Ransomware, viruses, distributed denial-of-service (DDoS) attacks, man-in-the-middle attacks, security breaches, and the like all bring to mind the one thing that anyone involved in managing applications hates—nightmares. It gets to the point where anyone who does anything to affect the security of an application or its associated data becomes gun shy—conservative to the point of absurdity. You don’t actually want the responsibility for securing the application—it just comes with the territory.

Adding to your burden, the disastrous results of any sort of mistake could haunt you for the rest of your life. Unlike most mistakes, you likely won’t sweep this one under the carpet either, because it’ll appear in the trade press where everyone can see it. Even if your name doesn’t become synonymous with security failure, there are always the ramifications of a security issue—legal woes, loss of job, and so on. So, how do you deal with this issue?

Hiding your head in the sand doesn’t appear to provide a solution—at least, not for very long. Security for Web Developers isn’t intended to tell you about every threat out there or resolve every security woe you’ll ever encounter. Instead, it provides you with guidelines and tools you need to resolve any security issue on your own—to be able to see a light at the end of the tunnel that doesn’t have something to do with a train. What this book is really about is being able to get a good night’s sleep knowing that you have what you need to get the job done right.

About This Book

Security for Web Developers provides you with the resources you need to work through web application security problems. Yes, you also see some information about platforms, because browsers run on specific platforms. In addition, you might see some of these security issues when working with desktop applications simply because the security landscape occupies both application domains. However, this book focuses on security for web applications, no matter where those applications run. You can find information on everything from the latest smartphone to an older desktop, and everything in-between. The book breaks the information into the following parts, each of which takes you another step along the path to creating a better security plan for your organization:

Part I
Nothing works well without planning. However, some of the worst disasters in the computer industry occurred due to a bad plan, rather than no planning at all. This part of the book helps you create a good security plan for your organization—one that considers all the latest user devices and user needs as part of the picture. This part of the book also discusses the need for third-party support, because let’s face it: the complex security environment really does make it hard to create a secure environment alone. The materials help you locate the right sort of third-party help and ensure you actually get the value you need from it.
Part II
Creating applications today means relying on third-party code found in libraries, APIs, and microservices. This part of the book helps you consider coding issues. You won’t find bits and bytes for the most part, but instead find helpful tips for incorporating these elements into your application successfully. This part of the book helps you manage your applications, rather than allowing them to manage you.
Part III
You have a number of ways to test applications and a number of means to do it. For example, you can create your own test suites or you could rely on one produced by someone else. A third party could do the testing for you. Perhaps you want to know how best to combine different strategies to ensure you have your entire application covered. This part of the book answers all your questions about modern testing strategies and details what you can do to make your efforts more efficient.
Part IV
At some point, your application is in production and running smoothly. Some applications continue to run for years this way without getting the proper maintenance. Unfortunately, modern application development means performing updates regularly because the hackers are constantly creating new strategies for accessing your system. Adding to this mess are all the updates to those third-party libraries, APIs, and microservices that you use. This part of the book provides you a map through the update maze and makes it possible to keep everything running smoothly without losing your mind first.
Part V
Security threats constantly evolve, which means that you need some means to keep updated. One method is to track security threats. Of course, if you track every threat, you never get anything done. This part of the book describes techniques you can use to avoid information overflow. The second technique is to obtain additional training. In fact, your entire organization needs training of some sort to keep abreast of current security issues and techniques for dealing with them. This part of the book also discusses training requirements in a way that every organization can use—even if you’re a one-person business or a recent startup.

What You Need to Know

The readers of this book could have any of a number of titles, such as web designer, frontend developer, UI designer, UX designer, interaction designer, art director, content strategist, dev ops, product manager, SEO specialist, data scientist, software engineer, or computer scientist. What you all have in common is a need to create web applications of some sort that are safe for users to interact with in a meaningful way. You’re all professionals who have created web applications before. What you may really need is to brush up on your security skills given the new climate of major application intrusions through nontraditional means, such as contaminating third-party APIs and libraries.

Security for Web Developers provides you with an end-to-end treatment of security, but it doesn’t provide a lot of handholding. This book assumes that you want the latest information on how to thwart security threats at several levels, including a reading of precisely which categories those threats occupy, and how hackers use them to thwart your security measures.

The book does include a few security programming examples. In order to use these examples, you need to have a good knowledge of CSS3, HTML5, and JavaScript programming techniques. However, if you don’t possess these skills, you can skip the programming examples and still obtain a considerable amount of information from the book. The programming examples provide details that only programmers will really care about.

Beyond the programming skills, it’s more important that you have some level of security training already. For example, if you don’t have any idea of what a man-in-the-middle attack is, you really need to read a more basic book first. This book obviously doesn’t assume you’re an expert who knows everything about man-in-the-middle attacks, but it does assume you’ve encountered the term before.

Development Environment Considerations

All you need to use the programming examples in this book is a text editor and browser. The text editor must output pure text, without any sort of formatting. It must also allow you to save the files using the correct file extensions for the example file (.html, .css, and .js). The various book editors, beta readers, and I tested the examples using the most popular browsers on the Linux, Mac, and Windows platforms. In fact, the examples were even tested using the Edge browser for Windows 10.

Icons Used in This Book

Icons provide emphasis of various sorts. This book uses a minimum of icons, but you need to know about each of them:


A note provides emphasis for important content that is slightly off-topic or perhaps of a nature where it would disrupt the normal flow of the text in the chapter. You need to read the notes because they usually provide pointers to additional information required to perform security tasks well. Notes also make it easier to find the important content you remember is in a certain location, but would have a hard time finding otherwise.


A warning contains information you must know about or you could suffer some dire fate. As with a note, the warning provides emphasis for special text, but this text tells you about potential issues that could cause you significant problems at some point. If you get nothing else out of a chapter, make sure you commit the meaning behind warnings to memory so that you can avoid costly errors later.

Conventions Used in This Book

The following typographical conventions are used in this book:


Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width

Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold

Shows commands or other text that should be typed literally by the user.

Constant width italic

Shows text that should be replaced with user-supplied values or by values determined by context.

Some of the text in this book receives special treatment. Here are a few of the conventions you need to know about:

Source code appears in special paragraphs in most cases to
make it easier to read and use.

Sometimes, you see source code in a regular paragraph. The special formatting makes it easier to see.

URLs, such as, appear in a special font to make them easier to find. This book uses many URLs so that you can find a lot of related information without having to search for it yourself.

Where to Get More Information

I want to be sure you have the best reading experience possible. Please be sure to send any book-specific questions you might have to You can also check out the blog posts for this book at The blog posts provide you with additional content and answer questions that readers commonly ask. If there are errata in the book, you can find the fixes on the blog as well.

Using Code Examples

Supplemental material (code examples, exercises, etc.) is available for download at

This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Security for Web Developers by John Paul Mueller (O’Reilly). Copyright 2016 John Paul Mueller, 978-1-49192-864-6.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at .

Safari® Books Online


Safari Books Online is an on-demand digital library that delivers expert content in both book and video form from the world’s leading authors in technology and business.

Technology professionals, software developers, web designers, and business and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training.

Safari Books Online offers a range of plans and pricing for enterprise, government, education, and individuals.

Members have access to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O’Reilly Media, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, Course Technology, and hundreds more. For more information about Safari Books Online, please visit us online.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

  • O’Reilly Media, Inc.
  • 1005 Gravenstein Highway North
  • Sebastopol, CA 95472
  • 800-998-9938 (in the United States or Canada)
  • 707-829-0515 (international or local)
  • 707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at

To comment or ask technical questions about this book, send email to .

For more information about our books, courses, conferences, and news, see our website at

Find us on Facebook:

Follow us on Twitter:

Watch us on YouTube:


Thanks to my wife, Rebecca. Although she is gone now, her spirit is in every book I write, in every word that appears on the page. She believed in me when no one else would.

Russ Mullen, Billy Rios, and Wade Woolwine deserve thanks for their technical edit of this book. All three technical editors greatly added to the accuracy and depth of the material you see here. In many cases, I was able to bounce ideas off them and ask for their help in researching essential book topics.

Matt Wagner, my agent, deserves credit for helping me get the contract in the first place and taking care of all the details that most authors don’t really consider. I always appreciate his assistance. It’s good to know that someone wants to help.

A number of people read all or part of this book to help me refine the approach, test scripts, and generally provide input that all readers wish they could have. These unpaid volunteers helped in ways too numerous to mention here. I especially appreciate the efforts of Eva Beattie, Glenn A. Russell, and Luca Massaron, who provided general input, read the entire book, and selflessly devoted themselves to this project.

Finally, I would like to thank Meg Foley, Nicole Shelby, Jasmine Kwityn, and the rest of the editorial and production staff.

Get Security for Web Developers now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.