Introduction to the Course

This is a course about web application security. It attempts to summarize security best practices when building web applications.

With great power comes great responsibility

Today’s web platform allows developers to build products like push notifications, geolocation, and localStorage with technologies that were unimaginable just a few years ago.

These technologies come at a cost though. The spectrum of vulnerabilities is amplified, which means that there’s more we must know when developing for the web.

When iframes were introduced, everyone was quick to point out how great they were, as they easily allowed embedding content from different webpages. Few thought that the very same technology would serve as the basis for clickjacking, a vulnerability that is only possible thanks to iframes, an additional feature of the HTML standard.

As Wikipedia puts it:

Clickjacking is possible because [of] seemingly harmless features of HTML web pages.

Did you know that Cross-Site Request Forgery (CSRF) attacks are about to disappear? How you ask? It’s all thanks to browsers supporting SameSite cookies which will be discussed further on in the course.

An everchanging web landscape

The landscape surrounding the web is changing quickly. Having a good understanding of the platform and a keen eye on security is important for every developer. This is the goal of this course: to make sure we’ve raised our security awareness.

This course was written to demystify web security and make it easier for the everyday developer to understand important, security-related aspects of this universal platform.

Code

Some of the code provided will have to be run locally on your machine. It is advisable to clone this repo: https://github.com/odino/wasec, and then pull the latest code when running each example so you have the latest version of it.

---

In the next lesson, we’ll discuss who this course is for.