Web Security
This is a hands-on course that covers the most common web application vulnerabilities, their exploitation and mitigation techniques. Every lecture includes homework, typically involving exploiting and fixing vulnerabilities. Students are expected to have basic skills in web application development (HTML, JavaScript and PHP).
About the course
Content
The course covers web architecture, HTTP/HTTPS, browser security policies, and major web vulnerabilities such as XSS, CSRF, and SQL injection. It also addresses secure authentication, access control, tracking and fingerprinting, UI attacks, browser extensions, bot detection, and server-side flaws. Practical defence strategies are discussed throughout.
Learning outcomes
Upon successful completion of the course, students will be able to:
- Identify, exploit, and mitigate common web vulnerabilities (XSS, CSRF, SQLi).
- Understand key web security concepts and protocols (HTTP, cookies, SOP, CSP).
- Apply security best practices in authentication, authorization, and session management.
- Analyze browser behaviors, tracking methods, and server-side vulnerabilities.
- Use developer and security tools to evaluate and improve web application security.
Programme
Topics to be covered:
- Web, HTTP protocol, HTTPS, Cookies
- Same-Origin Policy (SOP)
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Content Security Policy (CSP)
- User Interface (UI) attacks
- Tracking and fingerprinting
- Browser extensions
- Bots and CAPTCHAs
- Authentication and session management
- Authorization
- SQL Injection (SQLi)
- Server-side vulnerabilities
- Server-side vulnerabilities 2
- Attack detection and prevention
Teaching methods
The course is 100% web-based and can be completed asynchronously. The course consists of pre-recorded online lectures and homework tasks. The list of independent work will be given in the lectures.
The use of AI tools for assignments is prohibited.
Assessment method(s)
Grade system: differentiated (A, B, C, D, E, F, not present)
The final grade consists of homework (70%) and a test (30%). The test is optional and cannot be retaken.
Lecturers
Arnis Paršovs
Course dates
This course takes place in the first semester of the academic year 2026-2027. It starts in the first week of September and runs until mid-December.
This is a 100% self-learning course with weekly homework deadlines. Info on the course schedule is available HERE. ENLIGHT students will be able to take the test remotely via the Internet in December (exact time to be specified).
How to apply?
Entry requirements: basic skills in web application development (HTML, JavaScript and PHP)
For application, please use this form. Apply by January 26, 2026.
Students from all ENLIGHT partner universities and from all disciplines are eligible to participate. For application, please use this form. Apply by August 17, 2026. The University of Tartu will select the permitted number of students and inform the admitted students as soon as possible.
Before applying, students should check with their home faculty or programme whether the course can be included in their curriculum and whether the credits will be recognised. Students from Ghent University must obtain faculty approval by completing this form and having it signed by the Faculty Student Administration.
Contact your ENLIGHT coordinator for further information on the application process or consult the linked information:
- University of the Basque Country
- University of Bern (see application instructions for students at the University of Bern)
- University of Bordeaux
- Comenius University Bratislava
- University of Galway
- Ghent University (see information about BIPs and virtual courses)
- University of Groningen
- University of Göttingen (separate contacts for BIPs and for other courses)
- Uppsala University (see application instructions for students at Uppsala University)
Contact
Arnis Paršovs