Writing Secure Code for the Web

3 days
UWSEC

Cybersecurity Foundations and Mindset for the Web

This chapter introduces the fundamental concepts and terminology of web security. It explains why web security is important, how web applications are commonly attacked, and which core principles are used to protect them. The goal is to establish a shared vocabulary and security mindset that will be used throughout the rest of the course.

  • Why Web Security Matters
  • Threats, Vulnerabilities, and Risk
  • Basic Security Principles
  • How the Web Works from a Security Perspective
  • Authentication and Authorization

Encryption, Hashing and Signing

How do you keep prying eyes away from your data? Encryption ensures that only the intended receiver can read it; hashing and signing cover the related problems of integrity and authenticity. So how does this work? We will look at symmetric keys versus asymmetric ones, at the most used encryption algorithms, what they offer, and how to use them correctly, and at why a hash with a per-user salt and a slow derivation function is the right way to store passwords.

  • What is Encryption?
  • Understanding Symmetric Keys
  • And what about Asymmetric Keys
  • Hybrid Encryption
  • Hashing
  • Properly Store Passwords with Hashing and Salts
  • What Are Digital Signatures?
  • Encryption Using DPAPI
  • Cryptographic Failures
  • Secrets in appsettings.json
  • LAB: Using DPAPI in Your Web Application
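
Password storage, as described in the "Properly Store Passwords with Hashing and Salts" topic above, worked through in code. This is an added example written for this page, not course material and not ASP.NET Core Identity's own implementation (which uses the same PBKDF2 construction). The scheme name, iteration count, salt and key sizes are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters are assumptions for this example (tune to your hardware):
# PBKDF2-HMAC-SHA256, 600 000 iterations, 16-byte random salt, 32-byte output.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash (salt and hash base64)."""
    if salt is None:
        # Fresh random salt per password: two users with the same password get different records,
        # and precomputed (rainbow) tables are useless.
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy; rehash it after the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
```

The record carries its own parameters, so the iteration count can be raised later without invalidating existing users: verify with the stored count, then store a new record when needs_rehash reports the old one is below policy.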

OWASP Top 10 as a Course Map

Before diving into architectures, we lock in the OWASP Top 10 as a navigation tool. Each later chapter will explicitly map problems and mitigations back to OWASP categories.

  • How to Read the OWASP Top 10
  • How Vulnerabilities Show Up Differently Per Architecture
  • Where Mitigations Live: Browser, Server, Identity Provider, Database
  • How We Will Reference OWASP Throughout the Course

Secure Communication with HTTPS

HTTPS encrypts communication between clients and servers, but how does it work, and how do you enable it for your application? In this chapter, we will look at the TLS handshake, how to get a certificate, and learn how to enforce HTTPS with HSTS.

  • TLS Handshake
  • Certificates
  • Certification Authorities
  • Getting a Certificate
  • HTTP Strict Transport Security Header

Understanding and Protecting Cookies

This section introduces how cookies work and why they are critical to modern web authentication and session management. It explores common risks associated with improperly configured cookies and explains best practices for protecting them against attacks such as session hijacking.

  • Understanding Cookies
  • Protecting Your Cookies
  • Authentication Failures
  • LAB: Enable Secure Defaults for Cookies
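
The cookie attributes this chapter refers to, as an added example that is not part of the course material: a builder that emits a session cookie with secure defaults, and an audit function that flags the common weaknesses in a Set-Cookie header. Cookie and attribute names are assumptions for the example.

```python
def build_session_cookie(name: str, value: str, max_age: int = 1800) -> str:
    """Set-Cookie value with secure defaults: __Host- prefix, Secure, HttpOnly, SameSite=Lax, Path=/."""
    return f"__Host-{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str) -> list:
    """Return a list of findings; an empty list means the cookie has the expected protections."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: set Lax or Strict explicitly instead of relying on browser defaults")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    if "domain" in attrs:
        findings.append("Domain set: cookie is shared with every subdomain")
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


if __name__ == "__main__":
    print(audit_set_cookie(build_session_cookie("sid", "abc123")))   # []
    print(audit_set_cookie("sid=abc123; Path=/"))                     # three findings
```

The __Host- prefix is worth the extra constraints: a browser will only accept such a cookie when it is Secure, host-locked (no Domain) and scoped to Path=/, so a subdomain or an HTTP page cannot plant a session cookie over yours.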

Authentication & Authorization for Server-Rendered Web Apps

This module explains how authentication and authorization are implemented in traditional server-rendered web applications. We focus on browser-based security patterns, showing how users are authenticated, how identity information is stored and propagated, and how access to application functionality is enforced on the server. Emphasis is placed on secure defaults, real-world deployment scenarios, and avoiding common access control pitfalls.

  • Ways of Authentication: Passwords, MFA, Passkeys, ...
  • Cookies as the Session Mechanism (and Why)
  • OpenID Connect Login Flow
  • Claims-Based Identity in ASP.NET Core
  • Authorization Policies vs Roles
  • Broken Access Control
  • LAB: Protecting Your Website

Forms and State: CSRF, Overposting, and Validation

Server-rendered forms introduce classic web risks: CSRF, mass assignment / overposting, and validation issues. You'll learn how these attacks work and how to prevent them.

  • How CSRF Works
  • Anti-Forgery Tokens and SameSite
  • Overposting / Mass Assignment Risks
  • Model Binding Pitfalls
  • Input Validation vs Output Encoding
  • LAB: Protecting Against CSRF and Overposting
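
Both risks from this chapter in one added example (written for this page, not the course's own code and not ASP.NET Core's anti-forgery implementation): an anti-forgery token bound to the session by an HMAC, and allowlist binding so that a posted is_admin field never reaches the model. The key, the field name __RequestVerificationToken and the profile fields are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: one server-side key, loaded from a key store in production (random here so the example runs).
ANTIFORGERY_KEY = secrets.token_bytes(32)
# Assumed model: only these fields may be edited by the profile form.
ALLOWED_PROFILE_FIELDS = {"display_name", "email"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_antiforgery_token(session_id: str) -> str:
    """Token = nonce . HMAC(key, nonce || session id). Rendered into the form as a hidden field."""
    nonce = secrets.token_bytes(16)
    mac = hmac.new(ANTIFORGERY_KEY, nonce + session_id.encode("utf-8"), hashlib.sha256).digest()
    return _b64url(nonce) + "." + _b64url(mac)


def validate_antiforgery_token(token: str, session_id: str) -> bool:
    """A cross-site POST carries the victim's session cookie automatically, but the attacker's page
    cannot read a token bound to that session, so the MAC will not match."""
    try:
        nonce_part, mac_part = token.split(".")
        nonce, mac = _b64url_decode(nonce_part), _b64url_decode(mac_part)
    except ValueError:
        return False
    expected = hmac.new(ANTIFORGERY_KEY, nonce + session_id.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def bind_profile_update(form: dict) -> dict:
    """Allowlist binding: fields outside the allowlist (e.g. is_admin) are dropped, not bound."""
    return {key: value for key, value in form.items() if key in ALLOWED_PROFILE_FIELDS}


def handle_profile_post(form: dict, session_id: str):
    """Returns ('rejected', reason) or ('ok', bound_fields)."""
    token = form.get("__RequestVerificationToken", "")
    if not validate_antiforgery_token(token, session_id):
        return ("rejected", "invalid anti-forgery token")
    return ("ok", bind_profile_update(form))


if __name__ == "__main__":
    token = issue_antiforgery_token("session-A")
    attack = {"__RequestVerificationToken": token, "display_name": "Alice", "is_admin": "true"}
    print(handle_profile_post(attack, "session-A"))   # ('ok', {'display_name': 'Alice'})
    print(handle_profile_post({"display_name": "Mallory"}, "session-A"))   # rejected, no token
```

The token is stateless: nothing is stored per request, and it is still worthless for another session because the session id is part of the MAC input. Binding to an explicit view model or a field allowlist is what stops overposting; a SameSite=Lax cookie reduces CSRF exposure further but does not replace the token for cross-site POSTs the application deliberately allows.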

Data Access in Server-Rendered Web Apps: SQL Injection and Safe Data Handling

When your application talks to a database, injection becomes a primary risk. We cover how injection happens in .NET, how to avoid it using parameterization, and what ORMs do and don't protect you from.

  • SQL Injection Mechanics
  • Parameterization
  • EF Core: When It Mitigates and When It Doesn't
  • Dynamic Queries and Dangerous Patterns
  • LAB: Injecting SQL in a Vulnerable Website

Protecting APIs with OAuth2 and JWT Access Tokens

OAuth2 is the standard for delegated authorization. We focus on protecting ASP.NET Core APIs using Entra ID, validating tokens, and implementing authorization using scopes/claims.

  • Why Cookies Don't Fit Every Client
  • OAuth2 Overview (Scopes, Audiences, Clients)
  • Access Tokens and Refresh Tokens
  • JWT Validation Basics
  • Scopes, Roles, and Claims in APIs
  • LAB: Protecting and Consuming Your API
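
The "JWT Validation Basics" from this chapter as an added example, not the course's code and not the Microsoft.Identity.Web validation an ASP.NET Core API would normally use. To run offline it signs with HS256 and a shared test key; Entra ID issues RS256 tokens, which you verify against the keys published at the issuer's JWKS endpoint, but the order of checks is the same. Issuer, audience and scope names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this offline example (placeholders, not real Entra ID values).
TEST_KEY = b"test-only-shared-secret-do-not-use-in-production"
ISSUER = "https://login.example.test/tenant-id/v2.0"
AUDIENCE = "api://orders-api"


class TokenError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_test_token(claims: dict, key: bytes = TEST_KEY, alg: str = "HS256") -> str:
    """Build a signed JWT for the example; alg='none' produces the classic forged token."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = header + "." + payload
    if alg == "none":
        return signing_input + "."
    return signing_input + "." + _b64url(hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest())


def validate_access_token(token: str, key: bytes, issuer: str, audience: str,
                          required_scope: str, now=None, leeway: int = 60) -> dict:
    """Validate signature, issuer, audience, time window and scope; return the claims or raise TokenError."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed token")
    # 1. Pin the algorithm yourself: never let the token's header choose it (alg=none, RS/HS confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    # 2. Verify the signature before trusting any claim.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("invalid signature")
    claims = json.loads(_b64url_decode(p_b64))
    # 3. Issuer and audience: a valid token minted for another API must be rejected here.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    # 4. Time window, with a little clock skew.
    if now > claims.get("exp", 0) + leeway:
        raise TokenError("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    # 5. Authorization: delegated scopes are space separated in 'scp'; app roles would be in 'roles'.
    if required_scope not in claims.get("scp", "").split():
        raise TokenError("insufficient scope")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = issue_test_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1",
                              "exp": now + 3600, "nbf": now - 10, "scp": "Orders.Read"})
    print(validate_access_token(token, TEST_KEY, ISSUER, AUDIENCE, "Orders.Read")["sub"])   # user-1
```

A passing signature only proves who issued the token; the audience check is what stops a token issued for another API from being replayed against yours, and the scope check is where authorization actually happens.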

CORS and Cross-Origin Threats

Once JavaScript is involved, the browser becomes an active security boundary. CORS exists to control cross-origin access, but misconfiguration is extremely common and can expose APIs unintentionally.

  • Same-Origin Policy Refresher
  • What CORS Really Does (and What It Doesn't)
  • Preflight Requests
  • LAB: Configuring CORS
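
The decision a CORS middleware makes, as an added example (not the course's lab and not ASP.NET Core's CORS middleware): the reflect-any-origin misconfiguration the chapter warns about beside a hardened allowlist version that also answers preflights. The allowed origin, methods and headers are assumptions; request header names are passed in lowercase.

```python
# Assumptions for this example: one trusted SPA origin and a small set of allowed methods and headers.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"authorization", "content-type"}
PREFLIGHT_MAX_AGE = 600


def cors_insecure(method: str, headers: dict) -> dict:
    """Common misconfiguration: reflect whatever Origin arrives and allow credentials with it.
    Browsers refuse '*' together with credentials, so developers reflect the origin instead, which
    lets any site make credentialed calls to the API from a victim's browser and read the response."""
    origin = headers.get("origin")
    if origin is None:
        return {"status": None, "headers": {}}
    return {"status": 204 if method == "OPTIONS" else None,
            "headers": {"Access-Control-Allow-Origin": origin,
                        "Access-Control-Allow-Credentials": "true",
                        "Access-Control-Allow-Methods": "*",
                        "Access-Control-Allow-Headers": "*"}}


def cors_hardened(method: str, headers: dict) -> dict:
    """Exact-match allowlist, preflight checks on method and headers, Vary: Origin for caches.
    status None means 'continue to the application'; 204 short-circuits a preflight."""
    origin = headers.get("origin")
    if origin is None:
        return {"status": None, "headers": {}}   # same-origin or non-browser client: no CORS headers needed
    if origin not in ALLOWED_ORIGINS:
        # No Access-Control-Allow-Origin at all: the browser blocks the response for that origin.
        return {"status": 204 if method == "OPTIONS" else None, "headers": {"Vary": "Origin"}}
    allow = {"Access-Control-Allow-Origin": origin,
             "Access-Control-Allow-Credentials": "true",
             "Vary": "Origin"}
    requested_method = headers.get("access-control-request-method")
    if method == "OPTIONS" and requested_method is not None:   # this is a preflight
        requested_headers = {h.strip().lower()
                             for h in headers.get("access-control-request-headers", "").split(",") if h.strip()}
        if requested_method not in ALLOWED_METHODS or not requested_headers <= ALLOWED_HEADERS:
            return {"status": 204, "headers": {"Vary": "Origin"}}
        allow.update({"Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
                      "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
                      "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE)})
        return {"status": 204, "headers": allow}
    return {"status": None, "headers": allow}


if __name__ == "__main__":
    print(cors_hardened("OPTIONS", {"origin": "https://app.example.com",
                                    "access-control-request-method": "POST",
                                    "access-control-request-headers": "Authorization, Content-Type"}))
    print(cors_hardened("GET", {"origin": "https://evil.example"}))   # no Allow-Origin header
```

Two caveats a practitioner should keep in mind: CORS only governs what a browser lets a page read, it is not authentication, so a request from a disallowed origin still reaches the server (a "simple" POST even without a preflight); and Vary: Origin matters because a cached response carrying one origin's Allow-Origin header must not be served to another.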

Script Injection: XSS and Content Security Policy

Script injection is one of the most damaging browser-based attacks. This module explains reflected/stored/DOM XSS, and focuses on practical mitigations: encoding, safer templates, and CSP.

  • XSS Types and Attack Paths
  • Output Encoding in Server-Rendered Views
  • Safe Handling of Untrusted HTML
  • Content Security Policy Fundamentals
  • LAB: Protecting Against Script Injection

Securing Single-Page-Applications

Single-Page Applications have a different security profile than traditional server-rendered applications. Since SPAs run entirely in the browser, they cannot safely store secrets and rely on API calls for all backend interaction. This makes secure authentication and token handling essential. Modern SPA security therefore uses OAuth 2.0 with PKCE for public clients, so that an authorization code intercepted on its way back to the application cannot be exchanged for tokens without the code verifier that only the application holds, and often applies the Backend-for-Frontend (BFF) pattern to move token handling and sensitive logic to a trusted server, building on the security concepts already seen in server-rendered and API architectures.

  • Use OAuth 2.0 with PKCE for Public Clients, Including SPAs and Mobile Applications
  • Use a Backend-for-Frontend (BFF) Pattern to Handle Tokens and Sensitive Logic Server-Side
  • Blazor: A Case-Study
  • LAB: Securing a Blazor WASM Project using the BFF Pattern
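
The PKCE exchange from the first bullet above, as an added example written for this page (not the course lab and not a real authorization server): the client derives a code challenge from a random verifier, the server stores the challenge with the issued code, and the code is only redeemable by whoever presents the matching verifier, exactly once. The client id and the in-memory server are assumptions.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) as in RFC 7636."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Client side: a fresh random code_verifier (43 unreserved characters here) and its S256 challenge.
    The verifier stays in the app; only the challenge goes into the authorization request."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge_s256(verifier)


class AuthorizationServer:
    """Minimal model of the PKCE checks an authorization server performs (assumed, not a real product)."""

    def __init__(self):
        self._pending = {}   # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: remember the challenge and hand back a one-time code."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' exposes the verifier to anyone who sees the request")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: the code is consumed on first use, and the verifier must hash to the stored challenge."""
        entry = self._pending.pop(code, None)   # single use: a replayed or failed code is gone
        if entry is None or entry[0] != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        if not hmac.compare_digest(code_challenge_s256(code_verifier), entry[1]):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    server = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    code = server.authorize("spa-client", challenge, "S256")
    print(server.token("spa-client", code, verifier) is not None)   # True: legitimate exchange
    print(server.token("spa-client", code, verifier))               # None: code already used
```

This is why an attacker who intercepts the redirect (a malicious browser extension, a log, a rogue app registered for the same custom scheme on mobile) gains nothing from the code alone: the server will only release tokens to the party that knows the verifier, and the verifier never left the application.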

AI and Cybersecurity: The Good, The Bad and the Ugly

Bots and AI systems can be extremely helpful by automating repetitive tasks, improving customer support, and assisting with analysis and decision-making. They increase efficiency, reduce human error, and make technology more accessible. At the same time, these technologies can be dangerous when misused. Automated bots can be abused for spam, fraud, or large-scale attacks, while advanced AI can convincingly mimic human behavior, making abuse harder to detect. Without proper safeguards, AI systems may also expose sensitive data or behave in unintended ways. Understanding both the benefits and the risks of bots and AI is essential to using them responsibly and securely.

  • Traditional Bots vs AI-Powered Bots
  • Automation Abuse and Detection
  • Human Verification Mechanisms
  • Prompt Injection
  • Excessive Agency
  • Insecure Output Handling
  • LAB: Prompt Injection Challenge

Cybersecurity: The Bigger Picture

Web security is more than fixing vulnerabilities in code. Real protection comes from combining secure infrastructure, proven security frameworks, and continuous processes that reduce risk over time. This chapter zooms out to show how all the moving parts fit together: from network and cloud foundations to policies, monitoring, and incident response.

  • Infrastructure Security: Networks, Cloud Configuration, Secrets, and Patching
  • Identity & Access Management (IAM): Least Privilege, MFA, Session and Token Strategy
  • Security Frameworks & Standards: OWASP ASVS, NIST, ISO 27001, CIS Benchmarks
  • Defense in Depth: Layered Controls
  • Logging, Monitoring & Detection
  • Incident Response & Recovery: Playbooks, Backups, Tabletop Exercises, Post-Mortems
  • Compliance & Privacy: GDPR, Data Classification, Retention, Encryption, and Access Controls

Cybersecurity is becoming an increasingly important topic for organizations. The quantity and importance of data entrusted to web applications is growing, and defenders need to learn how to secure them. Imagine your organization making the news, not because of some new world-changing product, but because of a data leak containing all your customers' data, including personal information and credit card details! As a modern web developer you cannot afford not to master these skills.

This course takes you through the different cybersecurity threats and defences and teaches you hands-on how to apply them to ASP.NET Core. Among others, you will learn how to authenticate with OpenID Connect and Entra ID, protect your API with OAuth2 and secure your company data with proper encryption techniques. Starting with simple server-rendered websites and progressing to APIs, modern JavaScript, and full-featured web applications, including AI-powered chatbot integration, this course provides in-depth, hands-on experience in securing web-based applications from the developer's perspective.

This course is meant for developers who have experience with ASP.NET Core and want to make the world a safer place through applied cybersecurity best practices.

Contact Us
  • Address:
    U2U nv/sa
    Z.1. Researchpark 110
    1731 Zellik (Brussels)
    BELGIUM
  • Phone: +32 2 466 00 16
  • Email: info@u2u.be
  • Monday - Friday: 9:00 - 17:00
    Saturday - Sunday: Closed
© 2026 U2U All rights reserved.