
Web Security for Developers

The web is a great software delivery platform, making your software available to users around the world with zero installation and easily deployed updates. Unfortunately, it also exposes you to an army of adversaries - some human, some bot - who have darker goals: to cause loss to your data or reputation, subvert your resources for their own gain or attack your user base. 

Building a secure website is a major challenge today. Developers do not always know the security aspects of development, and it is hard to keep up with the rapid pace of change. More security holes also arise as more and more functionality is added to browsers.

The business risks and costs once an intrusion occurs are very large, and we developers have the responsibility to plan ahead and prevent this. Therefore, it is important that we have a good foundation to stand on when it comes to security and risks.

Life on the Internet is not so harmonious. Unfortunately, you are exposed around the clock to an army of enemies, some people, some robots, with darker goals: to cause loss of information or reputation, to use your resources for personal gain, or to attack your user base.

What you will learn


  • The reality

  • What might an attacker want?

  • Social Engineering



  • What's wrong with HTTP?

  • Man-in-the-middle attacks

  • HTTP Strict Transport Security header



  • Certificate failures

  • Certificate pinning

  • Lifetime

  • Let's Encrypt



  • Character encoding

  • Unicode

  • Encoding (UTF-8, UTF-16...)


Cross Site Scripting

  • Stored XSS

  • Reflected XSS

  • DOM Based XSS

  • XSS Preventions


Content Security Policy

  • Headers and directives

  • CSP Reporting

  • CSP Nonce

  • CSP Validation


Cross site request forgery (CSRF)

  • CSRF Attack

  • CSRF Prevention


Securing your cookies

  • Cookie security

  • Same-site cookies


  • Origins

  • Same-Origin Policy

  • Cross-Origin Resource Sharing



  • SQL Injections

  • Blind injection attacks

  • File path injections


Authentication & Authorization

  • Securing the login form

  • Securing the session

  • Multi-factor authentication


Denial-of-Service (DoS) attacks

  • Network attacks

  • Application level attacks

  • XML DoS attacks

  • Decompression bombs


Password management

  • Secure password storage

  • Hashing

  • Salt and pepper

  • Password spraying


Information leakage

  • Error action

  • Source control leaks

  • Response header leakage

  • Search engine leakage


Securing our dependencies

  • Supply-chain attacks

  • Subresource Integrity


Hack yourself

  • Hack your own systems

  • Tools

  • Approach

Target audience

This course is aimed at web developers.


You should have basic web development experience.

20 900 SEK excl. VAT

  • 29 - 30 May 2023

- The course is given remotely or in a classroom
- Contact us for upcoming courses
- If you are a team, the content can be adapted to your needs

Duration: 2 days, or 4 half days             

Level: Beginning

Language: English/Swedish                  

Course code: T175

Web security - expression of interest


Eye opening! There is a lot that needs to be protected! Tore is an educational course leader and I learned a lot.


I think the line "for developers" is kind of misleading; Not in the way that it's not good for developers, but more that it's most probably a great course for many more roles, product managers, verifiers, project managers and so on.


Web security for developers provides many new valuable insights and should be a minimum for everyone in web development.


Incredibly good course and incredibly good teacher. Maybe a little too much (how can it now be something negative ... but sometimes it got a little full in the head and you started to mix things you learned). 3 days would not hurt. Sometimes a little stressful and not really time for discussions. But, would I like to opt out of any part? Answer No!

