Synopsys Software Integrity Group is now operating as Black Duck Software, Inc., a subsidiary of Synopsys. Click to learn more.

close search bar

Sorry, not available in this language yet

close language selection

Hapi.js Security

Course Description

Hapi is not your typical server-side JavaScript framework. Hapi's creators put a lot of effort into making Hapi work for you instead of against you. In this course, we look at what that means for security. By the end of this course, you will have a thorough understanding of the Hapi-specific security aspects of building modern applications.

Learning Objectives

  • Illustrate how common vulnerabilities manifest themselves in Hapi applications
  • Prevent path traversal and XSS vulnerabilities in Hapi applications
  • Identify how Hapi supports authentication, session management, and authorization
  • Explain how OAuth 2.0 and OpenID Connect can be integrated into a Hapi application
  • Define security best practices for modern Hapi applications
  •  

Details

Duration: 1  hour 45 minutes

Level: Intermediate

Intended Audience:

  • Back-End Developers

Prerequisites:

Course Outline

Introduction
  • What Hapi Is All About

Security in the Hapi Framework

  • Hapi's Security Philosophy
  • Hapi Modules and Plugins
  • Hapi Hapi Joi Joi
  • Logging in Hapi

Configuring Security Headers

  • The Effect of Security Headers
  • Security Headers in Hapi
  • Overview of Current Best Practices

Serving Static Files

  • Serving Static Files
  • Path Traversal Vulnerabilities
  • Serving Directories with Inert
  • Custom Path Validation

Mitigating XSS in Hapi Views

  • Hapi and Templating Engines
  • Refresher on XSS
  • Overview of XSS Mitigations
  • Mitigating XSS in Handlebars Views
  • Mitigating XSS in React Views

User Authentication in Hapi

  • Integrated User Authentication
  • Delegating Authentication with OpenID Connect
  • Combining OpenID Connect with OAuth 2.0

Session Management in Hapi

  • Sessions in Modern Applications
  • Cookie-Based Sessions in Hapi
  • Securing Cookies
  • Securing Cookies Best Practices
  • Cookie Security in Hapi

Making Authentication Decisions

  • Enforcing Authorization
  • Authorization on Routes
  • Entities and Scopes
  • Implement an Internal Authorization Mechanism
  • Handling External Access Tokens

Conclusion

  • Hapi and Security
  • Security Headers
  • Serving Files
  • Mitigating XSS When Serving HTML
  • Authentication and Session Management
  • Authorization

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster