WASEC: Web Application Security for the everyday software engineer
Everything a web developer should know about application security: concise, condensed and made to last.
About the Book
As software engineers, we often treat security as an afterthought: build it, then fix it later.
The truth is, knowing a few simple browser features can save you countless hours banging your head against a security vulnerability reported by a user. This book is a solid read that aims to save you days of learning about security fundamentals for Web applications, and to give you a concise, condensed picture of everything you should be aware of, from a security standpoint, when developing for the Web.
Don't understand prepared statements very well? Can't think of a good way to make sure that your users aren't affected if your CDN gets compromised? Still adding CSRF tokens to every form? Then this book will help you get a better understanding of how to build strong, secure Web applications made to last.
Security is often an afterthought because we don't understand how much a few simple measures improve an application's defenses, so let's learn it together.
Table of contents
- Understanding the browser
- Protection through HTTP headers
- HTTP cookies
- DDoS attacks
- Bug Bounty Programs
- Final words
- Docker security
- Kubernetes security
- Penetration tests
- Secret management
- Leveraging other services
Awesome work. Really enjoyed reading. Quality is excellent, I have to say. This should be turned into a 3-day course like the ones at BlackHat.
Senior Security Lead & Technical Security Manager
It's really thorough, especially for software engineers -- really a great work and a gem to read. There are security concepts that normally would be hard for software engineers to jump into or understand, but you made a lot of them simple and easier to understand.
- Who this book is for
- Errata and additional content
Understanding the browser
- What does a browser do?
- Vendor or standard bug?
- A browser for developers
- Into the HTTP protocol
- Mechanics: HTTP vs HTTPS vs H2
- HTTPS everywhere
- GET vs POST
- In HTTP headers we trust
Protection through HTTP headers
- Feature policy
- The reporting API
- Testing your security posture
- Stateful HTTP: managing sessions with cookies
- What’s behind a cookie?
- Session and persistent cookies
- Cookie flags that matter
- What would LeBron do?
- Blacklisting versus whitelisting
- Logging secrets
- Never trust the client
- Generating session IDs
- Querying your database while avoiding SQL injections
- Dependencies with known vulnerabilities
- Have I been pwned?
- Session invalidation in a stateless architecture
- My CDN was compromised!
- The slow death of EV certificates
- Paranoid mode: on
- Low-priority and delegated domains
- Hold the door
- Anatomy of a DDoS
- Why would anyone bomb me?
- Notable DDoS attacks
- Don’t panic: some services to the rescue!
- Hackers welcome
Bug Bounty Programs
- What’s in a program?
- Dealing with researchers
- “Malicious” reporters
- We’re about to wrap it up
This is the end
- Forget safe. Make it safer.
- In the works
- A few thank yous