e:[["$","$L23",null,{"props":{"isB2BDomain":true,"lessonContent":{"components":[{"type":"MarkdownEditor","mode":"edit","content":{"version":"2.0","comp_id":"dba3404e-2bde-4d2e-913f-a69932f05261","text":"$24","mdHtml":"

As we’ve seen before, cookies that are issued by our servers can be tampered with, especially if they’re not HttpOnly and are accessible by JS code on your page.

At the same time, even if your cookies are HttpOnly, storing plaintext data in them is not ...

","cursorPosition":{"line":0,"ch":0}},"hash":"1","iteration":140,"saveVersion":2}],"summary":{"description":"In this lesson, we'll see how JWTs can be used to prevent clients from tampering with data.\n","titleUpdated":true},"darkModeContent":[{"type":"MarkdownEditor","mode":"edit","content":{"version":"2.0","comp_id":"dba3404e-2bde-4d2e-913f-a69932f05261","text":"$25","mdHtml":"$26","cursorPosition":{"line":0,"ch":0}},"hash":"1","iteration":140,"saveVersion":2}],"content":["$27"]},"isPreviewLesson":false,"numberOfFreeComponents":1,"pageType":"collection_lesson","aiCoachVideoUrl":"https://youtu.be/kgl8y9J3O6c","collectionDetailsSSR":{"title":"Web Application Security for the Everyday Software Engineer","summary":"There are more vulnerabilities than ever when creating applications for the web, so it is extremely important that software developers enforce security best practices such as, how to add protection through HTTP headers.\n\nIn this course, you will start off by learning how to prevent fraudulent SSL certificates from being served to clients, before moving on to how to defend against XSS attacks and clickjacking. \n\nIn the latter half of the course, you’ll learn security practices related to HTTP cookies, and tips around security tradeoffs that you’ll make in your day-to-day work. Towards the end, you’ll learn how to ward off DDoS attacks, which is crucial when your application scales.\n\nThis course will demystify web security, and help you stay on top of important security-related concerns in your web apps.","details":"","clos":[],"arabic_available":false,"page_tags":{"5836883515932672":"","5303123166887936":"","6291280486203392":"","6296457733734400":"","6025978913488896":"","5446620641492992":"","6143883248402432":"","5545136755834880":"","5462186039181312":"","6608873487073280":"","5139363647193088":"","5176747042537472":"","6515604514144256":"","6473472998899712":"","6335186628247552":"","5938972908847104":"","6264714335092736":"","6144502159900672":"","4983193536036864":"","4702623723683840":"","6596048379183104":"","4718279953219584":"","5691356803497984":"","5672559073820672":"","4620022811983872":"","4940158097948672":"","5982029519781888":"","4543080653914112":"","5385739899502592":"","5023963043332096":"","4529800178827264":"","4668418604138496":"","4771085502382080":"","6053230615199744":"","6191047056031744":"","6129176592515072":"","4948825543278592":"","5363057757782016":"","5335506213666816":"","5813296562176000":"","5923373688291328":"","5491207368081408":"","5326584224415744":"","5422214020071424":"","5857052682354688":"","6616272071557120":"","6750562528788480":"","6302367440961536":"","5602190329643008":"","6372192066469888":"","5198853675417600":"","5141283162030080":"","6270139180777472":"","4893635347742720":"","6588420517265408":"","6480161571602432":"","4999754929930240":"","6566529740046336":"","5670467793846272":"","4776636378513408":"","5249263270363136":"","6452296931082240":"","6136393496526848":"","6552289406877696":"","5906543254962176":"","6606146484830208":"","4973509626298368":"","6285054763335680":"","5212042983112704":"","4552528038461440":"","6059486704828416":"","4928257414660096":""},"collection_toc_is_enabled":true,"page_count":null,"docker":{"container":{"buildLogUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/log","buildStatusUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/build/status","tarballDownloadUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/download","id":-1,"imageName":"author-10370001-collection-4994778405011456-rev-31-container-5611703325687808-new","file":{"name":"new.tar.gz","size":2461334},"rebuildImageUrl":"https://www.educative.io/api/author/10370001/collection/4994778405011456/containers/5611703325687808/rebuild","buildStatus":"SUCCESS","metadata":{"sizeInBytes":2461334},"track":false},"envs":[],"jobs":[{"runInLiveContainer":true,"name":"node","startScript":"npm start --prefix /usr/src/app","inputFileName":"foo","key":"813fa08b-f9aa-49b3-8456-798a4efa6e37","runScript":"cp /usercode/* /usr/src/app","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"cookies","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","key":"7bece526-9d47-48d5-b4be-f290146d6024","runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7888"},{"runInLiveContainer":true,"name":"hsts","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","key":"03e2c0a2-37f2-403c-8d78-1a2e1bea60da","runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"90a93256-44a0-4d84-a9fa-428a4bd90e60","runInLiveContainer":true,"name":"hsts-https","startScript":"cp /usr/src/app/package*.json /usercode/hsts && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode && mkcert wasec.local && cd hsts && npm start","inputFileName":"foo","https":true,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7889"},{"key":"6dcb5825-5083-437b-aed6-ed2e8bbedbb5","runInLiveContainer":true,"name":"sri","startScript":"cp /usr/src/app/package*.json /usercode/sri && echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cd /usercode/sri && npm start","inputFileName":"foo","https":false,"runScript":"echo \"Updating code...\"","buildScript":"","ports":"7888"},{"key":"0f8d20ee-8c02-4277-81a9-94a9d5560321","runInLiveContainer":true,"name":"cookies-https","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cookies && cd /usercode && mkcert wasec.local && cd cookies && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cookies && cp /usercode/cookies/index.js /usr/src/cookies","buildScript":"","ports":"7889"},{"key":"16ef4323-812b-449b-8d33-5c92a35a90fb","runInLiveContainer":true,"name":"clickjacking","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/clickjacking && cp -r /usr/src/app/imgs/* /usercode/clickjacking && cd /usercode/clickjacking && npm start ","inputFileName":"foo","https":false,"runScript":"echo \"Running code...\"","buildScript":"","ports":"7888"},{"key":"30f1abf3-5ca4-43e2-8494-aa9fc994a67d","runInLiveContainer":true,"name":"cors","startScript":"echo \"127.0.0.1 wasec.local sub.wasec.local wasec2.local localhost\" > /etc/hosts && cp /usr/src/app/package*.json /usercode/cors && cd /usercode && mkcert wasec.local && cd cors && npm start ","inputFileName":"foo","https":true,"runScript":"mkdir /usr/src/cors && cp /usercode/cors/index.js /usr/src/cors","buildScript":"","ports":"7888"}],"testRunners":[],"version":3,"loaded":true},"discounted_price":39,"cover_image_id":4572926192910336,"cover_image_metadata":"\"{\\\"width\\\":1024,\\\"height\\\":512,\\\"sizeInBytes\\\":35059,\\\"name\\\":\\\"Cover-3.png\\\"}\"","cover_image_serving_url":"/v2api/collection/10370001/4994778405011456/image/4572926192910336","tags":["Network security","SQL injection","Cross-site scripting","CSRF","cryptography"],"intro_video_url":"","intro_video_thumbnail_url":"","aggregated_widget_stats":{"codeRunnableCount":12,"illustrations":59,"MarkdownEditor":154,"codeExerciseCount":0,"codeSnippetCount":53,"MxGraphWidget":56,"TerminalWidget":1,"Columns":8,"Code":6,"Quiz":7,"RunJS":0,"WebpackBin":6,"projects":0,"assessments":0,"cloudlabs":0,"Sandpack":1},"default_themes":{"code_themes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}}},"api_keys":{"api_keys":[]},"skills":[],"testimonials":[],"licensing":null,"target_audience":"intermediate","author_id":"10370001","collection_id":"4994778405011456","approval_status":3005,"price":59,"is_private":false,"path_type":"regular","organization_id":null,"is_mini":false,"is_priced":true,"brief_summary":"Gain insights into enforcing web app security best practices, such as HTTPS, defending against XSS and clickjacking, managing HTTP cookies, and warding off DDoS attacks.","approval_update_time":"2020-06-29T23:09:47.538Z","rating_visibility":true,"update_last_published_on_homepage":true,"show_developed_by":true,"udata_files":[],"CodeThemes":{"Code":"default","Markdown":"default","RunJS":"default","SPA":"default","isForced":{"Code":false,"Markdown":false,"RunJS":false,"SPA":false}},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"collection_type":"collection","adaptive_learning_mode":false,"HLOs_to_toc":{},"is_guide":false,"read_time":14400,"allow_logged_out_executions":false,"unique_live_widget_urls":false,"metadata_status":101},"pageSummarySSR":{"title":"Never Trust The Client","description":"In this lesson, we'll see how JWTs can be used to prevent clients from tampering with data."},"adaptiveLearningConfigConstantSSR":0,"allowAllLessonPreview":false,"lockedBannerStatsSSR":{"b2cTrialStats":{"is_b2c_trial_active":true,"b2c_trial_active_duration":21,"b2c_trial_categories":"$2b"},"b2cStatus":100,"learnerTags":"$2c","workStats":1840,"interviewWorksStats":121,"inL2cStarterPack":false,"l2cWorkStats":46,"enableL2cStarterPackPaymentWidget":"false"},"pageTocSSR":"*\n * [JSON Web Tokens](#json-web-tokens)\n * [ℹ️ Are JWTs safe?](#i️-are-jwts-safe)\n","authorId":"10370001","collectionId":"4994778405011456","pageId":"4776636378513408","meta":{"type":["Article","TechArticle"],"title":"Never Trust The Client","name":"Web Application Security for the Everyday Software Engineer","description":"In this lesson, we'll see how JWTs can be used to prevent clients from tampering with data.","image":"https://educative.io/api/collection/10370001/4994778405011456/image/4572926192910336.png","isAccessibleForFree":false,"keywords":"$2c","provider":"Educative","publisher":"Educative","id":"courses/web-application-security-everyday-software-engineer/never-trust-the-client","author":"Educative","educationalLevel":"intermediate","noIndex":true,"noFollow":true,"page_titles":{"5836883515932672":"Don't Panic: Some Services to The Rescue!","5303123166887936":"Cross Origin Resource Sharing","6291280486203392":"This Is The End","6296457733734400":"Quiz Yourself on HTTP","5446620641492992":"Mechanics: HTTP vs HTTPS vs H2","6143883248402432":"HTTPS Everywhere","5545136755834880":"Introduction HTTP Cookies","5462186039181312":"Dependencies With Known Vulnerabilities","6608873487073280":"Malicious Reporters","5139363647193088":"What's in a Program?","5176747042537472":"A Browser for Developers","6515604514144256":"Who This Course Is For?","5491207368081408":"Paranoid Mode: On","6473472998899712":"Introduction to Bug Bounty Programs","6335186628247552":"Notable DDoS Attacks","5938972908847104":"Denylisting vs. Allowlisting","6264714335092736":"Vendors","6144502159900672":"Formatting","4983193536036864":"Errata and Additional Content","4702623723683840":"OWASP","6596048379183104":"Session Invalidation in a Stateless Architecture","4718279953219584":"Hold The Door","5691356803497984":"How HTTP Works","5672559073820672":"What Does a Browser Do?","4620022811983872":"JavaScript Can't Touch This","4940158097948672":"Content-Security-Policy","6552289406877696":"My CDN Was Compromised!","4543080653914112":"Introduction to Situationals","5385739899502592":"Quiz Yourself on HTTP Cookies","5023963043332096":"In the Works","4529800178827264":"Have I Been Pwned?","4668418604138496":"Supercookies","4771085502382080":"Querying Your Database While Avoiding SQL Injections","6053230615199744":"X-Permitted-Cross-Domain-Policies & Referrer-Policy","6191047056031744":"Introduction to the Course","6129176592515072":"Quiz Yourself on Browsers","4948825543278592":"Why Would Anyone Bomb Me?","5363057757782016":"Encrypt it Or Forget it","5335506213666816":"Session and Persistent Cookies","5813296562176000":"Browser Basics","5923373688291328":"Hackers Welcome","4893635347742720":"X-XSS-Protection","5326584224415744":"Introduction to DDoS","5422214020071424":"Host-only","5857052682354688":"Expect-CT","6616272071557120":"X-Frame-Options","6750562528788480":"Quiz Yourself on Situationals","6302367440961536":"The reporting API","5602190329643008":"GET vs POST","6372192066469888":"Dealing With Researchers","5198853675417600":"HTTP Public Key Pinning","5141283162030080":"Introduction to HTTP","6270139180777472":"Quiz Yourself on DDoS Attacks","6025978913488896":"Logging Secrets","6588420517265408":"Security.txt","6480161571602432":"What's Behind a Cookie?","4999754929930240":"A Few Thank Yous","6566529740046336":"Feature-Policy","5670467793846272":"Quiz Yourself on Bug Bounty Programs","4776636378513408":"Never Trust The Client","5249263270363136":"SameSite: The CSRF Killer","6452296931082240":"HackerOne","6136393496526848":"Conclusion: What Would LeBron Do?","5982029519781888":"Alternatives","5906543254962176":"Low-priority and Delegated Domains","6606146484830208":"Quiz Yourself on HTTP Headers","4973509626298368":"Mechanics: Encryption","6285054763335680":"HTTP Strict Transport Security","5212042983112704":"Anatomy of a DDoS","4552528038461440":"Generating Session IDs","6059486704828416":"X-Content-Type-Options","4928257414660096":"The Slow Death of EV Certificates"},"is_marked_for_deletion":false,"transition_page_title":"","is_redirectable":false,"deleted_course_lesson_redirect":{"author_id":null,"collection_id":null,"page_id":null,"redirect_url_slug":null},"metadata_status":101,"additional_course_alternatives":[],"showTransitionPage":false},"requestUrl":"/courses/web-application-security-everyday-software-engineer/never-trust-the-client","requestUrlInfo":{"authorId":"10370001","collectionId":"4994778405011456","pageId":"4776636378513408","courseUrlSlug":"web-application-security-everyday-software-engineer","pageUrlSlug":"never-trust-the-client"},"isExternalContent":false}}],[["$","script",null,{"id":"generate-data","type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"$2d"}}],false,"$undefined"]]

Deploy an API to Production Using Nginx

Never Trust The Client