Web Security for Builders
Security is not a feature you add at the end — it is the set of decisions you make while building. This course covers the attacks that actually affect web applications in production: SQL injection, XSS, broken authentication, insecure direct object references, and more. You will understand how each attack works, why it works, and exactly what code patterns prevent it. Written for builders, not security specialists.
What you'll learn
Course outline
Why Builders Need to Care About Security
The attacks that hit real products — and why "I'm too small to be targeted" is wrong
The OWASP Top 10 — The Vulnerabilities That Win
A guided tour of the 10 most exploited web application security risks
SQL Injection — How It Works and How to Stop It
The oldest web vulnerability is still the most exploited — here is why and what prevents it
Cross-Site Scripting (XSS) — Input Validation and Output Encoding
How attackers inject JavaScript into your pages — and the output encoding that stops it
Authentication Vulnerabilities
Brute force, credential stuffing, weak session tokens — and the patterns that prevent them
CSRF and API Security
Cross-Site Request Forgery, CORS misconfigurations, and securing your API endpoints
Secrets Management — Environment Variables Done Right
API keys, database credentials, and JWT secrets — the patterns that keep them out of your code
Security Checklist Before Launch
The 20 checks that cover 90% of common vulnerabilities before your first real user
8 lessons — from the attacker's mindset to the pre-launch security checklist.
About this course
Web security is not optional for anyone shipping software — it is a baseline competency that protects your users, your business, and your reputation. This web security course for developers covers the vulnerabilities that attackers actually exploit: SQL injection, cross-site scripting (XSS), broken authentication, insecure direct object references, CSRF, and the complete OWASP Top 10. You will learn to identify vulnerabilities in code, write defences correctly, and build security thinking into your development process from the start.
Security mistakes are expensive: data breaches, regulatory fines, and reputation damage cost far more than building security in from the beginning. After this course you will be able to audit your own code for common vulnerabilities, write SQL queries that prevent injection, sanitise and escape user input correctly, implement authentication with security best practices, and conduct a basic security review of a web application.
Frequently asked questions
What is SQL injection and how do I prevent it?
SQL injection is an attack where malicious SQL code is inserted into a query via user input. For example, a login form that puts user-supplied input directly into a SQL query can be bypassed by submitting `' OR 1=1 --`. Prevention: always use parameterised queries (prepared statements) rather than string concatenation to build SQL queries. Modern ORMs like Prisma and Drizzle parameterise queries by default. Never build SQL queries by concatenating user input.
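To make the bypass concrete, here is an added example (not code from the course) that runs both query styles against a constructed in-memory SQLite table. The stored password column is a stand-in for the hash a real application would keep; the point is purely how the query is built.

```python
import sqlite3

# Constructed demo database: one user, plaintext "password" only to keep the
# focus on query construction (a real app stores a password hash instead).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
conn.commit()


def vulnerable_login(username: str, password: str) -> bool:
    """Builds the query by string concatenation: user input becomes SQL."""
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With username = ' OR 1=1 -- the query becomes
    # SELECT 1 FROM users WHERE username = '' OR 1=1 --' AND password = '...'
    # and the -- comments out the password check entirely.
    return conn.execute(query).fetchone() is not None


def safe_login(username: str, password: str) -> bool:
    """Parameterised query: the driver binds values, it never parses them as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    payload = "' OR 1=1 --"
    print("concatenated :", vulnerable_login(payload, "anything"))  # True, bypassed
    print("parameterised:", safe_login(payload, "anything"))        # False
```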
What is XSS and how do I prevent it?
Cross-site scripting (XSS) is an attack where malicious JavaScript is injected into a web page and executed in other users' browsers. Stored XSS (malicious script saved in a database and served to all users) is the most dangerous variant. Prevention: escape all user-generated content before rendering it in HTML, use a framework that escapes by default (React escapes the values it renders unless you opt out), set a Content Security Policy header, and never use `dangerouslySetInnerHTML` with user content.
What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the most critical web application security risks, published by the Open Web Application Security Project. The most recent list covers: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery (SSRF). Securing against these ten categories covers the vast majority of real-world attack vectors.
How do I store passwords securely?
Never store passwords in plaintext. Always hash passwords using a purpose-built password hashing algorithm: bcrypt, Argon2, or scrypt. These algorithms are intentionally slow to compute, making brute-force attacks expensive. Never use general-purpose hash functions (MD5, SHA-1, SHA-256) for passwords — they are too fast and easily brute-forced with modern GPUs. Use a library rather than implementing hashing yourself.
What are the most important security headers to add?
Critical HTTP security headers: Content-Security-Policy (controls what resources can load), X-Content-Type-Options: nosniff (prevents MIME sniffing), X-Frame-Options: DENY (prevents clickjacking), Strict-Transport-Security (forces HTTPS), and Referrer-Policy (controls referrer information leakage). These can be set at the web server, CDN (Vercel, Cloudflare), or application level. Next.js supports configuring security headers in next.config.js.