Practice & Assessment
Test your understanding of The Attacker's Mindset and HTTP Security Basics
Multiple Choice Questions
An attacker sends a request to your API with a custom Origin header: `Origin: evil.com`. Your server responds with `Access-Control-Allow-Origin: evil.com`. What is the security impact?
Which HTTP header directly prevents clickjacking attacks where an attacker embeds your page in a transparent iframe?
A CVE affecting a library you use has a CVSS score of 9.8 but requires the attacker to already have admin access to your application. How should you prioritize this?
What does `npm audit fix` do when it cannot resolve a vulnerability without a major version bump?
SSL stripping attacks are most effectively mitigated by which mechanism?
Coding Challenges
Implement Secure HTTP Headers for an Express App
Given a bare Express application in `app.js` that currently serves a JSON API, configure Helmet.js to set all security headers. Then write a custom middleware that validates the incoming `Origin` header against an allowlist array `['https://app.example.com', 'https://staging.example.com']` and returns `403 Forbidden` for any request with an Origin not in the list. The middleware should allow requests with no Origin header (server-to-server). Write a test using supertest that verifies: (1) responses include `x-frame-options: DENY`, (2) an invalid Origin receives a 403, (3) a valid Origin receives a 200. Time estimate: 20–25 minutes.
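The Origin allowlist middleware described in the challenge, written as an added example rather than a reference solution or code from the original assessment. It follows the Express `(req, res, next)` contract so it can be mounted with `app.use()`, but it has no dependency on Express, Helmet or supertest: the `runMiddleware` helper and its mock `req`/`res` objects are constructed here purely so the logic can be exercised offline. The `ALLOWED_ORIGINS` array is the one given in the challenge; the name `originAllowlist` is an assumption.

```javascript
// Added example, not code from the original assessment or any project it references.

const ALLOWED_ORIGINS = ['https://app.example.com', 'https://staging.example.com'];

// Build a middleware that rejects requests whose Origin is not on the allowlist.
function originAllowlist(allowlist) {
  // Compare the serialized origin exactly. Substring or suffix matching would let a
  // lookalike such as "https://app.example.com.example.net" through.
  const allowed = new Set(allowlist);

  return function checkOrigin(req, res, next) {
    const origin = typeof req.get === 'function' ? req.get('Origin') : req.headers['origin'];

    // No Origin header at all: server-to-server or same-origin navigation. Let it through.
    if (origin === undefined) {
      return next();
    }

    // The literal value "null" (sandboxed iframes, file:// pages) and any unknown origin
    // are refused. The rejected value is never echoed into Access-Control-Allow-Origin.
    if (!allowed.has(origin)) {
      res.status(403);
      return res.json({ error: 'Forbidden: origin not allowed' });
    }

    // Allowlisted origin: reflect only that value, and tell caches the answer depends on
    // Origin so one client's response is not served to another.
    res.set('Access-Control-Allow-Origin', origin);
    res.set('Vary', 'Origin');
    return next();
  };
}

// Minimal stand-ins for Express req/res (constructed for this example) so the
// middleware can be driven without starting a server.
function runMiddleware(middleware, headers) {
  const lowered = {};
  for (const [name, value] of Object.entries(headers)) lowered[name.toLowerCase()] = value;
  const req = { headers: lowered, get: (name) => lowered[name.toLowerCase()] };
  const res = {
    statusCode: 200,
    headers: {},
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    set(name, value) { this.headers[name.toLowerCase()] = value; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, headers: res.headers, body: res.body, nextCalled };
}

// Demonstration on constructed requests.
const demo = originAllowlist(ALLOWED_ORIGINS);
console.log(runMiddleware(demo, { Origin: 'https://app.example.com' }).status); // 200
console.log(runMiddleware(demo, { Origin: 'https://evil.com' }).status);        // 403
console.log(runMiddleware(demo, {}).status);                                     // 200
```

In a real app this sits before the route handlers (`app.use(originAllowlist(ALLOWED_ORIGINS))`) and after Helmet, so a rejected request still carries the baseline headers. The supertest assertions the challenge asks for map directly onto the three `runMiddleware` calls above.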
Mini Project
Security Baseline Audit Report for an Express API
You are given a starter Express application (`starter-app.zip`) that has no security configuration. Using everything from this module: (1) Run npm audit and document all findings in a markdown table with CVE ID, severity, package, and your triage decision. (2) Install and configure Helmet.js with a custom CSP that allows scripts only from 'self' and styles from 'self' plus 'unsafe-inline'. (3) Configure CORS to only allow `https://frontend.example.com` with credentials. (4) Add a redirect from HTTP to HTTPS and configure HSTS. (5) Test your headers with a local curl script that verifies all six security headers are present in the response. Deliverable: the patched app.js, your audit report markdown, and your curl test script.
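For step (5) of the mini project, the check itself can be separated from the `curl` call: capture the response with `curl -i` and feed the text to a small auditor. The following is an added example, not part of the original assessment or the starter app. The project says "six security headers" without listing them, so the `REQUIRED_HEADERS` set below is an assumption chosen for this example (swap in whichever six your module specifies); the two captured responses are constructed inline, not real server output.

```javascript
// Added example, not code from the original assessment or any project it references.

// Assumed list of the six baseline headers to verify (the assessment does not enumerate them).
const REQUIRED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'permissions-policy',
];

// Parse the status line and header block of a raw `curl -i` capture. Header names are
// case-insensitive, so they are lowercased; repeated headers are joined with commas.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const statusLine = lines.shift();
  const m = /^HTTP\/\d(?:\.\d)? (\d{3})/.exec(statusLine);
  const status = m ? Number(m[1]) : null;
  const headers = {};
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { status, headers };
}

// Report which required headers are missing, plus value-level warnings for headers
// that are present but configured weakly.
function auditSecurityHeaders(raw, required = REQUIRED_HEADERS) {
  const { headers } = parseResponseHead(raw);
  const missing = required.filter((h) => !(h in headers));
  const warnings = [];

  const hsts = headers['strict-transport-security'];
  if (hsts) {
    const maxAge = /max-age=(\d+)/i.exec(hsts);
    // A short max-age leaves a wide window in which SSL stripping still works.
    if (!maxAge || Number(maxAge[1]) < 31536000) {
      warnings.push('strict-transport-security: max-age below one year');
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo && !['DENY', 'SAMEORIGIN'].includes(xfo.toUpperCase())) {
    warnings.push(`x-frame-options: unexpected value "${xfo}"`);
  }

  const csp = headers['content-security-policy'];
  // The project allows 'unsafe-inline' for styles only; flag it if it leaks into script-src.
  if (csp && /script-src[^;]*'unsafe-inline'/i.test(csp)) {
    warnings.push("content-security-policy: script-src allows 'unsafe-inline'");
  }

  return { missing, warnings, pass: missing.length === 0 };
}

// Constructed sample captures (not real server output).
const GOOD_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json; charset=utf-8',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
  'X-Frame-Options: DENY',
  'X-Content-Type-Options: nosniff',
  'Referrer-Policy: no-referrer',
  'Permissions-Policy: camera=(), microphone=()',
  '',
  '{"ok":true}',
].join('\r\n');

const BARE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'X-Powered-By: Express',
  '',
  '{"ok":true}',
].join('\r\n');

console.log(auditSecurityHeaders(GOOD_RESPONSE)); // { missing: [], warnings: [], pass: true }
console.log(auditSecurityHeaders(BARE_RESPONSE).missing.length); // 6
```

Wired into a shell script, this would be `curl -si https://localhost:3000/ | node audit.js` with the script reading stdin; the auditor exits non-zero when `pass` is false so the check can gate a CI job.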
