Web Security Essentials

A Pragmatic Web Security course

This 2-day course will show you how hackers target your applications, how you can protect them, and which best practices you should be applying today!


Whether you’re a veteran or new, everyone in the industry should attend this training. Either the hands on sessions will be an eye opener on the dangers of failing security and you'll learn how to avoid creating security holes, or it’ll bring you up to speed on latest HSTS policy or CSP headers and properly protect your application using the latest standards.

Thank you Philippe for our in-depth and valuable talks!

Maarten Segers — Consultant, AMPLEXOR

How are hackers coming after your applications?

Do you have any idea how many files you send to the user are modified in transit?

When a user logs in, do you know if they are impersonated by an attacker?

Do you know what an attacker can do with a single XSS vulnerability, regardless of whether it's stored or reflected?

These questions are the reason you need to be in the Web Security Essentials course. This course will give you a clear view on the modern-day web security landscape. You will learn which countermeasures are available, along with their advantages and disadvantages. In the end, you will have gathered a set of current security best practices you can immediately start applying.

All previous participants highly recommend the course to others. Here are a few notes of what they had to say.

This 2-day training already makes a world of difference.

One-on-one discussions during the lab sessions help solve specific questions.

Great training, very up-to-date with information about the latest security technologies.

Whether you’re a veteran or new, everyone in the industry should attend this training.


No courses are currently scheduled

Day 1

Registration and welcome coffee
The security model of the web
Lab session
The impact of HTTPS on an application
Coffee break
Lab session
The modern TLS certificate ecosystem
Lunch break
Secure password storage
Coffee break
Lab session
Authentication best practices
End of day 1

Day 2

Welcome coffee
Multi-factor authentication
Lab session
Coffee break
Implementing secure sessions
Lab session
Lunch break
Cross-Site Scripting (XSS)
Lab session
Coffee break
Content Security Policy (CSP)
Lab session
Overview of best practices
End of day 2

Overview of topics

Securing the communication channel

In the modern web, end users have gone mostly wireless, which is wonderful for usability, but quite worrisome for security. Compared to the wired days, both passive and active network attacks have become easy to execute, and difficult to detect. Today, simply deploying HTTPS is no longer sufficient. You need to move all of your content to HTTPS, and deploy additional security policies to establish a secure end-to-end communication channel. Topics covered include mixed content, HTTP Strict Transport Security (HSTS), certificate security, Certificate Authority Authorization (CAA), Certificate Transparency (CT) and public key pinning (PKP).
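As an added illustration of the two claims above (HTTPS alone is not enough, and the extra policies matter), here is a small defender-side check written for this page, not code from the course or its training application: it scans a constructed HTML document for plain-http:// subresources (mixed content) and inspects a constructed response's Strict-Transport-Security header. Tag classes, the one-year max-age floor and the sample hostnames are assumptions chosen for the example.

```python
from html.parser import HTMLParser
ONE_YEAR = 31536000  # seconds; the usual floor for an HSTS max-age (assumed threshold)

class MixedContentScanner(HTMLParser):
    """Collect plain-http:// subresources embedded in a page served over HTTPS."""
    ACTIVE = {"script", "iframe", "link"}   # can run code or restyle the page
    PASSIVE = {"img", "audio", "video"}     # can only be replaced by other media

    def __init__(self):
        super().__init__()
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or a.get("href") or ""
        if not url.lower().startswith("http://"):
            return                           # https:// and relative URLs are fine
        if tag in self.ACTIVE and (tag != "link" or a.get("rel") == "stylesheet"):
            self.active.append(url)
        elif tag in self.PASSIVE:
            self.passive.append(url)

def find_mixed_content(html):
    """Return (active, passive) lists of http:// URLs found in the document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.active, scanner.passive

def check_hsts(headers):
    """Return findings for the Strict-Transport-Security response header (empty = OK)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: browsers may still try plain HTTP"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = next((d[8:].strip('"') for d in directives if d.startswith("max-age=")), None)
    findings = []
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or malformed: the policy is ignored")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set: subdomains stay unprotected")
    return findings

# Constructed sample: an HTTPS page that still pulls a script and an image over http://
SAMPLE_HTML = ('<html><head><script src="http://cdn.example/app.js"></script>'
               '<link rel="stylesheet" href="https://cdn.example/site.css"></head>'
               '<body><img src="http://img.example/logo.png"></body></html>')
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
```

Running `find_mixed_content(SAMPLE_HTML)` reports the script as active and the image as passive mixed content, and `check_hsts(SAMPLE_HEADERS)` flags the short max-age and the missing includeSubDomains directive.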

Strong and modern authentication

Billions of users have lost an online identity in a data breach, making their account details and personal information publicly available. And while the effects of a data breach of one application can already be devastating, it becomes a true nightmare if an attacker starts re-using stolen credentials to impersonate the user elsewhere. By protecting the user management flows in your application, you can effectively protect your users' identities, even in case of a potential breach. Topics covered include common authentication vulnerabilities, recent changes in best practices, brute force and credential stuffing attacks, and best practices for multi-factor authentication.

Avoiding authorization pitfalls

Authorization bypass attacks are so common that they are covered by four items in the OWASP top 10. Additionally, various built-in session management mechanisms need additional tweaking to be secure. And because of the nature of the web, an attacker can launch such attacks from within the user's browser, thereby targeting internal systems on private networks, such as intranet applications. Avoiding authorization bypasses depends on making access control decisions with trusted data. In a web context, this means that everything coming from the client is considered untrusted. Topics covered include common authorization pitfalls, insecure direct object references, and challenges with sessions in modern frontend applications.

Modern defenses against Cross-Site Scripting

Cross-Site Scripting (XSS) vulnerabilities. Google has them. Facebook has them. Your application has them. XSS vulnerabilities are so severe that bug bounty programs have turned them into a million dollar business. The main reason that XSS is so dangerous is that it gives an attacker full control over a user's context, allowing them to access private data, make requests to the backend, and more. Tackling injection attacks is a challenging task, regardless of whether it's a new or an existing application. Fortunately, by adhering to a few best practices, you can vastly improve the security of your application. Topics covered include stored and reflected XSS, DOM-based XSS, XSS in Angular applications, and Content Security Policy (CSP).

Security for developers

Philippe De Ryck

PhD in web security
Google Developer Expert

Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering.

During his Ph.D., Philippe gained a deep understanding of the web, its vulnerabilities and its security technologies. In this course, he channels this knowledge into practical and actionable security advice for developers.

Lectures, demos and labs

In-depth lectures focus on understanding why vulnerabilities exist, and how defenses work. Hands-on lab sessions, based on a custom-built training application, explore attacks and defenses in a realistic setting.

Actionable advice

Each module provides actionable advice to improve the security of your applications. Throughout the course, we build up a set of best practices. In the concluding module, we give an overview of best practices, and their priorities.

State-of-the-art technologies

As the web security landscape is in constant evolution, so is the Web Security Essentials course. Each module covers current best practices, but also looks forward to upcoming security features, currently being implemented across browsers.


Previous participants gave the Web Security Essentials course a 100% recommendation rate. The testimonials below tell you why you should attend this course.

Web security and application security are gaining more and more attention. As a developer, you know what's going on, but since these domains are very broad, it is hard to see the full picture. We were not sure whether the Web Security Essentials course was a good fit for our company.

Once the course started, these doubts vanished. The course is well-structured, and accessible for both frontend and backend developers. It changes the way you look at the development of web applications. Following theory sessions with hands-on labs creates an interesting combination. On top of that, you get a head start with the right tools to assess your own application. The gained knowledge and skills are directly applicable, and immediately shared with colleagues. This training has changed the way we work and affected the security of our product.

This training deserves a high recommendation. The course offers varied, up-to-date and detailed content. Security may still be low on the radar, but this 2-day training already makes a world of difference.

Sam Verschueren — Lead Software Engineer, Pridiktiv NV


As a web architect, security is an important concern in the design and implementation of an application. However, I must admit, my knowledge on the subject was quite sparse as it was difficult for me to find a main reference on the subject.

For this reason I decided to join the Web Security Essentials training. The course allowed me to have a complete overview on the subject, understand the main security pitfalls, and use some of the most important tools to overcome them.

The awareness of the main security threats is key in my daily work with big companies and the course addresses it well via the presentations and the practical labs. I would recommend this training to all web developers and architects: the balance between the slide sessions and the practical labs made the course a joyful full-immersion in the security field.

Nicola Di Giorgio — Software Architect/CEO, PREGIOTEK sprl

Thanks for providing this course packed with very up-to-date information. I greatly appreciated the good balance between theory and hands-on labs which allowed me to gain a deeper understanding and new insights on web security measures to defend against current threats. I'm also really grateful for the excellent hand-outs, providing concise but complete information presented in a way that helped me a lot to better understand the more advanced web security mechanisms.

Stefan Eestermans — ICT Security Consultant, Optaris sprl

I was looking for information to get an idea of what kind of issues modern web applications face (or do not face), and how much an attacker needs to invest to launch various kinds of attacks. I do not believe such information can be obtained from high-level overview presentations. I was looking for a more hands-on approach, to get some experience with issues that managers often sweep under the rug as unimportant.

The course delivered on my expectations, not only by confirming that modern web applications face various threats, but also by clarifying that numerous threats depend on the level of freedom users have. Thanks to the Web Security Essentials course, I now have a better and more concrete understanding of what needs to happen to build a secure application.

Paul Valckenaers — Senior Researcher, UCCL

Practical information

What do I need to participate in the lab sessions?

You will receive a VirtualBox image containing all required software and tools at the start of the training. All you need to bring is a computer capable of running VirtualBox or VMware Fusion VMs.

What course materials do I get?

Pragmatic Web Security offers high-quality course materials. The detailed slides used throughout the lectures are provided both in print and in PDF format. Documentation for the lab sessions is provided within the training environment.

Do you offer course certificates?

Yes, at the end of the course, you receive a personalized and signed certificate of completion.

What is the price?

The price for participating in the full course is € 1 149 excluding VAT. An Early Bird discount is available for a limited period.

If you are a startup, you may be eligible for the Startup Discount Plan (see below).

What is the Startup Discount Plan?

To encourage startups to take security seriously, the Startup Discount Plan offers a 50% discount on the price of the full course. This discount is available to any company that meets all of the following requirements:

  • Is privately held
  • Has been in business for no more than 3 years
  • Is engaged in development of a software-based product or service
  • Is an established business with a website and/or existing public references on the Internet
    Please note that any recently registered affiliates of existing business entities and business entities that were incorporated as a result of any legal/business process (merger, acquisition, etc.) do not qualify for this discount.

If you want to benefit from the Startup Discount Plan, please provide documentation to show that you meet these criteria (e.g. Memorandum of Association). You can reach Pragmatic Web Security at registrations@pragmaticwebsecurity.com. After approval, you will receive a discount code which you can use to register for the course.

Where will the training take place?

The course takes place at the Faculty Club in Leuven, Belgium. The full address is Faculty Club, Groot Begijnhof 14, 3000 Leuven. The venue offers free parking, and is easily reachable by public transportation. For more information, check out the site of the venue.