Security is extremely important when developing for the Web.
And unfortunately, it's often overlooked when building frontend developer skillset.
This article gives a learning path and links to some great materials to build or refresh your Web security knowledge.
The Basics of Web Application Security by Martin Fowler
Great long-read giving an overview of risk areas in a Web application and guidance for how to mitigate them.
Perfect starting point or knowledge gap filler – you can dig deeper into each of the topics using the links provided and googling the threats mentioned.
OWASP Top Ten and Cheat Sheets
OWASP Top Ten threats are affecting all layers of Web apps, not only the frontend.
It's good to know and monitor the Top Ten, but the following cheat sheets are must-read and must-remember for a Frontend developer:
- HTML5 Security
- XSS Prevention
- DOM based XSS Prevention
- XSS Filter Evasion (reference for XSS mitigation testing)
- CSRF Prevention
- CSP
- Secure Headers Project
Kontra OWASP Top Ten Training
Interactive trainings for the common Web vulnerabilities based on real-world cases. The format is perfect for understanding how the attacks can be carried out against your app.
Note: There's a paywall appearing after passing a couple of trainings. You'll need to make a post on LinkedIn to get free access to the rest of the trainings.
Web Application Security Course – Mike North (FrontendMasters)💸
Practical guide using example NodeJS app to show common vulnerabilities and their fixes. You'll get most out of the practical part if you use NodeJS and render server-side. The tech stack of the example is a bit old, but the vulnerabilities shown are still relevant.
There's also his talk on Web Security available on YouTube, it touches the topics from the course, but without the practical part.
React Security Fundamentals
Project-based tutorial showing you how to build a secure Web application featuring Authorization and Role Based Access Control. Most useful if you're building a React app and NodeJS API and need some directions on how to organize it.
Conclusion
There's a lot of vulnerabilities and information on them on the Web and it's easy to get lost figuring out how to mitigate the risks in your application.
I hope this article makes it a bit easier to build the knowledge necessary to protect your users.
Suggestions for other materials are most welcome.