Learn A guided security curriculum — theory, secure-vs-insecure code, and a knowledge check per topic. Progress persists via Effect v4 SubscriptionRef + localStorage.
0% curriculum complete
0/16 1 Application Security Foundations beginner Start here. Learn the attacker mindset, the CIA triad, how to think about trust boundaries, and how the OWASP Top 10 organises the most common web risks. Foundations · 8 min 2 Injection & SQL Injection intermediate Injection happens when untrusted input is interpreted as code or query syntax. Learn how SQL injection works, why string concatenation is the root cause, and how parameterised queries make it impossible. Injection · 12 min 3 Input Validation & Canonicalisation intermediate Most injection and traversal bugs share a root cause: untrusted input is trusted too soon. Learn positive (allow-list) validation, canonicalisation, and why filename and path handling needs special care. Input Validation · 11 min 4 Authentication & Session Security intermediate Authentication proves who a user is. Learn how injection and weak credential handling break it, why passwords must be salted and hashed, and how to harden the login flow against takeover. Identification & Authentication · 11 min 5 Cryptographic Failures intermediate Sensitive data leaks when it is stored or transmitted without proper cryptography. Learn why you hash passwords (never encrypt them), how to pick algorithms, and where data-in-transit protection belongs. Cryptography · 12 min 6 Insecure Design intermediate Some flaws can't be patched because the design itself is unsafe. Learn the difference between a bug and a design flaw, how threat modelling surfaces risks early, and why business-logic abuse needs design-level defences. Design · 12 min 7 Cross-Site Scripting (XSS) intermediate XSS lets an attacker run JavaScript in another user's browser. Learn the three XSS types, why output encoding is the core defence, and how modern frameworks help — and where they still let you shoot yourself in the foot. Cross-Site Scripting · 12 min 8 Cross-Site Request Forgery (CSRF) intermediate CSRF tricks a logged-in user's browser into sending a state-changing request they never intended. Learn why cookies make it possible and how SameSite cookies plus anti-CSRF tokens shut it down. Session Security · 11 min 9 Broken Access Control & IDOR intermediate Broken access control is the #1 web risk. Learn how trusting client-supplied identifiers leads to IDOR, why every request must be authorised server-side, and how to enforce ownership checks. Broken Access Control · 10 min 10 Security Misconfiguration intermediate Most breaches don't need a clever exploit — just a default password, a verbose error, or an exposed admin panel. Learn the common misconfigurations and how secure-by-default settings close them. Configuration · 10 min 11 Secrets Management intermediate API keys, database passwords, and signing keys leak constantly through source code, logs, and git history. Learn where secrets belong, how to rotate them, and why 'it's in a private repo' is not protection. Configuration · 9 min 12 Vulnerable & Outdated Components intermediate Your app is only as secure as its weakest dependency. Learn how known-vulnerable packages get exploited and how SBOMs, pinning, and automated scanning keep your supply chain honest. Supply Chain · 10 min 13 Software & Data Integrity Failures advanced Integrity failures happen when code or data is trusted without verifying it wasn't tampered with — from unsigned auto-updates to insecure deserialization and poisoned CI/CD pipelines. Learn to verify before you trust. Supply Chain · 12 min 14 Security Logging & Monitoring intermediate If you can't see an attack, you can't stop it. Learn what security events to log, how to avoid logging secrets, and why alerting and an incident response plan turn logs into defence. Detection · 10 min 15 Server-Side Request Forgery (SSRF) advanced SSRF turns your server into a confused deputy, making requests to wherever an attacker chooses — including internal services and cloud metadata. Learn the attack and how allow-lists and network controls stop it. Server Security · 12 min 16 Defense in Depth & the Secure SDLC advanced No single control is perfect. Learn to layer defences, bake security into the development lifecycle, and use platform features — CSP, headers, dependency scanning, logging — so that one failure does not become a breach. Secure Design · 13 min