4.65 out of 5
29 reviews on Udemy

Website Security Foundations

Sleep well (and keep your users happy) by protecting your site from all typical attacks on web sites and web apps
Instructor: Mateusz Skrzypczak
240 students enrolled
English
  • Website security basics: concepts and types of attacks

  • How to protect files on the server

  • Securing front-end and back-end code

  • Validating incoming data

  • Dealing with passwords

  • Mitigating SQL Injection

  • Mitigating Cross-Site Scripting

  • Mitigating Cross-Site Request Forgery

  • Mitigating Brute Force

  • Mitigating Path Traversal

  • Dealing with file uploads

  • Securing WordPress-powered sites

Recently, not a single day goes by without reports of a data leak, a new software vulnerability or a new phishing campaign.

It’s enormously worrying, given that an increasingly large part of our lives is now lived digitally and online. We use computers and smartphones every day, we rely totally on online services, and in effect we store much of our private information in digital form, often not even on our own devices. That’s why security has already become a huge and very important branch of the IT industry. And it will only become more important.

There are hundreds, if not thousands, of types of online attacks that aim to:

  • steal money or data

  • support spam

  • blackmail or damage the reputation of people or organizations

  • or simply to annoy people.

Even a seemingly simple site can become an attack target. That’s why I believe that every web developer must know at least the basics of web security and, of course, use all the security measures they know in their everyday work.

So this course is for all web developers: beginners, intermediates and self-taught amateurs who want to build much more secure websites and become better web developers. I assume you have at least basic knowledge of HTML, CSS, JavaScript and PHP, and already have some experience in web development.

For the back-end code examples I will use PHP just because it’s a starting point for many web developers, but I will explain how its native functions work, and you will be able to easily translate most of the code snippets to other languages.

Many of you will probably work on more advanced projects than static or WordPress-based websites: interactive sites, web or intranet applications, ecommerce platforms etc. The more complex and popular the software you work on, the more potential vulnerabilities and attack vectors there are, and the more reputational risk is at stake.

That’s why there will be quite a lot of information in this course: some that may seem very basic, and some that may seem complicated and pretty advanced. But I still consider all of it absolutely necessary.

So, what’s in this course?

  • Analysis and mitigation methods for common attacks: SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, Clickjacking, Brute Force, Path Traversal, Local File Inclusion, Remote File Inclusion

  • Protecting files and folders on the server

  • Server configuration and HTTP headers that improve security

  • Writing secure front-end and back-end code

  • Dealing with users’ passwords and sessions

  • Encryption and hashing

  • Validation and sanitization of incoming data

  • WordPress security

We will really talk about fundamental stuff. And I hope this course will encourage you to discover more about IT security, just as preparing it encouraged me to dig deeper into certain areas.

4.7 out of 5
29 Ratings

Detailed Rating

5 stars: 18
4 stars: 10
3 stars: 2
2 stars: 0
1 star: 0

Includes

9 hours on-demand video
Certificate of Completion