07 - Ask Browsers to Access Your Site via HTTPS Only with helmet.hsts() - freeCodeCamp
IMPORTANT: You must use Helmet version 3.2.0 to pass this test!
We can protect our sites against protocol downgrade attacks by setting a response header that tells browsers to connect to the site only over HTTPS: once a browser has seen it, the browser rewrites any plain-HTTP request for the site into an HTTPS request instead of falling back to an unsecured connection.
Link to Challenge :
https://www.freecodecamp.org/learn/information-security/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet-hsts
Written Guide:
https://www.notion.so/ganeshh123/Ask-Browsers-to-Access-Your-Site-via-HTTPS-Only-with-helmet-hsts-ebdf3136256344bcb037ff021384dcea
Full Playlist for this course :
https://www.youtube.com/playlist?list=PLhGp6N0DI_1TeEsQOdf1JmV8PnkQfEpQ4
All Written Guides for this course :
https://www.notion.so/ganeshh123/8ba82d9d1ff84c4583d6e9418ebe426b
All My Tutorials can be found at :
https://www.notion.so/Tutorials-Ganesh-H-293ea420d34a464f9a1907e0405b5f26
00:00 - Introduction
00:03 - Protocol Downgrade Attack
A downgrade attack or version rollback attack is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems.
https://en.wikipedia.org/wiki/Downgrade_attack
00:16 - Example
02:07 - Strict-Transport-Security Header
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
02:35 - Use Helmet version 3.2.0
03:50 - Setting the Header - helmet.hsts()
helmet.hsts() sets the Strict-Transport-Security header, which tells browsers to use HTTPS instead of insecure HTTP for this host for the number of seconds given in maxAge (in Helmet 3.x the value is in seconds). Browsers only honour the header when they receive it over an HTTPS connection, so it protects every visit after the first successful HTTPS one, not a first visit that starts over plain HTTP.
https://github.com/helmetjs/helmet/tree/master/middlewares/strict-transport-security
05:23 - Testing
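As an added example, which is not code from the tutorial, from freeCodeCamp or from Helmet itself: a small Express-compatible middleware that builds the Strict-Transport-Security value for the options a helmet.hsts({ maxAge }) call takes, plus a browser-side parser that applies the rule that the header is honoured only when it arrives over HTTPS. The names hsts, buildHstsValue, parseHsts, browserAcceptsHsts and runMiddleware, and the fake req/res objects, are this example's own; the 90-day lifetime is computed in seconds, as Helmet 3.x expects, and includeSubDomains defaults to on, as it does in Helmet 3.x.

```javascript
// Added example, not Helmet's source: an Express-style HSTS middleware and a
// browser-side check for the header it emits. Runs with plain Node, no npm packages.

// Build the header value for the options helmet.hsts() accepts in Helmet 3.x
// (maxAge in seconds, includeSubDomains on by default, preload off by default).
function buildHstsValue({ maxAge, includeSubDomains = true, preload = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative whole number of seconds');
  }
  let value = `max-age=${maxAge}`;
  if (includeSubDomains) value += '; includeSubDomains';
  if (preload) value += '; preload';
  return value;
}

// Express-compatible middleware (hypothetical stand-in for helmet.hsts()):
// sets the header on every response, then hands off to the next handler.
function hsts(options) {
  const value = buildHstsValue(options);
  return function hstsMiddleware(req, res, next) {
    res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

// Browser-side parse following RFC 6797 section 6.1: max-age is required and must
// be digits (optionally quoted); includeSubDomains and preload are flags; unknown
// directives are ignored. A malformed header yields no policy at all.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of headerValue.split(';')) {
    const directive = part.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (val === null || !/^\d+$/.test(val)) return null; // malformed: browser discards the policy
      policy.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// RFC 6797 section 8.1: a browser only records an HSTS policy when the response
// arrived over a secure transport. Over plain HTTP the header is ignored, so an
// attacker in the middle of an HTTP connection cannot set or clear the policy.
function browserAcceptsHsts(responseOverTls, headerValue) {
  if (!responseOverTls || typeof headerValue !== 'string') return null;
  return parseHsts(headerValue);
}

// Constructed req/res stand-ins so the middleware can run without Express.
function runMiddleware(middleware) {
  const headers = {};
  const req = {};
  const res = { setHeader(name, value) { headers[name] = value; } };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// The challenge's 90-day lifetime, expressed in seconds as Helmet 3.x expects.
const ninetyDaysInSeconds = 90 * 24 * 60 * 60; // 7776000

// Stand-alone demo: emit the header, then show how a browser treats it over
// HTTPS (policy recorded) and over plain HTTP (ignored).
const demoResult = runMiddleware(hsts({ maxAge: ninetyDaysInSeconds }));
console.log(demoResult.headers['Strict-Transport-Security']);
console.log(browserAcceptsHsts(true, demoResult.headers['Strict-Transport-Security']));
console.log(browserAcceptsHsts(false, demoResult.headers['Strict-Transport-Security']));
```

The middleware sets the header unconditionally; whether a given Helmet release emits it on plain-HTTP responses is a version detail, and it does not matter for security because the browser side discards the header unless it came over TLS. Check a deployed site with `curl -sI https://example.com | grep -i strict-transport-security` and confirm max-age is in seconds, not milliseconds, before enabling includeSubDomains or preload, since those are hard to undo once browsers have cached the policy.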
-————————————————————————————————————-
HelmetJS is a collection of middleware for Express-based applications that sets security-related HTTP response headers, which tell browsers how to treat the server's content. It does not cover every situation, but it includes the common protections such as Content Security Policy, the browser's XSS filter (X-XSS-Protection), and HTTP Strict Transport Security, among others. HelmetJS is installed into an Express project from npm, after which each layer of protection can be configured to fit the project.
freeCodeCamp (also referred to as “Free Code Camp”) is a non-profit organization that consists of an interactive learning web platform, an online community forum, chat rooms, online publications and local organizations that intend to make learn
...
https://www.youtube.com/watch?v=rVtbNBte35s