NEW! Curricular Projects • Test Your Skills and Get Expert Feedback
We independently test and review every course that we recommend.
Please support us by joining our mailing list, and recommending this guide to others.
Updated: January 5, 2024
Pluralsight
By Gavin Johnson-Lynn, Peter Mosmans, others
Great option for learning security best practices for enterprise-grade applications.
The path begins with several courses covering the OWASP Top 10 security risks and how to mitigate them in web applications. The second section covers goes deeper into how vulnerabilities are exploited, and how to prevent them.
Most of the courses in the path were published on or after 2022, so they are some of the most up-to-date video courses available.
As with other Pluralsight material, you get consistently high quality video training from industry practitioners. The courses are full of real-world insights and best practices.
If you're a fullstack JavaScript developer, you should consider taking the JWT Fundamentals course as well.
After taking the path, you may wish to go deeper into how to test applications for vulnerabilities, with the 14-hour Web App Pen Testing learning path.
App Academy Open
By Various Authors
Tremendous free resource for learning the foundations of web application security.
This course consists of readings, quizzes, exercises, and a guided project where you build an Express backend with authentication.
Each section contains quizzes to ensure you’ve grasped the material, along with hands-on practice executing an attack on vulnerable code, along with step by step instructions to mitigate the attack. This frequent practice is incredibly valuable for making your knowledge more tangible.
The topic coverage is just thorough enough to get you started working with these technologies. Often in the curriculum, the authors provide links to supplemental materials -- these are important for gaining a deep understanding of web application security. After taking this course, you'll have a solid understanding of some of the common application risks, how to mitigate them, and best practices for authenticating users in a full stack JavaScript application.
Our initial research involved spending hours reading hundreds of reviews of various course options, and perusing forums for recommendations and user preferences. From this research, we narrowed down to a list of 12 highly-rated candidate courses.
We graded the candidate courses against the following criteria:
From this thorough research and testing, we're confident this is the single best guide to Securing Web Apps courses available.
App Academy Open
By Various Authors
Tremendous free resource for learning the foundations of web application security.
This course consists of readings, quizzes, exercises, and a guided project where you build an Express backend with authentication.
Each section contains quizzes to ensure you’ve grasped the material, along with hands-on practice executing an attack on vulnerable code, along with step by step instructions to mitigate the attack. This frequent practice is incredibly valuable for making your knowledge more tangible.
The topic coverage is just thorough enough to get you started working with these technologies. Often in the curriculum, the authors provide links to supplemental materials -- these are important for gaining a deep understanding of web application security. After taking this course, you'll have a solid understanding of some of the common application risks, how to mitigate them, and best practices for authenticating users in a full stack JavaScript application.
Codecademy
By Various Authors
Solid coverage of the core web security concepts that fullstack web developers need to be aware of, with hands-on practice implementing security in Node, Express, and Postgres.
The course covers how to defend Node and Express applications against malicious attacks and improve user experiences using sessions, cookies, and password authentication.
The guided projects ask you to implement security measures in real-world scenarios, including password authentication for a dogwalking photo sharing app, and securing a Postgres database for a school.
In the final section, there's a fairly meaty solo project where you're tasked with securing a Node application for a bank against SQL Injection, XSS, and CSRF Attacks.
Frontend Masters
By Mike North
Solid video-based introduction to securing web applications, with some hands-on examples.
In this course, Mike North covers seven common client-side and server-side vulnerabilities and security attacks that every developer should know, and how to mitigate them.
Throughout the course, North gives students a chance to look through a demo application and practice diagnosing and mitigating security vulnerabilities. This grounds the topics in real-world situations as well as gives students a chance to practice skills rather than just watching explanations and demos.
Educative
By Alex Nadalin, Saurav Aggarwal, Liran Tal
Solid overview of the core essentials of web security for developers.
This path mainly covers policies and procedures that are important to know about as a fullstack software developer.
The course frequently links out to supplemental resources like the OWASP Cheat Sheet and OWASP Developers Guide, which will help you go beyond the theoretical and into the practical. Be sure to follow these links to learn more about these topics.
To become a well-rounded full-stack developer, it's important to integrate security considerations into your development process from the beginning, before it's too late. This includes secure coding practices, data encryption, access controls, and regular security testing.
To ensure the security of web applications as a full-stack web developer, focus on learning the following key topics:
By focusing on these topics, you'll be well-equipped to build web applications with strong security measures in place, protecting sensitive data and ensuring a safe user experience.
Before diving into web application security, it's helpful to have a solid foundation in web development and a good understanding of how web applications work. Here are some prerequisite knowledge and skills:
Web Development and Architecture: You should be comfortable with web development concepts, including HTML, CSS, and JavaScript. Understanding how web pages are structured, styled, and interacted with is essential. You should also understand the architecture of web applications, including the separation of concerns (front end vs. back end) and the role of APIs in modern web development.
HTTP Protocol: Familiarize yourself with the HTTP protocol and its request-response nature. Understand concepts like URLs, headers, and status codes.
Front-End Frameworks: It's helpful to have knowledge of a popular front-end framework like React, Angular, or Vue.js.
Back-End Development: You should have experience with a server-side programming language like Python, Node.js, or PHP.
Help us out by joining our email list to get notified when we release new guides, and recommending this guide to others.
Thanks for reading!