The business risks and costs once an intrusion occurs are very large, and we developers have the responsibility to plan ahead and prevent this. Therefore, it is important that we have a good foundation to stand on when it comes to safety and risks. 

Life on the Internet is not so harmonious. Unfortunately, you are exposed around the clock to an army of enemies, some people, some robots, with darker targets. Can be to either cause loss of information or reputation, use your resources for personal gain or attack your user base.

• The reality
• What might an attacker want?
• Social Engineering

HTTPS

• What's wrong with HTTP?
• Man-in-the-middle attacks
• HTTP Strict Transport Security header

Certificates

• Certificate failures
• Certificate pinning
• Lifetime
• Lets Encrypt

Encoding

• Character encoding
• Unicode
• Encoding (UTF-8, UTF-16...)

Cross Site Scripting

• Stored XSS
• Reflected XSS
• DOM Based XSS
• XSS Preventions

Content Security Policy

• Headers and directives
• CSP Reporting
• CSP Nonce
• CSP Validation

Cross site request forgery (CSRF)

• CSRF Attack
• CSRF Prevention

Securing your cookies

• Cookie security
• Same-site cookies

CORS

• Origins
• Same-Origin Policy
• Cross-Origin Resource Sharing

Injections

• SQL Injections
• Blind injection attacks
• File path injections

Authentication & Authorization

• Securing the login-form
• Securing the session
• Multi factor authentication

Denial-of-Service (DoS) attacks

• Network attacks
• Application level attacks
• XML DoS attacks
• Decompression bombs

Password management

• Secure password storage
• Hashing
• Salt and pepper
• Password spraying

Information leakage

• Error handling
• Source control leaks
• Response header leakage
• Search engine leakage

Securing our dependencies

• Supply-chain attacks
• Subresource Integrity

Hack yourself

• Hack your own systems
• Tools
• Approach