headers","4973509626298368":"Mechanics: Encryption","6285054763335680":"HTTP Strict Transport Security","5212042983112704":"Anatomy of a DDoS","4552528038461440":"Generating Session IDs","6059486704828416":"X-Content-Type-Options","4928257414660096":"The Slow Death of EV Certificates"},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"deleted_course_lesson_redirect":{"author_id":null,"collection_id":null,"page_id":null,"redirect_url_slug":null},"metadata_status":101,"additional_course_alternatives":[],"showTransitionPage":false},"requestUrl":"/courses/web-application-security-everyday-software-engineer/dependencies-with-known-vulnerabilities","requestUrlInfo":{"authorId":"10370001","collectionId":"4994778405011456","pageId":"5462186039181312","courseUrlSlug":"web-application-security-everyday-software-engineer","pageUrlSlug":"dependencies-with-known-vulnerabilities"},"isExternalContent":false}}],[["$","script",null,{"id":"generate-data","type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$2c"}}],false,"$undefined"]]

Deploy an API to Production Using Nginx

Dependencies With Known Vulnerabilities