From 7ce85a8f0366be5e1eeca2998ef23d025ee111d3 Mon Sep 17 00:00:00 2001
From: Tom <20648924+moT01@users.noreply.github.com>
Date: Wed, 4 Nov 2020 21:11:36 -0600
Subject: [PATCH] fix(learn): update helmet and bcrypt instructions so we can remove them from boilerplates (#39954)

* fix: update helmet and bcrypt lesson instructions
* fix: update instructions I missed
* Update curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md
Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>
* Update curriculum/challenges/english/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md
Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>

Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>
---
 ...ers-to-access-your-site-via-https-only-with-helmet.hsts.md | 2 +-
 ...id-inferring-the-response-mime-type-with-helmet.nosniff.md | 4 +++-
 .../disable-client-side-caching-with-helmet.nocache.md | 1 +
 .../disable-dns-prefetching-with-helmet.dnsprefetchcontrol.md | 1 +
 .../install-and-require-helmet.md | 2 ++
 ...-cross-site-scripting-xss-attacks-with-helmet.xssfilter.md | 4 ++--
 ...ent-ie-from-opening-untrusted-html-with-helmet.ienoopen.md | 1 +
 .../understand-bcrypt-hashes.md | 3 +++
 8 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.md
index 8bee65804e..a2df3db39f 100644
--- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.md
+++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/ask-browsers-to-access-your-site-via-https-only-with-helmet.hsts.md @@ -13,7 +13,7 @@ HTTP Strict Transport Security (HSTS) is a web security policy which helps to pr ## Instructions
-Configure helmet.hsts() to use HTTPS for the next 90 days. Pass the config object {maxAge: timeInSeconds, force: true}. Repl.it already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Repl.it header, after inspecting it for testing. +Configure helmet.hsts() to use HTTPS for the next 90 days. Pass the config object {maxAge: timeInSeconds, force: true}. You can create a variable `ninetyDaysInSeconds = 90*24*60*60;` to use for the `timeInSeconds`. Repl.it already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Repl.it header, after inspecting it for testing. Note: Configuring HTTPS on a custom website requires the acquisition of a domain, and a SSL/TSL Certificate.
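Review bot: The Note added at the end of this hunk reads "a SSL/TSL Certificate"; it should be "an SSL/TLS certificate" (TLS, not TSL), since this is a security lesson and learners will copy the acronym. In the same line, `helmet.hsts()` and the config object `{maxAge: timeInSeconds, force: true}` are plain text while `ninetyDaysInSeconds = 90*24*60*60;` and `timeInSeconds` are in backticks; wrap the former in backticks as well so the instruction renders consistently. The arithmetic itself is right: 90*24*60*60 is 7776000 seconds, which matches the stated 90 days.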
diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/avoid-inferring-the-response-mime-type-with-helmet.nosniff.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/avoid-inferring-the-response-mime-type-with-helmet.nosniff.md index 1a37af8b80..f5ff63476f 100644 --- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/avoid-inferring-the-response-mime-type-with-helmet.nosniff.md +++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/avoid-inferring-the-response-mime-type-with-helmet.nosniff.md @@ -7,13 +7,15 @@ forumTopicId: 301574 ## Description
+ As a reminder, this project is being built upon the following starter project on Repl.it, or cloned from GitHub. -Browsers can use content or MIME sniffing to adapt to different datatypes coming from a response. They override the Content-Type headers to guess and process the data. While this can be convenient in some scenarios, it can also lead to some dangerous attacks. This middleware sets the X-Content-Type-Options header to nosniff. This instructs the browser to not bypass the provided Content-Type. +Browsers can use content or MIME sniffing to override response `Content-Type` headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some dangerous attacks. This middleware sets the X-Content-Type-Options header to `nosniff`, instructing the browser to not bypass the provided `Content-Type`.
## Instructions
+Use the `helmet.noSniff()` method on your server.
## Tests diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-client-side-caching-with-helmet.nocache.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-client-side-caching-with-helmet.nocache.md index 326f10b2c6..4c8a2babd0 100644 --- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-client-side-caching-with-helmet.nocache.md +++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-client-side-caching-with-helmet.nocache.md @@ -14,6 +14,7 @@ If you are releasing an update for your website, and you want the users to alway ## Instructions
+Use the `helmet.noCache()` method on your server.
## Tests diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-dns-prefetching-with-helmet.dnsprefetchcontrol.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-dns-prefetching-with-helmet.dnsprefetchcontrol.md index 57c62b0606..1c784ff659 100644 --- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-dns-prefetching-with-helmet.dnsprefetchcontrol.md +++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/disable-dns-prefetching-with-helmet.dnsprefetchcontrol.md @@ -14,6 +14,7 @@ To improve performance, most browsers prefetch DNS records for the links in a pa ## Instructions
+Use the `helmet.dnsPrefetchControl()` method on your server.
## Tests diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md index 893e59468f..0d907f70ee 100644 --- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md +++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md @@ -14,6 +14,8 @@ Helmet helps you secure your Express apps by setting various HTTP headers. ## Instructions
+All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you. + Install Helmet version `3.21.3`, then require it.
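Review bot: This hunk tells learners their code goes in `myApp.js`, while the matching paragraph added to understand-bcrypt-hashes.md in this same patch names `server.js`. If the two boilerplates genuinely use different entry files that is fine, but please confirm, because a learner working through both sections in order will be given two different file names for the same kind of instruction and may edit the wrong file. The two paragraphs also differ in wording ("between the lines of code we have started you off with" here versus "between the code we have started you off with" in the bcrypt lesson); pick one phrasing and use it in both.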
diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet.xssfilter.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet.xssfilter.md index 09566a801f..f8ab3d43a4 100644 --- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet.xssfilter.md +++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-cross-site-scripting-xss-attacks-with-helmet.xssfilter.md 
@@ -11,13 +11,13 @@ As a reminder, this project is being built upon the following starter project on Cross-site scripting (XSS) is a frequent type of attack where malicious scripts are injected into vulnerable pages, with the purpose of stealing sensitive data like session cookies, or passwords. The basic rule to lower the risk of an XSS attack is simple: “Never trust user’s input”. As a developer you should always sanitize all the input coming from the outside. This includes data coming from forms, GET query urls, and even from POST bodies. Sanitizing means that you should find and encode the characters that may be dangerous e.g. <, >. Modern browsers can help mitigating the risk by adopting better software strategies. Often these are configurable via http headers. -The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it. -It still has limited support. +The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it. It still has limited support. ## Instructions
+Use `helmet.xssFilter()` to sanitize input sent to your server.
## Tests diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/prevent-ie-from-opening-untrusted-html-with-helmet.ienoopen.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/prevent-ie-from-opening-untrusted-html-with-helmet.ienoopen.md index 9e40c62069..34d4646b78 100644 --- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/prevent-ie-from-opening-untrusted-html-with-helmet.ienoopen.md +++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/prevent-ie-from-opening-untrusted-html-with-helmet.ienoopen.md @@ -14,6 +14,7 @@ Some web applications will serve untrusted HTML for download. Some versions of I ## Instructions
+Use the `helmet.ieNoOpen()` method on your server.
## Tests diff --git a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md index 39359d1505..105bef255a 100644 --- a/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md +++ b/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md @@ -15,6 +15,9 @@ BCrypt hashes will always looks like $2a$13$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1 ## Instructions
To begin using BCrypt, add it as a dependency in your project and require it as 'bcrypt' in your server. + +Add all your code for these lessons in the `server.js` file between the code we have started you off with. Do not change or delete the code we have added for you. + Submit your page when you think you've got it right.
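Review bot: In the avoid-inferring-the-response-mime-type hunk, the added reminder line carries a leading space after the `+` marker (`+ As a reminder, this project is being built upon ...`), whereas the same sentence appears without the space as unchanged context in the xssFilter lesson; drop the space so the two files render identically. The rewritten description also backticks `nosniff` and `Content-Type` but leaves `X-Content-Type-Options` in plain text; backtick the header name too.

Review bot: In the mitigate-the-risk-of-cross-site-scripting hunk, the new instruction "Use `helmet.xssFilter()` to sanitize input sent to your server" misstates what the middleware does and contradicts the description directly above it, which says the browser's heuristic filter does the detecting and neutralizing. `xssFilter()` only sets the `X-XSS-Protection` response header; it does not inspect or sanitize anything that reaches the server, and phrasing it this way risks learners believing input sanitization is handled for them. Suggest: "Use `helmet.xssFilter()` to set the `X-XSS-Protection` header", leaving the description's point that the developer must still sanitize all outside input.

Review bot: In the understand-bcrypt-hashes hunk, "Add all your code for these lessons in the `server.js` file between the code we have started you off with" reads awkwardly; "All your code for these lessons goes in the `server.js` file between the lines of code we have started you off with" would mirror the install-and-require-helmet wording. The paragraph is also inserted after the "add it as a dependency ... and require it as 'bcrypt'" step; since it applies to every lesson in the section, it would sit more naturally at the top of the Instructions block, as the helmet lesson does, rather than between the require step and "Submit your page".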