Topics
This is a master list of topics relevant to this class. We definitely won’t get to all of them, and we definitely won’t cover them in order; this is mostly for my own mental collection of what topics can and should be covered in a class like this. XR is my shorthand for “cross reference”: it means that a different element in the outline is also relevant to this topic.
The web platform
Browser-side
High-level goal is to teach enough to understand the web broadly, from an engineering and computer science perspective. This will touch on a lot of networking topics as they relate to the web.
- Components of a browser
- DOM/CSSOM/JS
- HTTP (the protocol) & cookies for stateful requests
- HTTPS the protocol
- Aside: DNS
- Symmetric & Asymmetric crypto
- TLS, certificate authorities, HSTS, HPKP
- Advanced topics
- Misc
- Plugins & Extensions
- Browser auto-updating, XR novices and experts
- Features exposed through JavaScript
- Local storage
- Long polling, SSE, WS, WebRTC
- Service Workers
- PWAs, Electron Apps?
- Laundry list of capabilities (WebAudio, WebUSB, WebBluetooth, accelerometer & gyroscope…), XR web feature security
- PostMessage & iframes, XR clickjacking, XR SOP
Server-side
High-level intention is that the first few assignments will progressively build up to a MEVN/MERN stack web app. What do students need to know to get to that level?
- Request routing and middleware
- Express middleware
- Front end servers / tls termination / load balancers
- CDNs
- Templating, XR XSS
- Session management
- Backing store: data models, ORM, options for deploying and connecting to a database
Deployment-side (software engineering stuff)
Organized loosely on the 12-factor model
- MVC
- Both server-side and client-side; MVVM (React/Angular/Vue)
- Deployment
- VMs vs containers vs bare metal isolation
- Serverless
- Infrastructure as Code: Terraform, Ansible, etc.
- Babel, WebPack, CDNs, XR CSP
- Where and how to keep secrets
APIs
- REST, gRPC, SOAP-XML
Webhooks
TL;DR: a webhook is an app that gets called by a third-party service rather than by a user’s web browser, so that its functionality can be included in that third-party service.
- Distributed Systems
- Chaos Monkey
- Storing configuration / secrets in etcd
- Kubernetes
- Logging/Telemetry
- Centralized logging
- Telemetry: how it differs from logging
- Canary rollouts
- Performance testing / tuning
- Basics of whole stack performance
- Serve static resources directly
- Run it all through a CDN, XR cert delegation
- Monkey testing / Gremlins
- Load testing
- https://k6.io/docs/
- Application profiling
- In-browser test like Google Lighthouse
- Optimization/Monetization
- XR Qualys test
- Analytics / AB testing
- SEO
- How ads work
- Back up: do you even need a webapp?
- Static site generators
- WordPress vs. webapp
- Other frameworks and what they’re good for
Security
Organized loosely around the OWASP top 10, with an emphasis on socio-technical aspects as well as research results.
- Fundamentals
- Threat modeling
- Adversarial mindset
- Principle of least privilege
- Isolation (SOP)
- OWASP top 10
- XSS
- DOM-based XSS, XR DOM
- CSRF: CSRF tokens, SameSite cookies
- SQLi: SQLi in NoSQL environments
- Security Misconfiguration
- TLS misconfiguration, Qualys test
- Lock down information: least privilege
- No version strings
- No .maps on prod
- No stack dumps
- Low-tech broken access control
- “google whacking,” oldie but goodie toolkit
- Attack hardening
- What is DoS/DDoS
- Resource exhaustion fundamentals
- SYN flood
- Full HTTP
- SlowLoris
- ReDoS
- Fail2ban
- CAPTCHAs, reCAPTCHA, reCAPTCHA v3, XR privacy
- Privacy
- Fingerprinting & Tracking
- Panopticlick
- Cookieless Monster
- Safari ITP, 3rd party cookie blocking
- Security
- CSP
- Least privilege WRT browser capabilities
- Cost-benefit feature analysis
- Clickjacking / framebusting
- OAUTH / SSO / API security
- JWT and why / why not
- SSOff
- Security at scale
- Google Safe Browsing: how it scales, how it maintains (or doesn’t?) query privacy
- Private telemetry, RAPPOR
- Certificate Transparency (and HPKP)
- Centralized App stores
- Usable security
- Perceptual attacks: clickjacking, phishing, typosquatting…
- Passwords: requirements, strength, adherence
- Two factor authentication
- SMS/TOTP/U2F/WebAuthn: how TOTP works, vulnerabilities of SMS 2FA, how U2F works
- APF green lock adherence
- Developer usability
- Certificate verification
- Cipher suite selection (XR JWT)
- Misc?
- Blackhat SEO