Understand how the web is attacked and defended — the browser security model, cross-site attacks like XSS and CSRF, SSRF and IDOR, security headers such as CSP, modern authentication with passkeys, and threat modeling. Built from MDN's web security documentation and made to stick with spaced repetition.
Web security is the practice of protecting websites and their users from attack — understanding how a browser isolates one origin from another, how attackers get around those defenses, and which headers, policies and authentication mechanisms close the gaps. This track is built from MDN's web security documentation, the freshly rewritten reference that maps each attack to the defenses that stop it.
The deck follows the structure of the field itself. The browser security model covers origins, the same-origin policy, secure contexts and subresource integrity. Cross-site attacks covers XSS, CSRF, clickjacking, XS-Leaks and prototype pollution, while server and ecosystem attacks covers phishing, manipulator-in-the-middle, SSRF, IDOR, subdomain takeover and supply chain. Security headers and policies covers CSP, CORP, referrer policy, cookie attributes and MIME sniffing.
The final modules move from mechanism to practice. Authentication covers password storage, passkeys, one-time passwords, federated identity and session management; threat modeling covers assets, trust boundaries, STRIDE and risk response; and a set of applied practical scenarios asks you to diagnose a real incident and pick the fix. Spaced repetition turns a reference you skim once into judgement you apply in every review.
Each module is a set of flashcards — 108 in total. Answer, review, and watch your knowledge grow from seed to full bloom.
Origins, same-origin policy, secure contexts, and integrity
15 cardsXSS, CSRF, clickjacking, XS-Leaks, and prototype pollution
15 cardsPhishing, MITM, SSRF, IDOR, subdomain takeover, supply chain
15 cardsCSP, CORP, Referrer-Policy, nosniff, cookies, and robots.txt
15 cardsPasswords, passkeys, OTP, federated identity, and sessions
15 cardsAssets, trust boundaries, STRIDE, and risk response
15 cardsApplied web-security scenarios and how to respond
18 cardsA taste of the real flashcards. Pick an answer, then reveal the explanation.
What does the same-origin policy primarily restrict?
How does a cross-site request forgery (CSRF) attack work?
Why can a passkey not be used on a phishing look-alike domain?
What are the four key questions of threat modeling?
Each card is one practical concept with multiple options. Pick what you think is right.
See the correct option plus a clear explanation, and a link to deeper docs when one is available.
A spaced-repetition engine (SM-2 or FSRS) resurfaces each card just before you would forget it.
Every attack is paired with what actually stops it — XSS with output encoding and CSP, CSRF with tokens and SameSite, clickjacking with frame-ancestors.
Drawn from Mozilla's newly rewritten web security docs, with every card linking to the exact MDN page for deeper reading.
Passkeys, TOTP and federated identity — the phishing-resistant mechanisms replacing passwords, explained from first principles.
Know why each answer is right and why the plausible alternatives are wrong — the judgement a real security review needs.
Web developers, frontend and backend engineers, and anyone preparing for an appsec interview who wants to understand how the web is attacked and defended. It starts each topic from fundamentals but goes deep enough to be useful in real reviews.
Secure Coding takes the developer checklist angle across any stack. Web Security takes the browser-and-web angle from MDN — the same-origin policy, security headers, cross-site attacks and modern web authentication. They complement each other.
The questions are built from MDN's web security documentation, covering attacks, defenses, authentication and threat modeling. Each card links to the corresponding MDN page.
Yes, completely free. No registration or credit card is required, and all your progress is stored locally in your browser.
Plant your first seed today. Ten minutes a day builds the security instincts you'll reach for in every pull request.