NEW! Curricular Projects • Test Your Skills and Get Expert Feedback
We independently test and review every course that we recommend.
Please support us by leaving us feedback, and recommending this guide to others.
Updated: August 25, 2023
Pluralsight
By Gavin Johnson-Lynn, Peter Mosmans, others
Great option for learning security best practices for enterprise-grade applications.
The path begins with several courses covering the OWASP Top 10 security risks and how to mitigate them in web applications. The second section covers goes deeper into how vulnerabilities are exploited, and how to prevent them.
Most of the courses in the path were published on or after 2022, so they are some of the most up-to-date video courses available.
As with other Pluralsight material, you get consistently high quality video training from industry practitioners. The courses are full of real-world insights and best practices.
If you're a fullstack JavaScript developer, you should consider taking the JWT Fundamentals course as well.
After taking the path, you may wish to go deeper into how to test applications for vulnerabilities, with the 14-hour Web App Pen Testing learning path.
Pluralsight advertises labs as part of the learning path, but they are located in a separate part of the site. You may wish to practice the skills from this path with Test a Web Application Using Python.
App Academy Open
By Various Authors
Tremendous free resource for learning the foundations of web application security.
This course consists of readings, quizzes, exercises, and a guided project where you build an Express backend with authentication.
Each section contains quizzes to ensure you’ve grasped the material, along with hands-on practice executing an attack on vulnerable code, along with step by step instructions to mitigate the attack. This frequent practice is incredibly valuable for making your knowledge more tangible.
The topic coverage is just thorough enough to get you started working with these technologies. Often in the curriculum, the authors provide links to supplemental materials -- these are important for gaining a deep understanding of web application security. After taking this course, you'll have a solid understanding of some of the common application risks, how to mitigate them, and best practices for authenticating users in a full stack JavaScript application.
It's important to be aware that App Academy Open's curriculum was written with the assumption that students would take the entire program sequentially. So if you jump into this section of the course, you'll notice the course references other sections and assumes a lot of prerequisite knowledge.
SQL Injection is covered elsewhere in the App Academy Open curriculum, so if you decide to take Web Application Security on App Academy Open, you'll definitely want to review that section.
The course doesn't really dive into using HTTPS, session management, and how to test for security vulnerabilities. You'll want to learn about these and other advanced security topics like handling file uploads and security compliance as well.
Codecademy
By Various Authors
Solid coverage of the core web security concepts that fullstack web developers need to be aware of, with hands-on practice implementing security in Node, Express, and Postgres.
The course covers how to defend Node and Express applications against malicious attacks and improve user experiences using sessions, cookies, and password authentication.
The guided projects ask you to implement security measures in real-world scenarios, including password authentication for a dogwalking photo sharing app, and securing a Postgres database for a school.
In the final section, there's a fairly meaty solo project where you're tasked with securing a Node application for a bank against SQL Injection, XSS, and CSRF Attacks.
The course includes an article on JWT Authentication, but doesn't include demonstration or practice. We suggest practicing implementation on the bank application security project.
Frontend Masters
By Mike North
Solid video-based introduction to securing web applications, with some hands-on examples.
In this course, Mike North covers seven common client-side and server-side vulnerabilities and security attacks that every developer should know, and how to mitigate them.
Throughout the course, North gives students a chance to look through a demo application and practice diagnosing and mitigating security vulnerabilities. This grounds the topics in real-world situations as well as gives students a chance to practice skills rather than just watching explanations and demos.
One area the course doesn’t cover is best practices for storing secure data, like user data and passwords. For that, you’ll want to look into some courseware on basic encryption.
We're hoping Frontend Masters will update this course to cover JWTs, as they archived a course on JWTs as it doesn't meet their standards.
Educative
By Alex Nadalin, Saurav Aggarwal, Liran Tal
Solid overview of the core essentials of web security for developers.
This path mainly covers policies and procedures that are important to know about as a fullstack software developer.
The course frequently links out to supplemental resources like the OWASP Cheat Sheet and OWASP Developers Guide, which will help you go beyond the theoretical and into the practical. Be sure to follow these links to learn more about these topics.
The information is good, but it's pretty high level documentation. As a result, it's not necessarily better or better presented than information you can find for free. The packaging of all this information into a course with knowledge-check quizzes is the most helpful part.
To become a well-rounded full-stack developer, it's important to integrate security considerations into your development process from the beginning, before it's too late. This includes secure coding practices, data encryption, access controls, and regular security testing.
To ensure the security of web applications as a full-stack web developer, focus on learning the following key topics:
By focusing on these topics, you'll be well-equipped to build web applications with strong security measures in place, protecting sensitive data and ensuring a safe user experience.
Before diving into web application security, it's helpful to have a solid foundation in web development and a good understanding of how web applications work. Here are some prerequisite knowledge and skills:
Web Development and Architecture: You should be comfortable with web development concepts, including HTML, CSS, and JavaScript. Understanding how web pages are structured, styled, and interacted with is essential. You should also understand the architecture of web applications, including the separation of concerns (front end vs. back end) and the role of APIs in modern web development.
HTTP Protocol: Familiarize yourself with the HTTP protocol and its request-response nature. Understand concepts like URLs, headers, and status codes.
Front-End Frameworks: It's helpful to have knowledge of a popular front-end framework like React, Angular, or Vue.js.
Back-End Development: You should have experience with a server-side programming language like Python, Node.js, or PHP.
Help us out by leaving us feedback, joining our email list to get notified when we release new guides, and recommending this guide to others.
Thanks for reading!
