1 00:00:02,680 --> 00:00:05,310 The last security hole you should be aware of 2 00:00:05,350 --> 00:00:08,140 or the last security relevant concept you should be aware of 3 00:00:08,140 --> 00:00:13,820 to be precise is cross origin resource sharing and I did talk about this earlier already. 4 00:00:13,870 --> 00:00:17,260 It's not really an attack pattern but a security concept. 5 00:00:17,260 --> 00:00:24,010 The idea here is that requests from your browser side application can only be made to a backend, so to 6 00:00:24,010 --> 00:00:29,320 a server side that runs on the same server, so that the HTML page and the script that executes there 7 00:00:29,470 --> 00:00:31,300 was served by the same server 8 00:00:31,330 --> 00:00:32,980 you're trying to send the request to, 9 00:00:33,010 --> 00:00:37,000 that's how browsers by default work with your pages, 10 00:00:37,000 --> 00:00:39,280 this is what they allow by default. 11 00:00:39,280 --> 00:00:45,100 Now in modern web applications, you often need to send requests to other servers though, so a server which 12 00:00:45,100 --> 00:00:51,050 did not serve the running HTML and Javascript code but which only provides some API endpoints, 13 00:00:51,070 --> 00:00:54,880 some URLs to which you can send data, to store data or to fetch data, 14 00:00:54,880 --> 00:00:58,570 this is something we had to look at in the Node.js module. 15 00:00:58,570 --> 00:01:04,960 Then you can control via server side headers and only via server side response headers 16 00:01:04,970 --> 00:01:11,020 whether this request, this incoming request is allowed and you send back a valid response or not. 17 00:01:11,020 --> 00:01:16,420 So this is a concept where by default browsers would not allow you to reach out to some other server 18 00:01:16,840 --> 00:01:20,380 but with the right server side headers, you can override this. 19 00:01:20,470 --> 00:01:25,690 So it's a concept which in the end should secure servers so that not everyone can access their resources, 20 00:01:25,690 --> 00:01:31,360 not every page can access their resources at least but with the right headers on the server side, you can 21 00:01:31,360 --> 00:01:35,230 allow this and an example for that actually would be Javascript modules. 22 00:01:35,290 --> 00:01:42,260 This built-in Javascript concept also required a development server if you remember and it required 23 00:01:42,260 --> 00:01:48,310 a development server because Javascript modules, so Javascript files you import into another file 24 00:01:48,850 --> 00:01:51,700 are only allowed if they're from the same server. 25 00:01:51,820 --> 00:01:57,790 So I'm only used to importing another Javascript file which sits on the same server which is served by the 26 00:01:57,790 --> 00:01:58,890 same server 27 00:01:58,930 --> 00:02:03,790 and here we have no real way of changing this because that's a built-in security mechanism by browsers 28 00:02:04,000 --> 00:02:06,970 specifically for this Javascript feature. 29 00:02:06,970 --> 00:02:10,600 Another example though would be the Node.js application we worked on. 30 00:02:10,840 --> 00:02:17,320 There, we have our different routes which we handle on the backend, like add location and the request 31 00:02:17,320 --> 00:02:22,930 which is sent there is not sent from some page that is served by the same server, it's sent by a page 32 00:02:22,930 --> 00:02:28,810 that runs on a different domain, on a different server and still it works because here, I set these right 33 00:02:29,020 --> 00:02:31,810 CORS headers which tell the browser 34 00:02:31,810 --> 00:02:37,660 that's okay, this page which sends the request is allowed to get the data and therefore the browser won't 35 00:02:37,660 --> 00:02:38,520 block it. 36 00:02:38,710 --> 00:02:46,270 So it's a security mechanism which you can use or disable or configure to your needs based on your requirements. 37 00:02:46,270 --> 00:02:48,330 That's the idea behind CORS, 38 00:02:48,340 --> 00:02:50,890 this cross origin resource sharing concept.