🕸️

Web Application Security (OWASP) Intermediate

The OWASP Top 10 risks and how to write code that resists injection, XSS and broken access control.

4 lessons · 7 tasks

📚 Lessons

1 Injection & SQL injection

Injection happens when untrusted input is interpreted as part of a command or query instead of as plain data. In SQL injection an attacker supplies input such as ' OR 1=1 -- that changes the structure of the query: the quote closes the string, OR 1=1 makes the condition always true, and -- comments out the rest. Defence: always use parameterised queries / prepared statements so the value travels separately from the SQL text, never build SQL by string concatenation, and validate input against an allow-list as a second layer.
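The following added example (not code from the course) shows the lookup in both forms against a constructed in-memory SQLite database: the concatenated query returns every row for the ' OR 1=1 -- payload, while the parameterised query treats the same string as a username that matches nothing. The allow-list regex for usernames is this example's choice.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the input is spliced into the SQL text, so a quote
    character in it changes the structure of the query."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the driver passes the value separately from the SQL,
    so it can only ever be compared as data."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames (this example's rule); validation is a second layer,
# it does not replace parameterisation.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", find_user_vulnerable(db, payload))  # all three rows
    print("safe:      ", find_user_safe(db, payload))        # []
    print("validates: ", validate_username(payload))         # False
```

With the payload the concatenated query becomes `SELECT id, username FROM users WHERE username = '' OR 1=1 --'`, which SQLite happily executes; the parameterised version never parses the payload as SQL.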

2 Cross-Site Scripting (XSS)

XSS injects malicious scripts into pages viewed by other users, so the attacker's code runs in their browser with their session and can steal cookies or tokens, perform actions as them, or deface content. Defence: output-encode all user data for the context it lands in (HTML body, attribute, JavaScript string), send a Content-Security-Policy header that restricts which scripts may run, and prefer templating frameworks that auto-escape by default.
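An added example (not the course's code) of context-specific output encoding in Python, with a vulnerable renderer for contrast. The profile page, field names and payloads are constructed for the example; the CSP value is this example's choice of a restrictive baseline. User data destined for client-side script is placed in a JSON data block rather than an inline script, so it neither executes nor conflicts with a CSP that forbids inline scripts.

```python
import html
import json


def encode_html_text(value):
    """HTML body context: <, >, &, " and ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """Double-quoted attribute context: same entity set; the template must
    always wrap the attribute value in double quotes."""
    return html.escape(value, quote=True)


def encode_json_in_script(obj):
    """Data embedded in a <script type="application/json"> block: JSON-encode,
    then escape the characters that could close the script element or open a
    tag, since the HTML parser does not understand JSON string boundaries."""
    encoded = json.dumps(obj)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_profile_vulnerable(display_name, bio):
    """Raw interpolation: a name like <script>alert(1)</script> executes, and a
    bio like " onmouseover="alert(1) breaks out of the title attribute."""
    return ('<h1>' + display_name + '</h1>'
            '<div title="' + bio + '">' + bio + '</div>')


def render_profile(display_name, bio):
    """Each insertion point uses the encoder for its own context."""
    data = encode_json_in_script({"displayName": display_name})
    return ('<h1>' + encode_html_text(display_name) + '</h1>'
            '<div title="' + encode_html_attr(bio) + '">' + encode_html_text(bio) + '</div>'
            '<script type="application/json" id="profile-data">' + data + '</script>')


# Defence in depth: only same-origin scripts, no inline script, no plugins.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    name = "</script><script>alert(1)</script>"
    bio = '" onmouseover="alert(1)'
    print(render_profile_vulnerable(name, bio))
    print(render_profile(name, bio))
```

Note that the attribute encoder is only safe because the template always quotes the attribute; an unquoted attribute can be broken out of with a space, which `html.escape` does not touch.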

3 Authentication & access control

Broken access control tops the OWASP Top 10 (2021). Enforce authorisation server-side on every request, checking that the authenticated user may access the specific object they asked for; never rely on hiding links or buttons in the UI. Store passwords with a slow, salted hash (bcrypt or argon2), never a plain or fast hash. Set the Secure, HttpOnly and SameSite attributes on session cookies, and issue a fresh session ID at login and logout.
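An added example (not the course's code) that puts the three defences together in Python: an object-level authorisation check that runs for every request, slow salted password hashing, and a session cookie with the recommended attributes. The invoice records are constructed for the example. `hashlib.scrypt` is used here only because it ships with the standard library; the course's recommendation of bcrypt or argon2 needs a third-party package and would replace the two hashing functions one for one.

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie

# Constructed records for the example: each invoice has exactly one owner.
INVOICES = {
    101: {"owner": "alice", "total": 40},
    102: {"owner": "bob", "total": 99},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice(session_user, invoice_id):
    """Object-level authorisation, checked on the server for every request.
    The id from the URL is never trusted on its own: ownership is verified
    against the authenticated session user, and 'not found' and 'not yours'
    raise the same error so ids cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        raise Forbidden("invoice %r not accessible to %r" % (invoice_id, session_user))
    return invoice


# Slow salted hashing (scrypt as a stdlib stand-in for bcrypt/argon2).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password):
    salt = os.urandom(16)                       # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


def new_session_id():
    """Unguessable id; issue one at login so a session id seen before
    authentication (fixation) is never promoted to an authenticated one."""
    return secrets.token_urlsafe(32)


def session_cookie(session_id):
    """Set-Cookie value carrying the Secure, HttpOnly and SameSite attributes."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True      # only sent over HTTPS
    cookie["session"]["httponly"] = True    # not readable from JavaScript
    cookie["session"]["samesite"] = "Lax"   # not sent on cross-site POSTs
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(session_cookie(new_session_id()))
    print(get_invoice("alice", 101))
    try:
        get_invoice("alice", 102)
    except Forbidden as exc:
        print("denied:", exc)
```

The ownership check is the part most often missing in real applications: the handler authenticates the user, then fetches whatever id the URL names. Keeping the check inside the data-access function rather than in each route makes it hard to forget.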

4 Secure configuration & headers

Harden defaults: disable directory listing, remove debug pages and stack traces from production, and keep dependencies updated. Set security headers: Content-Security-Policy, X-Content-Type-Options: nosniff, Strict-Transport-Security (with a max-age of at least a year), and X-Frame-Options (or the CSP frame-ancestors directive, which supersedes it). Always serve over HTTPS.
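An added example (not the course's code) in Python: a small audit function that flags missing or weak security headers on a response, and a WSGI middleware that adds the hardened set to any response the application did not already cover. The header values, the demo app and the one-year HSTS threshold are this example's choices.

```python
import re

# Hardened header set (this example's values).
SECURITY_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

ONE_YEAR = 31536000


def audit_headers(headers):
    """Return a list of findings for a response's headers (names compared
    case-insensitively). An empty list means the checked headers are in place."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = present.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors (clickjacking)")
    return findings


def add_security_headers(app):
    """WSGI middleware: append each security header the app did not set itself."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            existing = {k.lower() for k, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in existing:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Constructed WSGI app that sets only Content-Type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def response_headers(app):
    """Call a WSGI app with a minimal environ and return its headers as a dict."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    body = app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


if __name__ == "__main__":
    print("before:", audit_headers(response_headers(demo_app)))
    print("after: ", audit_headers(response_headers(add_security_headers(demo_app))))
```

Run the audit against a real deployment by feeding it the headers from an HTTP response; the middleware only fills gaps, so a route that sets its own, stricter CSP keeps it.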

📝 Tasks

7 tasks across 3 pages — multiple-choice and fill-in (type the answer). Score 70% or higher to earn your certificate.

🎓 Certificate of Completion

🔒 Pass the quiz above (70%+) to unlock your downloadable certificate.