Web Application Security

Authors: Lars Klint, Troy Hunt, Scott Helme, Andrew van der Stock, Peter Mosmans, Michael Perry

Web application security encompasses the security methods applied to websites, web applications, and web services. In this series you’ll learn how to develop and maintain secure...

What you will learn

  • Web security patterns
  • HTTPS fundamentals
  • Browser security headers and reporting
  • 2017 OWASP Top 10 web application risks
  • Secure account management best practices
  • Cryptography fundamentals


This path is intended for developers interested in learning secure web application development practices and techniques and assumes viewers have a solid understanding of programming. This path is language-agnostic and suited for any web application developer regardless of your language of choice.


Begin with an overview of concepts fundamental to web application security.

Play by Play: Modern Web Security Patterns

by Lars Klint

Apr 18, 2018 / 1h 24m


Play by Play is a series in which top technologists work through a problem in real time, unrehearsed and unscripted. In this course, Play by Play: Modern Web Security Patterns, Troy Hunt and Lars Klint investigate current web security approaches and trends using real-world examples, then dive into how these incidents and errors can be fixed with easy-to-use techniques. Learn how subresource integrity checking validates third-party assets, see content security policies in action and learn how to configure them, and understand why HTTPS matters and which tools you can use to test your site. By the end of this course, you’ll have the tools you need to secure your web assets with modern web security standards.
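Subresource integrity is the first technique the course names. The following Python example is added here to show the mechanics; it is not course material. It computes the integrity token for an asset, emits the tag a page would carry, and replays the browser's matching rule (unknown algorithms are ignored, only the strongest listed algorithm is consulted, and an attribute with no usable tokens is treated as absent). The asset bytes are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib

# Algorithms the SRI specification allows; a browser ignores any other token.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(data: bytes, alg: str = "sha384") -> str:
    """Return the integrity token for data, e.g. 'sha384-<base64 digest>'."""
    digest = SUPPORTED[alg](data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes) -> str:
    """Emit a <script> tag pinned to the exact bytes that were reviewed.

    crossorigin="anonymous" is required for a cross-origin asset; without it
    the browser cannot read the response to check it and blocks the load.
    """
    return (f'<script src="{src}" integrity="{sri_digest(data)}" '
            f'crossorigin="anonymous"></script>')


def sri_check(data: bytes, integrity: str) -> bool:
    """Apply the browser's matching rule to fetched bytes.

    Tokens with unknown algorithms are dropped. Among the remaining tokens only
    the strongest algorithm is consulted, and any one of its digests may match.
    If no token is usable the attribute is treated as absent (load allowed).
    """
    tokens = []
    for token in integrity.split():
        alg, _, digest = token.partition("-")
        if alg in SUPPORTED:
            tokens.append((alg, digest.split("?", 1)[0]))  # drop "?options"
    if not tokens:
        return True
    best = max(STRENGTH[alg] for alg, _ in tokens)
    for alg, digest in tokens:
        if STRENGTH[alg] != best:
            continue
        actual = base64.b64encode(SUPPORTED[alg](data).digest()).decode("ascii")
        if actual == digest:
            return True
    return False


# Constructed stand-in for a third-party script.
ASSET = b"console.log('vendor.js loaded');\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example/vendor.js", ASSET))
```

The strongest-only rule is the one to remember when you list several digests: a stale sha512 token next to a correct sha256 token fails the load, because the browser never falls back to the weaker algorithm.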

Table of contents
  1. Course Overview
  2. Current Issues of Web Development Security
  3. Subresource Integrity Checking and Content Security Policies
  4. Improving and Testing HTTPS
  5. Improving The Communication

What Every Developer Must Know About HTTPS

by Troy Hunt

Apr 12, 2017 / 3h 25m


Securing the transport layer of any application talking over the web is becoming an absolutely essential attribute of modern software. However, HTTPS is frequently not implemented due to perceived (rather than actual) barriers, and when it is, it's often done poorly. Not only that, but many modern browser features that can help streamline secure communications (and actually make it more efficient and resilient) are rarely used. In this course, What Every Developer Must Know About HTTPS, you will learn all about why you need HTTPS. First, you'll learn the many positive things that HTTPS does. Next, you'll learn about what many people perceive as barriers to HTTPS adoption. Finally, you'll spend some time exploring topics that go beyond the basics of HTTPS. By the end of this course, you'll have the fundamental knowledge to both implement HTTPS properly from the outset and retrofit it to existing applications.

Table of contents
  1. Course Overview
  2. The HTTPS Value Proposition
  3. HTTPS Fundamentals
  4. Securing the Application
  5. Overcoming (Perceived) Barriers to HTTPS
  6. Beyond the Basics

Introduction to Browser Security Headers

by Troy Hunt

Aug 19, 2015 / 3h 5m


Security is all about defense in depth: applying layer upon layer of security controls such that any one single failure does not lead to a compromise of the application. One of those layers is the browser itself, which is becoming increasingly intelligent when it comes to implementing defenses. Security headers are a way of telling the browser how a website may behave when it’s loaded into the client. They provide numerous defenses against a variety of attacks in ways that have not previously been possible with security controls that ran solely on the server. In this course, we’ll walk through a number of essential security headers that provide even greater levels of defense for web applications. We’ll look at how they’re intended to work, what attacks they protect against, and how you can easily implement them in your website. Note that HTTP Public Key Pinning (HPKP), covered in module 3, has since been deprecated and removed from the major browsers because a mistaken or malicious pin can lock users out of a site; treat that module as background and rely on HSTS, Certificate Transparency and CAA instead.

Table of contents
  1. Understanding Browser Security Headers
  2. HTTP Strict Transport Security (HSTS)
  3. HTTP Public Key Pinning (HPKP)
  4. Content Security Policy (CSP)
  5. Tools for Working with Browser Headers
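As a concrete companion to the headers above, the following Python example (added here; not from the course) audits a response's headers the way a header-checking tool would: it parses Strict-Transport-Security and Content-Security-Policy and reports the findings a reviewer would raise. The header sets and the thresholds (one-year HSTS max-age, no 'unsafe-inline' or wildcard script sources) are constructed assumptions for the example.

```python
from __future__ import annotations

ONE_YEAR = 31_536_000


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.

    Flags map to True, key=value pairs to their string value; keys are
    lower-cased because directive names are case-insensitive.
    """
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip().strip('"') if val else True
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one response; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        p = parse_hsts(hsts)
        try:
            max_age = int(p.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below one year")
        if "includesubdomains" not in p:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when absent.
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present,
            # but its presence still marks a policy that needs tightening.
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in script:
                    findings.append(f"CSP script sources allow {bad}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "x-frame-options" not in h and "frame-ancestors" not in policy:
        findings.append("no clickjacking defense (X-Frame-Options or CSP frame-ancestors)")
    return findings


# Constructed header sets for the example.
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
STRONG = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' https://cdn.example; "
                                "frame-ancestors 'none'; report-uri /csp-report"),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_headers(hdrs) or "no findings")
```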

Modern Browser Security Reports

by Troy Hunt

Aug 3, 2018 / 58m



In this course, Modern Browser Security Reports, Troy Hunt and Scott Helme discuss how browsers have evolved in recent years to provide a range of new security constructs and increasingly involve the ability to report back to site owners when something unexpected of a security nature occurs. Learn the features of content security policies, HTTP public key pinning, certificate authority authorization, certificate transparency, and cross-site scripting reporting. By the end of this course, you’ll be able to implement browser security reporting features on any website.

Table of contents
  1. Course Overview
  2. Importance of Browser Security Reporting
  3. Content Security Policies (CSP) Reporting
  4. HTTP Public Key Pinning Reporting
  5. Certificate Authority Authorization (CAA) Reporting
  6. Certificate Transparency (CT) Reporting
  7. Cross-site Scripting (XSS) Reporting
  8. Wrap-up
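Reporting only pays off if something consumes the reports. The following Python example (added here; not from the course) is the receiving end of a CSP report-uri endpoint: it validates the posted JSON, drops reports caused by browser extensions rather than by the site's policy, and aggregates the rest by directive and blocked URI. The report bodies are constructed for the example, following the documented csp-report field names; the size cap and noise list are assumptions.

```python
from __future__ import annotations

import json
from collections import Counter

# Schemes that nearly always mean an extension injected something into the
# page; they say nothing about the site's own policy.
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                 "safari-web-extension"}
# The endpoint is public and unauthenticated, so cap what it will accept.
MAX_BODY = 16 * 1024


def parse_report(body: bytes) -> dict | None:
    """Return the csp-report object, or None for anything malformed or oversized."""
    if len(body) > MAX_BODY:
        return None
    try:
        doc = json.loads(body)
    except ValueError:          # covers JSONDecodeError and bad UTF-8
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report


def is_noise(report: dict) -> bool:
    blocked = str(report.get("blocked-uri", ""))
    scheme = blocked.split(":", 1)[0].lower() if ":" in blocked else ""
    return scheme in NOISE_SCHEMES


def directive_of(report: dict) -> str:
    # Newer browsers send effective-directive; older ones only send
    # violated-directive, whose value is "directive source-list...".
    return report.get("effective-directive") or report["violated-directive"].split()[0]


def summarize(bodies) -> Counter:
    """Count real violations by (directive, blocked-uri).

    Field values are attacker-controllable: treat them as data, never render
    them into HTML or shell commands when building a dashboard on top of this.
    """
    counts: Counter = Counter()
    for body in bodies:
        report = parse_report(body)
        if report is None or is_noise(report):
            continue
        counts[(directive_of(report), str(report.get("blocked-uri", "")))] += 1
    return counts


def make_body(**fields) -> bytes:
    """Build a constructed report body in the shape a browser POSTs."""
    return json.dumps({"csp-report": fields}).encode("utf-8")


SKIMMER = make_body(**{
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://evil.example/skim.js",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp-report",
})
INLINE_STYLE = make_body(**{          # older browser: no effective-directive
    "document-uri": "https://shop.example/",
    "violated-directive": "style-src 'self'",
    "blocked-uri": "inline",
})
EXTENSION = make_body(**{
    "document-uri": "https://shop.example/",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "chrome-extension://abcdefghijklmnop/content.js",
})
SAMPLE_BODIES = [SKIMMER, SKIMMER, INLINE_STYLE, EXTENSION, b"not json"]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_BODIES).most_common():
        print(n, *key)
```

A repeated script-src violation pointing at a host you have never heard of, as in the constructed sample, is exactly the signal the course means by reporting: it is how a site owner learns about injected scripts that the policy already blocked.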


Next, explore the 2017 OWASP Top 10 web application risks, and learn how these risks are exploited and conversely how to prevent introducing them into your application.

Play by Play: OWASP Top 10 2017

by Troy Hunt

May 14, 2018 / 1h 12m


Play by Play is a series in which top technologists work through a problem in real time, unrehearsed, and unscripted. In this course, Play by Play: OWASP Top 10 2017, Troy Hunt and Andrew van der Stock discuss the methodology used to construct the 2017 version of the OWASP Top 10. You’ll learn how the analysis of the data collected resulted in a reordering of the risks from the 2013 version, the inclusion of new risks, and the demotion of some risks that were included in previous versions. By the end of this course, you’ll be familiar with each risk and understand how best to use the 2017 OWASP Top 10.

Table of contents
  1. Course Overview
  2. Introduction
  3. The OWASP Top 10 2017
  4. The Missing Risks and the Big Picture

Hack Yourself First: How to go on the Cyber-Offense

by Troy Hunt

Aug 30, 2013 / 9h 26m


The prevalence of online attacks against websites has accelerated quickly in recent years and the same risks continue to be readily exploited. However, these are very often easily identified directly within the browser; it's just a matter of understanding the vulnerable patterns to look for. This course comes at security from the view of the attacker in that their entry point is typically the browser. They have a website they want to probe for security risks – this is how they go about it. This approach is more reflective of the real online threat than reviewing source code is and it empowers developers to begin immediately assessing their applications even when they're running in a live environment without access to the source. After all, that's what online attackers are doing.

Table of contents
  1. Introduction
  2. Transport Layer Protection
  3. Cross Site Scripting (XSS)
  4. Cookies
  5. Internal Implementation Disclosure
  6. Parameter Tampering
  7. SQL Injection
  8. Cross Site Attacks
  9. Account Management

Secure Coding: Identifying and Mitigating XML External Entity (XXE) Vulnerabilities

by Peter Mosmans

Dec 18, 2018 / 1h 0m


The OWASP Top 10 2017 contains a new entry: XML External Entities (XXE). Because few people know what this vulnerability is, it can be difficult to protect against. In this course, Secure Coding: Identifying and Mitigating XML External Entity (XXE) Vulnerabilities, you will learn what this vulnerability is, how it ended up in the latest OWASP Top 10, how you can identify it in your code, and how to protect against it. First, you will discover the impact of a successful XML External Entity attack. Next, you will explore how to identify risky parts of your code base. Finally, you will learn how to mitigate these vulnerabilities. By the end of this course, you will be familiar with the risk that XML External Entities pose.

Table of contents
  1. Course Overview
  2. Understanding the Dangers of XML External Entities (XXE)
  3. Understanding XML External Entities (XXE) Injection and Expansion
  4. Identifying Vulnerable Parts Within Existing Code
  5. Mitigating XML External Entity (XXE) Vulnerabilities
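The mitigation the course builds towards is a parser with every entity mechanism switched off. The following Python example (added here; not from the course) does that with the standard library's expat binding: it refuses DOCTYPE declarations outright, refuses any entity declaration even when a DTD is allowed, refuses external entity references, and never loads external parameter entities. The sample documents are constructed for the example; the XXE one points at /etc/passwd only to show the shape of the attack, and is rejected before anything is read.

```python
from __future__ import annotations

import xml.parsers.expat as expat


class ForbiddenXml(ValueError):
    """Raised when untrusted XML uses a DTD, an entity declaration or an external reference."""


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> list[tuple[str, dict]]:
    """Parse XML from an untrusted source with entity processing disabled.

    Returns the elements as (name, attributes) pairs in document order. The
    handlers raise ForbiddenXml, which expat propagates out of Parse(), so a
    hostile document is rejected before any entity is expanded or fetched.
    """
    parser = expat.ParserCreate()
    # Never parse external parameter entities: an external DTD subset is never
    # fetched even when a DTD is permitted.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ForbiddenXml(f"DOCTYPE {doctype_name!r} not allowed in untrusted XML")

    def forbid_entity_decl(entity_name, is_parameter_entity, value, base,
                           system_id, public_id, notation_name):
        # Covers external entities (SYSTEM/PUBLIC) and internal-entity
        # expansion attacks such as "billion laughs" alike.
        raise ForbiddenXml(f"entity declaration {entity_name!r} not allowed")

    def forbid_external_ref(context, base, system_id, public_id):
        raise ForbiddenXml(f"external entity reference to {system_id!r} blocked")

    if not allow_dtd:
        parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref

    elements = []
    parser.StartElementHandler = lambda name, attrs: elements.append((name, attrs))
    parser.Parse(data, True)
    return elements


def is_safe_xml(data: bytes, allow_dtd: bool = False) -> bool:
    """True when the document parses under the restrictions above."""
    try:
        parse_untrusted_xml(data, allow_dtd)
        return True
    except (ForbiddenXml, expat.ExpatError):
        return False


# Constructed samples.
BENIGN = b'<?xml version="1.0"?><order id="42"><item sku="A1"/></order>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<order><item>&xxe;</item></order>')
LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
          b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
          b'<lolz>&lol2;</lolz>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for name, doc in (("xxe", XXE), ("billion laughs", LAUGHS)):
        try:
            parse_untrusted_xml(doc)
        except ForbiddenXml as exc:
            print(name, "rejected:", exc)
```

When you audit a code base, the question to ask of every XML entry point is whether the equivalent of these three handlers is in place for the parser it uses; a parser that merely "does not resolve" external entities by default may still expand internal ones.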

Secure Coding: Preventing Insecure Deserialization

by Peter Mosmans

Mar 21, 2018 / 1h 3m


As a developer, it is important to be familiar with common vulnerabilities that are often encountered in web applications. Insecure deserialization is one of those vulnerabilities, ranking 8th in the OWASP Top 10 2017. In this course, Secure Coding: Preventing Insecure Deserialization, you will learn how to properly defend yourself against that particular vulnerability. First, you will learn about the basics of serialization and deserialization, and about the various serialization file formats. Next, you will discover what insecure deserialization actually is and how it can be exploited: in order to fix the problem, you need to know what can go wrong. Finally, you will explore how to properly prevent insecure deserialization in any development language or framework. By the end of this course, you will have the secure coding skills and knowledge needed to prevent insecure deserialization vulnerabilities from creeping into your application.

Table of contents
  1. Course Overview
  2. What Is Serialization and Deserialization?
  3. Deserialization: How It Can Be Exploited
  4. Insecure Patterns for Deserialization
  5. How to Securely Implement Deserialization
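The following Python example (added here; not from the course) shows the pattern the course describes in one place: why a native serialization format executes attacker-chosen code on load, the allow-list unpickler that confines it, and the data-only alternative with explicit validation. The gadget calls os.getcwd, a deliberately harmless stand-in; the same mechanism reaches any importable callable. The UserPrefs type and its field rules are constructed for the example.

```python
from __future__ import annotations

import io
import json
import os
import pickle


class UserPrefs:
    """The one application type this service legitimately round-trips."""

    def __init__(self, theme: str, page_size: int):
        self.theme = theme
        self.page_size = page_size


class Gadget:
    """What an attacker serializes instead of UserPrefs.

    pickle records the callable and arguments returned by __reduce__ and
    invokes them during load. os.getcwd is harmless; os.system is not.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def build_malicious_payload() -> bytes:
    return pickle.dumps(Gadget())


def unrestricted_load_runs_code() -> bool:
    """Demonstrates the flaw: loading the payload executes the gadget."""
    return isinstance(pickle.loads(build_malicious_payload()), str)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a pickle may reference; refuse everything else."""

    ALLOWED = {(UserPrefs.__module__, "UserPrefs")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes) -> tuple[bool, object]:
    """(True, object) for an allowed pickle, (False, reason) otherwise."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def pickle_prefs(prefs: UserPrefs) -> bytes:
    return pickle.dumps(prefs)


def prefs_from_json(text: str) -> UserPrefs:
    """Preferred design: a data-only format plus validation of every field."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or set(doc) != {"theme", "page_size"}:
        raise ValueError("unexpected fields")
    if doc["theme"] not in ("light", "dark"):
        raise ValueError("bad theme")
    # bool is a subclass of int, so check the exact type.
    if type(doc["page_size"]) is not int or not 1 <= doc["page_size"] <= 100:
        raise ValueError("bad page_size")
    return UserPrefs(doc["theme"], doc["page_size"])


if __name__ == "__main__":
    print("unrestricted load ran the gadget:", unrestricted_load_runs_code())
    print("restricted load:", load_or_reject(build_malicious_payload()))
```

The allow-list is a containment measure for code you cannot change yet; the JSON path is the fix. Even with the allow-list, a pickle can still reference allowed classes in unexpected shapes, so the loaded object must be validated as if it had come from JSON.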

Secure Coding: Using Components with Known Vulnerabilities

by Peter Mosmans

Feb 22, 2019 / 1h 14m


Do you know whether the components you are using are up to date, or whether they contain published vulnerabilities? This course teaches you how to reduce the risk of using third-party components. First, you will learn how to manage the abundance of open source software and component re-use. Next, you will discover how to achieve faster time to market with a plethora of languages, frameworks and package managers. Finally, you will learn about the patch management process. By the end of this course, you will know how to take a methodical approach to reducing the risk, from installation and versioning all the way to virtual patching and software composition analysis.

Table of contents
  1. Course Overview
  2. Using Components with Known Vulnerabilities
  3. Managing Unsupported or Out-of-date Commercial Software
  4. Managing Bespoke Software That Uses Third Party Libraries
  5. Patch Management Process

Secure Coding: Preventing Insufficient Logging and Monitoring

by Peter Mosmans

Jul 25, 2018 / 1h 24m


It is extremely important for the security of your company to know what is currently happening to your application. This can be achieved by proper application logging and monitoring. In this course, Secure Coding: Preventing Insufficient Logging & Monitoring, you will learn what to think about when setting up logging and monitoring for applications. First, you will learn what is meant by the risk of insufficient logging and monitoring. Next, you'll explore what your application should and shouldn't log. Finally, you'll discover how to ensure and improve the quality of log files. When you're finished with this course, you'll have the application logging and monitoring skills and knowledge needed to detect (future) security incidents in time.

Table of contents
  1. Course Overview
  2. Understanding Insufficient Logging and Monitoring
  3. Determining What Applications Should and Should Not Log
  4. Improving and Ensuring the Quality of Logfiles
  5. Applying an Effective Monitoring Strategy
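The following Python example (added here; not from the course) puts modules 3 to 5 together: a security event record that carries the fields an investigator needs and redacts the ones that must never be written, emitted as one JSON object per line so user input cannot forge a second record, and a detector that runs over those lines to flag a burst of failed logins from one address. The log lines, addresses and thresholds are constructed for the example.

```python
from __future__ import annotations

import datetime as dt
import json
from collections import defaultdict

# Never write these, even on failure: credentials, session material, card data.
SENSITIVE_KEYS = {"password", "new_password", "old_password", "token", "session",
                  "authorization", "cookie", "secret", "card_number"}


def redact(fields: dict) -> dict:
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
            for k, v in fields.items()}


def security_event(event: str, outcome: str, *, user: str | None, source_ip: str,
                   when: dt.datetime | None = None, **fields) -> str:
    """One JSON line: when, what, who, from where, and whether it succeeded."""
    ts = when or dt.datetime.now(dt.timezone.utc)
    record = {"ts": ts.isoformat(timespec="milliseconds"), "event": event,
              "outcome": outcome, "user": user, "src_ip": source_ip, **redact(fields)}
    # json.dumps escapes newlines and control characters, so a user-supplied
    # value cannot terminate the line and inject a fake record after it.
    return json.dumps(record, ensure_ascii=True, separators=(",", ":"))


def failed_login_bursts(lines, threshold: int = 5, window_seconds: int = 60) -> dict[str, int]:
    """Map source IP -> largest number of failed logins seen inside one window."""
    by_ip: dict[str, list[dt.datetime]] = defaultdict(list)
    for line in lines:
        record = json.loads(line)
        if record.get("event") == "login" and record.get("outcome") == "failure":
            by_ip[record["src_ip"]].append(dt.datetime.fromisoformat(record["ts"]))
    alerts: dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


# Constructed sample: six failures in 45 seconds from one address, one failure
# then a success from another.
BASE = dt.datetime(2024, 5, 1, 12, 0, tzinfo=dt.timezone.utc)
SAMPLE_LINES = [
    security_event("login", "failure", user=f"user{i}", source_ip="203.0.113.7",
                   when=BASE + dt.timedelta(seconds=9 * i), password="guess")
    for i in range(6)
] + [
    security_event("login", "failure", user="alice", source_ip="198.51.100.2",
                   when=BASE, password="hunter2"),
    security_event("login", "success", user="alice", source_ip="198.51.100.2",
                   when=BASE + dt.timedelta(seconds=20)),
]

if __name__ == "__main__":
    print(SAMPLE_LINES[0])
    print(failed_login_bursts(SAMPLE_LINES))
```

Note that the successful login after failures is logged too: a success that follows a burst is the event worth paging on, and you can only correlate it if both outcomes are recorded with the same fields.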


Finally, dig into more advanced web application security concepts.

Secure Account Management Fundamentals

by Troy Hunt

Jan 3, 2015 / 7h 1m


A fundamental component of many modern day applications is the ability to create and manage user accounts. So many of the services we use every day as consumers and build as developers depend on the ability for customers to register, login, and then perform tasks under their identity. However, every day we see a barrage of attacks against poorly implemented account management facilities. These range from brute force attacks against the login to the impersonation of authenticated users, to the cracking of breached passwords. Often, weaknesses in account management facilities are simply due to the developers not having thought through the potential risks from a hacker's mindset. This course demonstrates how attackers think and exploit these weaknesses. There are numerous high-profile precedents including the celebrity iCloud photo hack, GitHub account attacks and Dropbox credential disclosure. In some of these cases, oversights in secure account management practices left systems unnecessarily vulnerable whilst in others, good practices undoubtedly mitigated the scale of the damage caused. This course regularly refers to real world examples – both good and bad – as a means of illustrating risks and the effectiveness of security controls.

Table of contents
  1. Introduction
  2. Fundamental Security Concepts
  3. Password Storage
  4. Registration
  5. Logon
  6. Remember Me
  7. Account Details Change
  8. Password Reset
  9. Logoff
  10. Additional Considerations
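The following Python example (added here; not from the course) covers the password storage, logon and password reset modules in code: salted PBKDF2-HMAC-SHA256 records that carry their own work factor so they can be upgraded, a constant-time verify, a logon that does the same work for unknown usernames as for wrong passwords so timing does not reveal which accounts exist, and reset tokens of which only a hash is stored. The iteration count is an assumption in line with current OWASP password storage guidance; the users and passwords are constructed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# Assumed work factor; raise it over time and let needs_rehash migrate records.
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Self-describing record: algorithm$iterations$salt$derived key."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    try:
        alg, iters, salt, dk = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt), int(iters))
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(candidate, base64.b64decode(dk))


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker work factor than today's."""
    return int(stored.split("$")[1]) < ITERATIONS


# Hashed once at import so an unknown username costs as much as a wrong password.
_DUMMY = hash_password(secrets.token_hex(16))


def authenticate(username: str, password: str, users: dict[str, str]) -> bool:
    """Same work and the same answer for 'no such user' and 'wrong password'."""
    stored = users.get(username, _DUMMY)
    ok = verify_password(password, stored)
    return ok and username in users


def new_reset_token() -> tuple[str, str]:
    """Return (token to send to the user, hash to store).

    Storing only the hash means a database read does not yield usable tokens;
    the token itself must still be short-lived and single-use.
    """
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def reset_token_matches(presented: str, stored_hash: str) -> bool:
    digest = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])
    print(authenticate("alice", "correct horse battery staple", users),
          authenticate("alice", "wrong", users), authenticate("mallory", "x", users))
```

Two things the record format buys you: a different salt per user, so identical passwords in a breached table do not share a hash, and the ability to raise ITERATIONS without a mass reset, because needs_rehash lets you upgrade each user's record at their next successful logon.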

Cryptography Fundamentals for Developers and Security Professionals

by Michael Perry

May 16, 2014 / 4h 15m


The Java and .NET frameworks contain all the algorithms you need to keep your users' data secret from prying eyes. Web servers like Apache, Tomcat, and IIS, combined with tools like OpenSSL, keep your users secure online. But to use these tools correctly, and to avoid mistakes of the past, you must understand how cryptography works. Learn the math behind encryption and digital signatures. Study examples of how it has been misused, and explore the possibilities that cryptography enables in digital currency and collaboration.

Table of contents
  1. History of Cryptography
  2. Algorithms
  3. APIs
  4. Transport Layer Security
  5. Authentication and Authorization
  6. Case Studies
  7. Decentralized Systems