This chapter has covered a lot of material. Still, it has only scratched the surface of web security. To truly raise the security bar, you should continue to do some research. There are some other common headers such as
X-Frame-Options that we did not have a chance to cover. Nonetheless, with the information you have gathered here, and with your self-ingenuity, you should be able to implement, for example, a
Content-Security-Policy header that works for your application. The first place I look for this kind of material is Mozilla's MDN website: https://developer.mozilla.org/en-US/. I highly recommend that you visit it to learn about web standards and practices.
So, what did we cover?
You should now be familiar with the concept of same-origin and how to develop a CORS policy to defeat both CSRF and XSS attacks. We also looked at three common schemes for authenticating users: API keys, session tokens, and JWT. And...