05 - Avoid Inferring the Response MIME Type with helmet.noSniff() - freeCodeCamp
Ganesh H
IMPORTANT: You must use Helmet version 2.3.0 to pass this test! Browsers use MIME type sniffing to try to parse a file by reading its contents and guessing the file type. This can be exploited to run malicious scripts, and we can set a header using Helmet's noSniff() middleware to disable this.
Link to Challenge: https://www.freecodecamp.org/learn/information-security/information-security-with-helmetjs/avoid-inferring-the-response-mime-type-with-helmet-nosniff
Written Guide: https://www.notion.so/ganeshh123/Avoid-Inferring-the-Response-MIME-Type-with-helmet-noSniff-e4c9340b0f5542b18ffe88e44f190d6a
Full Playlist for this course: https://www.youtube.com/playlist?list=PLhGp6N0DI_1TeEsQOdf1JmV8PnkQfEpQ4
All Written Guides for this course: https://www.notion.so/ganeshh123/8ba82d9d1ff84c4583d6e9418ebe426b
All My Tutorials can be found at: https://www.notion.so/Tutorials-Ganesh-H-293ea420d34a464f9a1907e0405b5f26
00:00 - Introduction
00:06 - What is MIME Type Sniffing?
Content sniffing, also known as media type sniffing or MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it. https://en.wikipedia.org/wiki/Content_sniffing
01:00 - Danger with MIME Type Sniffing https://youtu.be/eq6R6dxRuiU
01:54 - X-Content-Type-Options Header
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and should be followed. This is a way to opt out of MIME type sniffing, or, in other words, to say that the MIME types are deliberately configured. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
02:30 - Use Helmet version 2.3.0
02:54 - Setting the Header - helmet.noSniff()
helmet.noSniff sets the X-Content-Type-Options header to nosniff. This mitigates MIME type sniffing, which can cause security vulnerabilities. https://github.com/helmetjs/helmet/tree/master/middlewares/x-content-type-options
03:28 - Explanation of Solution
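To make the header concrete, here is an added example (not Helmet's own code and not from the video): a minimal Express-style middleware that sets the same X-Content-Type-Options: nosniff header that helmet.noSniff() sets, a small fake response object so it runs offline without Express or Helmet installed, and a checker that audits a set of response headers for the opt-out. The names noSniff, sniffingDisabled, makeFakeResponse and demo are my own; with Helmet 2.3.0 installed the real call is just app.use(helmet.noSniff()).

```javascript
// Added example (not Helmet's source): a minimal Express-style middleware
// that does the one thing helmet.noSniff() does, set
// X-Content-Type-Options: nosniff on every response, plus a checker that
// audits response headers for it. With Helmet 2.3.0 installed the real
// call in an Express app is simply: app.use(helmet.noSniff());

const HEADER_NAME = 'X-Content-Type-Options';
const HEADER_VALUE = 'nosniff';

// Express-compatible middleware signature: (req, res, next).
function noSniff(req, res, next) {
  res.setHeader(HEADER_NAME, HEADER_VALUE);
  next();
}

// Audit a plain headers object (keys in any case; Node's
// http.IncomingMessage.headers gives them lowercased). Returns true only
// when the header is present with the value "nosniff" (browsers compare
// it case-insensitively); a missing header or any other value means the
// browser may still sniff the body.
function sniffingDisabled(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === HEADER_NAME.toLowerCase()) {
      return String(value).trim().toLowerCase() === HEADER_VALUE;
    }
  }
  return false;
}

// Stand-in for a Node/Express response object, constructed here so the
// example runs offline without Express or Helmet installed.
function makeFakeResponse() {
  const headers = {};
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
    getHeaders() { return { ...headers }; },
  };
}

// Send a response through the middleware and report what the client would
// see. Also shows the "before" state: a response that only sets
// Content-Type is still open to sniffing.
function demo() {
  const before = makeFakeResponse();
  before.setHeader('Content-Type', 'text/plain');

  const after = makeFakeResponse();
  after.setHeader('Content-Type', 'text/plain');
  let nextCalled = false;
  noSniff({}, after, () => { nextCalled = true; });

  return {
    nextCalled,                                              // true
    beforeDisabled: sniffingDisabled(before.getHeaders()),   // false
    afterDisabled: sniffingDisabled(after.getHeaders()),     // true
    headerValue: after.getHeader(HEADER_NAME),               // 'nosniff'
  };
}

console.log(demo());
```

The checker is the part worth keeping around: point it at the headers of any response from your deployed app (for example the object returned by a Node http client) to confirm the middleware is actually in the chain for that route.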
-————————————————————————————————————-
HelmetJS is a type of middleware for Express-based applications that automatically sets HTTP headers to prevent sensitive information from unintentionally being passed between the server and client. While HelmetJS does not account for all situations, it does include support for common ones like Content Security Policy, XSS Filtering, and HTTP Strict Transport Security, among others. HelmetJS can be installed on an Express project from npm, after which each layer of protection can be configured to best fit the project.
freeCodeCamp (also referred to as “Free Code Camp”) is a non-profit organization that consists ... https://www.youtube.com/watch?v=3VhJH3zuZwc