1
00:00:02,200 --> 00:00:05,300
Now that's it for this course section.

2
00:00:05,300 --> 00:00:08,080
We had a look at a couple of attack patterns,

3
00:00:08,080 --> 00:00:10,220
and a couple of vulnerabilities,

4
00:00:10,220 --> 00:00:12,840
and I did show you how these attacks work

5
00:00:12,840 --> 00:00:15,333
and how you can protect against them.

6
00:00:16,480 --> 00:00:19,940
The key takeaways you should have from this section

7
00:00:19,940 --> 00:00:22,710
are that you should never trust your users

8
00:00:22,710 --> 00:00:25,470
and especially not their input.

9
00:00:25,470 --> 00:00:28,690
You should sanitize or clean that input

10
00:00:28,690 --> 00:00:31,050
before you process or store it,

11
00:00:31,050 --> 00:00:32,873
or you should escape it.

12
00:00:33,960 --> 00:00:36,960
You should definitely only output escaped content

13
00:00:36,960 --> 00:00:39,950
unless you have a strong reason for doing the opposite.

14
00:00:39,950 --> 00:00:42,350
And then, sanitizing is an extra step

15
00:00:42,350 --> 00:00:44,800
you could do instead of escaping,

16
00:00:44,800 --> 00:00:48,223
if you need to output raw content for whatever reason.

17
00:00:49,080 --> 00:00:50,960
But, you should always be careful

18
00:00:50,960 --> 00:00:52,800
when working with user input

19
00:00:52,800 --> 00:00:55,620
and you should use third party libraries.

20
00:00:55,620 --> 00:00:58,480
As I showed it to you throughout this course section,

21
00:00:58,480 --> 00:01:00,480
to work with such input

22
00:01:00,480 --> 00:01:02,800
when it comes to rendering it on a page

23
00:01:02,800 --> 00:01:07,370
or when it comes to putting it into your SQL statements.

24
00:01:07,370 --> 00:01:09,560
Regarding CSRF attacks,

25
00:01:09,560 --> 00:01:13,930
you should make sure that you add such a CSRF token into all

26
00:01:13,930 --> 00:01:16,330
your forms on your page.

27
00:01:16,330 --> 00:01:18,320
This token, as you learned,

28
00:01:18,320 --> 00:01:21,130
can be generated by third party packages.

29
00:01:21,130 --> 00:01:23,360
And it's only known to your server.

30
00:01:23,360 --> 00:01:26,690
It's only valid for one request response cycle,

31
00:01:26,690 --> 00:01:30,120
and it can't be guessed by other pages.

32
00:01:30,120 --> 00:01:33,620
Therefore, including such a token in all your forms

33
00:01:33,620 --> 00:01:37,820
ensures that no requests to your server can be sent from

34
00:01:37,820 --> 00:01:40,950
faked sites that might look like your site,

35
00:01:40,950 --> 00:01:43,210
and that's therefore also something you should keep in

36
00:01:43,210 --> 00:01:47,020
mind, and something you will see in that main project,

37
00:01:47,020 --> 00:01:49,893
which we're going to build in a couple of sections,

38
00:01:51,020 --> 00:01:53,390
but with that, that's it for security,

39
00:01:53,390 --> 00:01:57,900
when it comes to user input and dealing with user input. Now,

40
00:01:57,900 --> 00:02:00,638
to really round up this section,

41
00:02:00,638 --> 00:02:02,988
I got two other aspects you should be aware of.

