Web Security Fundamentals

Learn how to secure your applications and end-users from online cyber threats. 

Course Details

Today’s internet is a very rough place, with robots, spies, states, hackers, and other evil entities constantly roaming around the web looking for vulnerable web applications to attack. Because of this, it is very important that every developer has the necessary skills to protect their applications.

What Will Developers Learn?

In this hands-on course, you will learn the fundamentals of how the web works, how to protect your applications, and how attacks are performed. It goes beyond the OWASP Top 10 and gives you many concrete examples of how to fail and how to protect your applications.

This course is constantly improved as new security vulnerabilities and best practices emerge.

Who is this Course For?

This course is designed for developers on all platforms, including .NET, Java, and PHP.

What are the Prerequisites?

You should have basic web development experience, including HTML, CSS, and JavaScript.

How Long is the Course?

The Web Security Fundamentals course is usually delivered over 2 full days, but it can also be delivered as 4 half days.

Web Security Fundamentals Agenda

In this course, we will cover:

Introduction

  • Why do we need web security?
  • Protecting your users and their data
  • Social Engineering
  • Goals and focus

Character Encoding

  • The problem with characters
  • Character sets
  • Unicode
  • Encodings (UTF-8 and UTF-16)

HTTPS

  • The problem with HTTP
  • HTTPS (Protocols and Ciphers)
  • HTTP -> HTTPS Problem
  • HTTP Strict Transport Security Header

Certificates

  • Certificate Authority
  • Certificate lifetime
  • Certificate pinning
  • Mutual TLS (mTLS)
  • Certificate renewal

Cross-Site Scripting (XSS)

  • Reflected XSS
  • Self XSS
  • Stored XSS
  • Data Sanitization
  • Mutation XSS

Content Security Policy (CSP)

  • Policies and directives
  • Creating policies
  • CSP Reporting
  • CSP in production
  • Strict CSP

Cross-Site Request Forgery (CSRF)

  • Understanding Cookies
  • The CSRF Attack
  • How to secure against CSRF

Securing Our Cookies

  • HttpOnly & Secure
  • Prefixed cookie names
  • CHIPS and partitioned cookies

SameSite Cookies

  • Why do we need it?
  • How to set
  • Strict, Lax, None

Securing our Dependencies

  • Typosquatting
  • Source control attacks
  • Build server
  • Subresource Integrity

Injection attacks

  • SQL Injection
  • Blind SQL injection
  • Code injection
  • XML injection attacks
  • File inclusion attacks

Securing the Session

  • Detecting stolen cookies
  • Fingerprinting
  • Cookie Confusion
  • Multi-Factor Authentication (MFA)
  • Mobile Authenticators

Denial-of-Service attacks

  • Attacking the application
  • Attacking XML
  • Attacking Regular Expressions

How do we make a secure web site?

  • Trust boundaries
  • Zero-trust
  • Hack yourself!
  • Honeypots

And much more…

Web Security Fundamentals

Article SKU:
T175

Duration:
2 days or 4 half days

Level:
Beginner

Language:
English, Swedish

Price:
Contact me for a price enquiry or to submit interest.

Web Security FAQ

Here are answers to frequently asked questions about this workshop.

Do I need to install any software on my computer?

No, there’s no need to install any software. Each participant in this workshop will receive access to a Windows-based virtual machine, where all hands-on exercises will take place. You’ll only need to connect to this virtual machine via remote desktop, making it easy to participate without concerns about local restrictions on your computer or network. This setup allows us to create a consistent, ready-to-use environment for all participants.

Why do we use a remote machine instead of running the labs locally?

All exercises are performed in a dedicated Windows-based virtual machine to ensure a consistent and reliable training environment. When running labs locally, corporate firewalls, endpoint protection, proxies, or other security controls may block or interfere with the attack simulations used in the workshop. By using a controlled remote environment, we avoid these issues and ensure that all participants can complete the exercises without disruptions caused by local network restrictions or security policies.

How can I test if I can connect to the virtual machine?

If you’d like to verify your connection capabilities before the workshop, please contact us, and we’ll provide a test machine for you to try connecting to. Testing this in advance is recommended to ensure that your network allows outgoing remote desktop connections, so we don’t encounter any connectivity issues when the workshop starts.

What if I have a Mac or Linux computer?

If you’re using a Mac or Linux computer, you’ll need to be familiar with connecting to a Windows-based virtual machine via remote desktop before the workshop. Here are some recommended resources to help you set up a remote desktop connection:

Setting up ahead of time will ensure a smooth experience when connecting to the virtual machine during the workshop. Please note that we are unable to provide technical support for Mac or Linux setups.

What do I need to do before the workshop?

Feel free to send the instructor any specific questions you’d like covered in the class. Be sure to read the welcome letter you’ll receive before the workshop. A large monitor is recommended so that you can view the exercise document (provided as a PDF) alongside the remote machine while doing the exercises.

Is there any programming involved?

No, this workshop does not require programming. The focus is on understanding web application security concepts without tying them to a specific platform, implementation, or language.

What is included?

When taking the Web Security Fundamentals workshop, you’ll receive:

  • Comprehensive Course Material:
    Created by the instructor, the material is regularly updated to reflect the latest practices and standards.
  • Hands-On Exercises:
    Engage in practical exercises on a dedicated server, learning by doing.
  • Ongoing Support:
    During and after the workshop, access a private chat for additional resources, questions, and updates.
  • Workshop Materials:
    Receive a PDF of the presentation and exercises; onsite participants receive printed copies of the exercises.
  • Live and Interactive Sessions:
    Ask questions in real time via chat or audio and get immediate clarification. Includes live demonstrations by the instructor.

Web Security Fundamentals Training FAQs

Do you provide both on-site and remote training classes?

Yes, we provide both types of training.

Do you provide training in both Swedish and English?

Yes, both options are available. All our course materials are in English and we can teach the class in either Swedish or English.

Do you do half-day training?

When we run on-site, we usually do full-day classes. For remote training, we can provide options for both half and full days.

Do you do webinars and shorter talks?

Yes, please visit our Talks page for more details.

Do you provide customized courses?

Yes, we do. Contact me for more information.
