Transcript from the "Wrapping Up Web Security" Lesson
[00:00:28] But in either case, once a user lands on that page, the CSRF attack is carried out, and by the time they know what's happened, it's already too late. We built an example of clickjacking and positioned an iframe over a submit button and tricked the user into interacting with an app that was not ours, just through basically CSS.
[00:00:48] We talked a little bit about third-party assets and how we can use Subresource Integrity in order to ensure that, for assets that are not under our control, when they change we will be notified of those changes and we will sort of have to patch things up in order to take them into our app.
[00:01:13] We discussed resource tampering a little bit, and how things could happen on a CDN and how to insulate ourselves from that risk. And then finally we dealt with a couple of different things that could happen with a man-in-the-middle attack, and specifically how an attacker can downgrade HTTPS connections into plain HTTP, and then talked about how HSTS and public key pinning could be used to combat the basic version of that attack, where you have an unencrypted session between the attacker and the target.
[00:01:46] And then public key pinning, which would basically address the half of users who would click through the warning saying "this certificate doesn't look quite right." Now you'd be in a position where the user doesn't get to make that decision, and if there's a man-in-the-middle that has forged a certificate, they're not allowed to accept that and they're not allowed to carry on and perform that task.