fix(learn): update helmet and bcrypt instructions so we can remove them from boilerplates (#39954)
* fix: update helmet and bcrypt lesson instructions
* fix: update instructions I missed
* Update curriculum/challenges/english/09-information-security/information-security-with-helmetjs/install-and-require-helmet.md

Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>

* Update curriculum/challenges/english/09-information-security/information-security-with-helmetjs/understand-bcrypt-hashes.md

Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>

Co-authored-by: Shaun Hamilton <51722130+Sky020@users.noreply.github.com>
@ -13,7 +13,7 @@ HTTP Strict Transport Security (HSTS) is a web security policy which helps to pr
|
||||
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
Configure <code>helmet.hsts()</code> to use HTTPS for the next 90 days. Pass the config object <code>{maxAge: timeInSeconds, force: true}</code>. Repl.it already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Repl.it header, after inspecting it for testing.
|
||||
Configure <code>helmet.hsts()</code> to use HTTPS for the next 90 days. Pass the config object <code>{maxAge: timeInSeconds, force: true}</code>. You can create a variable `ninetyDaysInSeconds = 90*24*60*60;` to use for the `timeInSeconds`. Repl.it already has hsts enabled. To override its settings you need to set the field "force" to true in the config object. We will intercept and restore the Repl.it header, after inspecting it for testing.
|
||||
Note: Configuring HTTPS on a custom website requires the acquisition of a domain, and a SSL/TSL Certificate.
|
||||
</section>
|
||||
|
||||
|
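Review bot: the unchanged note at the end of this hunk reads "a SSL/TSL Certificate"; since the file is being touched anyway, fix it to "an SSL/TLS certificate". The added `ninetyDaysInSeconds = 90*24*60*60;` hint is useful; consider also making explicit that `force: true` is only needed here because Repl.it already sets its own HSTS header, so learners do not carry that override into deployments where it is not required.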
@ -7,13 +7,15 @@ forumTopicId: 301574
|
||||
|
||||
## Description
|
||||
<section id='description'>
|
||||
|
||||
As a reminder, this project is being built upon the following starter project on <a href="https://repl.it/github/freeCodeCamp/boilerplate-infosec">Repl.it</a>, or cloned from <a href='https://github.com/freeCodeCamp/boilerplate-infosec/'>GitHub</a>.
|
||||
Browsers can use content or MIME sniffing to adapt to different datatypes coming from a response. They override the Content-Type headers to guess and process the data. While this can be convenient in some scenarios, it can also lead to some dangerous attacks. This middleware sets the X-Content-Type-Options header to nosniff. This instructs the browser to not bypass the provided Content-Type.
|
||||
Browsers can use content or MIME sniffing to override response `Content-Type` headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some dangerous attacks. This middleware sets the X-Content-Type-Options header to `nosniff`, instructing the browser to not bypass the provided `Content-Type`.
|
||||
</section>
|
||||
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
|
||||
Use the `helmet.noSniff()` method on your server.
|
||||
</section>
|
||||
|
||||
## Tests
|
||||
|
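Review bot: the rewritten description formats `Content-Type` and `nosniff` as code but leaves the header name X-Content-Type-Options unformatted; put it in backticks as well for consistency. Style nit in the unchanged reminder line: the Repl.it link uses double-quoted `href` while the GitHub link uses single quotes.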
@ -14,6 +14,7 @@ If you are releasing an update for your website, and you want the users to alway
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
|
||||
Use the `helmet.noCache()` method on your server.
|
||||
</section>
|
||||
|
||||
## Tests
|
||||
|
@ -14,6 +14,7 @@ To improve performance, most browsers prefetch DNS records for the links in a pa
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
|
||||
Use the `helmet.dnsPrefetchControl()` method on your server.
|
||||
</section>
|
||||
|
||||
## Tests
|
||||
|
@ -14,6 +14,8 @@ Helmet helps you secure your Express apps by setting various HTTP headers.
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
|
||||
All your code for these lessons goes in the `myApp.js` file between the lines of code we have started you off with. Do not change or delete the code we have added for you.
|
||||
|
||||
Install Helmet version `3.21.3`, then require it.
|
||||
</section>
|
||||
|
||||
|
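Review bot: "Install Helmet version `3.21.3`, then require it." does not say where the dependency is declared or which identifier the require should be bound to, whereas the bcrypt lesson in this same change says "add it as a dependency in your project and require it as ...". Mirror that wording here, e.g. "Add `helmet` version `3.21.3` to your `package.json` dependencies and require it as `helmet` in `myApp.js`", so the expectation is unambiguous if the tests check the variable name.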
@ -11,13 +11,13 @@ As a reminder, this project is being built upon the following starter project on
|
||||
Cross-site scripting (XSS) is a frequent type of attack where malicious scripts are injected into vulnerable pages, with the purpose of stealing sensitive data like session cookies, or passwords.
|
||||
The basic rule to lower the risk of an XSS attack is simple: “Never trust user’s input”. As a developer you should always sanitize all the input coming from the outside. This includes data coming from forms, GET query urls, and even from POST bodies. Sanitizing means that you should find and encode the characters that may be dangerous e.g. <, >.
|
||||
Modern browsers can help mitigating the risk by adopting better software strategies. Often these are configurable via http headers.
|
||||
The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it.
|
||||
It still has limited support.
|
||||
The X-XSS-Protection HTTP header is a basic protection. The browser detects a potential injected script using a heuristic filter. If the header is enabled, the browser changes the script code, neutralizing it. It still has limited support.
|
||||
</section>
|
||||
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
|
||||
Use `helmet.xssFilter()` to sanitize input sent to your server.
|
||||
</section>
|
||||
|
||||
## Tests
|
||||
|
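Review bot: "Use `helmet.xssFilter()` to sanitize input sent to your server." contradicts the description above it: per that text, `xssFilter()` sets the X-XSS-Protection response header so the browser's heuristic filter can neutralize an injected script, while sanitizing input is something the developer must do separately. Suggest "Use `helmet.xssFilter()` to set the X-XSS-Protection header on your server." Also, in the unchanged description lines, "help mitigating the risk" should be "help mitigate the risk".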
@ -14,6 +14,7 @@ Some web applications will serve untrusted HTML for download. Some versions of I
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
|
||||
Use the `helmet.ieNoOpen()` method on your server.
|
||||
</section>
|
||||
|
||||
## Tests
|
||||
|
@ -15,6 +15,9 @@ BCrypt hashes will always looks like <code>$2a$13$ZyprE5MRw2Q3WpNOGZWGbeG7ADUre1
|
||||
## Instructions
|
||||
<section id='instructions'>
|
||||
To begin using BCrypt, add it as a dependency in your project and require it as 'bcrypt' in your server.
|
||||
|
||||
Add all your code for these lessons in the `server.js` file between the code we have started you off with. Do not change or delete the code we have added for you.
|
||||
|
||||
Submit your page when you think you've got it right.
|
||||
</section>
|
||||
|
||||
|
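Review bot: "require it as 'bcrypt' in your server" is ambiguous about whether `'bcrypt'` is the module name passed to `require` or the variable it is assigned to; write it out, e.g. `const bcrypt = require('bcrypt');`. The context line in the hunk header reads "will always looks like"; fix to "will always look like". And "between the code we have started you off with" should match the helmet lesson's "between the lines of code we have started you off with".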