Web Application Security

Authors: Scott Helme, Troy Hunt, Lars Klint, Peter Mosmans, Michael Perry, Andrew van der Stock

Web application security encompasses the security methods applied to websites, web applications, and web services. In this series you’ll learn how to develop and maintain secure...


Begin with an overview of concepts fundamental to web application security.

Play by Play: Modern Web Security Patterns

by Lars Klint

Apr 18, 2018 / 1h 24m

Play by Play is a series in which top technologists work through a problem in real time, unrehearsed, and unscripted. In this course, Play by Play: Modern Web Security Patterns, Troy Hunt and Lars Klint investigate current web security approaches and trends with real-world examples, and then dive into how these incidents and errors can be fixed with easy-to-use techniques. You'll learn how subresource integrity checking validates third-party assets, see content security policies in action and learn how to configure them, and get crucial knowledge on why HTTPS matters and which tools you can use to test your site. By the end of this course, you’ll have the tools you need to secure your web assets with modern web security standards.

Table of contents
  1. Course Overview (2m)
  2. Current Issues of Web Development Security (8m)
  3. Subresource Integrity Checking and Content Security Policies (33m)
  4. Improving and Testing HTTPS (34m)
  5. Improving The Communication (5m)

What Every Developer Must Know About HTTPS

by Troy Hunt

Apr 12, 2017 / 3h 24m

Securing the transport layer of any application talking over the web is an essential attribute of modern software. However, HTTPS is frequently not implemented due to perceived (rather than actual) barriers, and when it is, it's often done poorly. Not only that, but many modern browser features that can help streamline secure communications (and actually make it more efficient and resilient) are rarely used. In this course, What Every Developer Must Know About HTTPS, you will learn all about why you need HTTPS. First, you'll learn the many positive things that HTTPS does. Next, you'll learn about what many people perceive as barriers to HTTPS adoption. Finally, you'll spend some time exploring topics that go beyond the basics of HTTPS. By the end of this course, you'll have the fundamental knowledge to both implement HTTPS properly from the outset and retrofit it to existing applications.

Table of contents
  1. Course Overview (1m)
  2. The HTTPS Value Proposition (37m)
  3. HTTPS Fundamentals (28m)
  4. Securing the Application (44m)
  5. Overcoming (Perceived) Barriers to HTTPS (48m)
  6. Beyond the Basics (43m)

Introduction to Browser Security Headers

by Troy Hunt

Aug 19, 2015 / 3h 4m

Security is all about defense in depth: applying layer upon layer of security controls such that any one single failure does not lead to a compromise of the application. One of those layers is the browser itself, which is becoming increasingly intelligent when it comes to implementing defenses. Security headers are a way of telling the browser how a website may behave when it’s loaded into the client. They provide numerous defenses against a variety of attacks in ways that have not previously been possible with security controls that ran solely on the server. In this course, we’ll walk through a number of essential security headers that provide even greater levels of defense for web applications. We’ll look at how they’re intended to work, what attacks they protect against, and how you can easily implement them in your website.

Table of contents
  1. Understanding Browser Security Headers (27m)
  2. HTTP Strict Transport Security (HSTS) (34m)
  3. HTTP Public Key Pinning (HPKP) (38m)
  4. Content Security Policy (CSP) (59m)
  5. Tools for Working with Browser Headers (25m)

Modern Browser Security Reports

by Troy Hunt

Aug 3, 2018 / 57m

In this course, Modern Browser Security Reports, Troy Hunt and Scott Helme discuss how browsers have evolved in recent years to provide a range of new security constructs and increasingly involve the ability to report back to site owners when something unexpected of a security nature occurs. Learn the features of content security policies, HTTP public key pinning, certificate authority authorization, certificate transparency, and cross-site scripting reporting. By the end of this course, you’ll be able to implement browser security reporting features on any website.

Table of contents
  1. Course Overview (1m)
  2. Importance of Browser Security Reporting (2m)
  3. Content Security Policies (CSP) Reporting (17m)
  4. HTTP Public Key Pinning Reporting (10m)
  5. Certificate Authority Authorization (CAA) Reporting (4m)
  6. Certificate Transparency (CT) Reporting (10m)
  7. Cross-site Scripting (XSS) Reporting (9m)
  8. Wrap-up (1m)


Next, explore the 2017 OWASP Top 10 web application risks, and learn how these risks are exploited and conversely how to prevent introducing them into your application.

Play by Play: OWASP Top 10 2017

by Troy Hunt

May 14, 2018 / 1h 12m

Play by Play is a series in which top technologists work through a problem in real time, unrehearsed, and unscripted. In this course, Play by Play: OWASP Top 10 2017, Troy Hunt and Andrew van der Stock discuss the methodology used to construct the 2017 version of the OWASP Top 10. You’ll learn how the analysis of the data collected resulted in a reordering of the risks from the 2013 version, the inclusion of new risks, and the demotion of some risks that were included in previous versions. By the end of this course, you’ll be familiar with each risk and understand how best to use the 2017 OWASP Top 10.

Table of contents
  1. Course Overview (2m)
  2. Introduction (7m)
  3. The OWASP Top 10 2017 (55m)
  4. The Missing Risks and the Big Picture (7m)

Hack Yourself First: How to go on the Cyber-Offense

by Troy Hunt

Aug 30, 2013 / 9h 25m

The prevalence of online attacks against websites has accelerated in recent years, and the same risks continue to be readily exploited. However, these are very often easily identified directly within the browser; it's just a matter of understanding the vulnerable patterns to look for. This course approaches security from the view of the attacker, whose entry point is typically the browser: they have a website they want to probe for security risks, and this is how they go about it. This approach is more reflective of the real online threat than reviewing source code is, and it empowers developers to begin immediately assessing their applications even when they're running in a live environment without access to the source. After all, that's what online attackers are doing.

Table of contents
  1. Introduction (25m)
  2. Transport Layer Protection (1h 8m)
  3. Cross Site Scripting (XSS) (57m)
  4. Cookies (45m)
  5. Internal Implementation Disclosure (1h 9m)
  6. Parameter Tampering (1h 31m)
  7. SQL Injection (1h 16m)
  8. Cross Site Attacks (1h 0m)
  9. Account Management (1h 10m)

Secure Coding: Preventing Insecure Deserialization

by Peter Mosmans

Mar 21, 2018 / 1h 2m

As a developer, it is important to be familiar with the common vulnerabilities found in web applications. Insecure deserialization is one of those vulnerabilities, ranking 8th in the OWASP Top 10 2017. In this course, Secure Coding: Preventing Insecure Deserialization, you will learn how to properly defend yourself against that particular vulnerability. First, you will learn about the basics of serialization and deserialization, and about the various serialization file formats. Next, you will discover what insecure deserialization actually is and how it can be exploited: in order to fix the problem, you need to know what can go wrong. Finally, you will explore how to properly prevent insecure deserialization in any development language or framework. By the end of this course, you will have the secure coding skills and knowledge needed to prevent insecure deserialization vulnerabilities from creeping into your application.

Table of contents
  1. Course Overview (1m)
  2. What Is Serialization and Deserialization? (23m)
  3. Deserialization: How It Can Be Exploited (8m)
  4. Insecure Patterns for Deserialization (13m)
  5. How to Securely Implement Deserialization (15m)

Secure Coding: Preventing Insufficient Logging and Monitoring

by Peter Mosmans

Jul 25, 2018 / 1h 23m

It is extremely important for the security of your company to know what is currently happening to your application. This is achieved by proper application logging and monitoring. In this course, Secure Coding: Preventing Insufficient Logging and Monitoring, you will learn what to think about when setting up logging and monitoring for applications. First, you will learn what is meant by the risk of insufficient logging and monitoring. Next, you'll explore what your application should and shouldn't log. Finally, you'll discover how to ensure and improve the quality of log files. When you're finished with this course, you'll have the application logging and monitoring skills and knowledge needed to detect (future) security incidents in time.

Table of contents
  1. Course Overview (1m)
  2. Understanding Insufficient Logging and Monitoring (24m)
  3. Determining What Applications Should and Should Not Log (22m)
  4. Improving and Ensuring the Quality of Logfiles (18m)
  5. Applying an Effective Monitoring Strategy (16m)


Finally, dig into more advanced web application security concepts.

Secure Account Management Fundamentals

by Troy Hunt

Jan 3, 2015 / 7h 1m

A fundamental component of many modern day applications is the ability to create and manage user accounts. So many of the services we use every day as consumers and build as developers depend on the ability for customers to register, login, and then perform tasks under their identity. However, every day we see a barrage of attacks against poorly implemented account management facilities. These range from brute force attacks against the login to the impersonation of authenticated users, to the cracking of breached passwords. Often, weaknesses in account management facilities are simply due to the developers not having thought through the potential risks from a hacker's mindset. This course demonstrates how attackers think and exploit these weaknesses. There are numerous high-profile precedents including the celebrity iCloud photo hack, GitHub account attacks and Dropbox credential disclosure. In some of these cases, oversights in secure account management practices left systems unnecessarily vulnerable whilst in others, good practices undoubtedly mitigated the scale of the damage caused. This course regularly refers to real world examples – both good and bad – as a means of illustrating risks and the effectiveness of security controls.

Table of contents
  1. Introduction (17m)
  2. Fundamental Security Concepts (26m)
  3. Password Storage (32m)
  4. Registration (1h 11m)
  5. Logon (1h 2m)
  6. Remember Me (26m)
  7. Account Details Change (46m)
  8. Password Reset (50m)
  9. Logoff (33m)
  10. Additional Considerations (52m)

Cryptography Fundamentals for Developers and Security Professionals

by Michael Perry

May 16, 2014 / 4h 14m

The Java and .NET frameworks contain all the algorithms you need to keep your users' data secret from prying eyes. Web servers like Apache, Tomcat, and IIS, combined with tools like OpenSSL, keep your users secure online. But to use these tools correctly, and to avoid mistakes of the past, you must understand how cryptography works. Learn the math behind encryption and digital signatures. Study examples of how it has been misused, and explore the possibilities that cryptography enables in digital currency and collaboration.

Table of contents
  1. History of Cryptography (36m)
  2. Algorithms (53m)
  3. APIs (36m)
  4. Transport Layer Security (22m)
  5. Authentication and Authorization (40m)
  6. Case Studies (28m)
  7. Decentralized Systems (37m)

What you will learn

  • Web security patterns
  • HTTPS fundamentals
  • Browser security headers and reporting
  • 2017 OWASP Top 10 web application risks
  • Secure account management best practices
  • Cryptography fundamentals


This path is intended for developers interested in learning secure web application development practices and techniques and assumes viewers have a solid understanding of programming. This path is language-agnostic and suited for any web application developer regardless of your language of choice.
