Web Security Fundamentals for Developers
Master the core attack vectors, defenses, and secure coding patterns every web developer must know. You will build a hardened Express API with authentication, input validation, rate limiting, and security headers by the end of this course.
Course Content
6 modules · 30 lessonsThe Attacker's Mindset and HTTP Security Basics
Understand how attackers think and configure HTTP-level defenses before writing a single line of application code.
How web attacks work: the attacker's perspective
threat modeling, attack surface, trust boundaries, recon phase, exploit chain, defense in depth
What are HTTP security headers and why do they matter
Content-Security-Policy, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
How HTTPS protects data in transit and when it does not
TLS handshake, certificate validation, mixed content, HSTS preload, SSL stripping, certificate pinning
CORS explained: what it prevents and what it does not
same-origin policy, CORS preflight, Access-Control headers, wildcard origin, credentials mode, CORS misconfiguration
How to read and understand a security vulnerability report (CVE)
CVE format, CVSS score, severity ratings, affected versions, remediation steps, NVD database, npm audit
Injection Attacks: SQL, Command, and LDAP
Identify and fix injection vulnerabilities in database queries, shell commands, and directory lookups before they reach production.
How SQL injection works and why parameterized queries prevent it
SQL injection mechanics, string concatenation vulnerability, parameterized queries, prepared statements, ORM safety, blind SQLi
How to prevent NoSQL injection in MongoDB queries
NoSQL injection mechanics, MongoDB operator injection, $where operator risks, express-mongo-sanitize, input type validation, Mongoose schema enforcement
What is OS command injection and how to avoid shell calls
command injection mechanics, child_process risks, shell metacharacters, execFile vs exec, avoiding shell, input allowlisting, shellescape
Path traversal attacks: how attackers escape your intended directory
path traversal mechanics, ../ sequences, URL decoding bypass, path.resolve and path.join, realpath validation, allowlist of accessible paths
Input validation vs output encoding: which to use when
input validation strategy, allowlist vs denylist, output encoding, context-aware escaping, joi schema validation, DOMPurify, HTML encoding
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
Understand the mechanics of XSS and CSRF, implement a Content Security Policy, and protect state-changing endpoints with CSRF tokens.
How stored XSS works and why output encoding stops it
stored XSS mechanics, reflected XSS, DOM XSS, script injection via HTML, output context, HTML entity encoding, textContent vs innerHTML
Content Security Policy: how to block XSS at the browser level
CSP directives, script-src nonce, hash-based CSP, unsafe-inline risks, CSP reporting, report-uri, strict CSP, CSP level 3
How CSRF attacks work: forging requests with victim's cookies
CSRF mechanics, same-site cookie attribute, SameSite=Strict, SameSite=Lax, CSRF tokens, idempotent GET requests, state-changing requests
Implementing CSRF tokens with the double-submit cookie pattern
CSRF token mechanics, synchronizer token pattern, double-submit cookie, csrf npm package, token validation, per-session vs per-request tokens
DOM-based XSS: how client-side JavaScript creates injection sinks
DOM XSS sources, DOM XSS sinks, location.hash, document.write, eval risks, jQuery html(), trusted types, sanitize-html, DOMPurify
Authentication and Session Security
Implement secure authentication from password hashing to JWT validation, and protect sessions against fixation, hijacking, and brute force.
How to hash passwords correctly: bcrypt, Argon2, and why MD5 is broken
password hashing vs encryption, salting, bcrypt cost factor, Argon2id, rainbow table attacks, GPU cracking, why MD5/SHA1 are wrong for passwords
How JWTs work and the security mistakes developers make with them
JWT structure, signing algorithms, HS256 vs RS256, none algorithm attack, algorithm confusion, expiry claims, JWT secret strength, token storage
Session fixation and session hijacking: how to secure session IDs
session fixation attack, session regeneration on login, session hijacking, secure and httpOnly cookie flags, session expiry, express-session configuration
Rate limiting and account lockout to stop brute force attacks
brute force mechanics, rate limiting strategy, express-rate-limit, IP-based vs account-based limiting, lockout vs throttling, CAPTCHA, credential stuffing
OAuth 2.0 and OpenID Connect: delegated authentication done right
OAuth 2.0 flows, authorization code flow, PKCE, state parameter, implicit flow risks, access tokens vs ID tokens, token validation, third-party library use
Access Control and Authorization
Design and implement role-based and attribute-based access control that prevents privilege escalation, IDOR, and mass assignment vulnerabilities.
What is IDOR and how to prevent insecure direct object references
IDOR mechanics, direct object references, ownership validation, indirect references, UUID vs sequential ID risks, authorization checks vs authentication
Role-based access control (RBAC): designing and implementing permission systems
RBAC model, roles vs permissions, middleware-based enforcement, least privilege principle, role assignment, permission escalation prevention, casbin
Mass assignment vulnerabilities: how to prevent field injection attacks
mass assignment mechanics, req.body spread, whitelist vs blacklist fields, Mongoose strict mode, DTO pattern, allowlist-based field filtering
Privilege escalation: how attackers gain higher permissions
vertical privilege escalation, horizontal privilege escalation, role parameter tampering, forced browsing, function-level access control, audit logging
Implementing middleware-based authorization in Express
authorization middleware chain, authentication vs authorization, centralized vs route-level enforcement, route guard pattern, middleware composition, error handling in auth middleware
Secrets Management, Dependencies, and Security in CI/CD
Prevent secrets from leaking, keep dependencies secure, and build security checks into your deployment pipeline before code reaches production.
How secrets leak and how to manage them with environment variables
secret types, git history leaks, .env files, dotenv library, .gitignore best practices, secret rotation, 12-factor app config, never hardcoding secrets
How to use a secrets manager: Vault, AWS Secrets Manager, and dotenv-vault
secrets manager concepts, static vs dynamic secrets, secret rotation, Vault basics, AWS Secrets Manager SDK, HashiCorp Vault Node.js, least privilege IAM
Supply chain attacks: securing your npm dependencies
supply chain attack mechanics, dependency confusion, typosquatting, npm audit, lockfiles, exact versions, package integrity checks, provenance attestations
Security scanning in CI/CD: SAST, DAST, and secret scanning
SAST vs DAST, static analysis tools, ESLint security plugin, Semgrep, secret scanning with git-secrets, OWASP ZAP for DAST, GitHub Actions security workflow, shift-left security
Docker and container security basics for developers
non-root container user, minimal base images, .dockerignore, read-only filesystem, environment variable injection, no secrets in Dockerfile, image scanning with Trivy