Domain
Web Security & Authentication
A learning path to study web security systematically on framework-independent first principles — from how HTTP works and the foundations of web vulnerabilities, through cryptography and authentication/authorization protocols, secure-by-design thinking, and threat modeling, to vulnerability assessment from an attacker's perspective.
The Terrain of This Field
The terrain of web security can be read as a chain of defenses that begins at a shoreline battered by the waves of attack. The water's edge is the "foundations of web vulnerabilities": on top of HTTP, learning why injection and XSS arise — their mechanisms and root remedies — is the trailhead of all defense.
Moving inland, you reach the gatehouse of "authentication and authorization." How do you verify identity and delegate privileges over stateless HTTP? Cryptography holds the key, and protocols like OAuth, OIDC, and passkeys give shape to trust.
Deeper still rises the high ground of "defending by design": beyond reactive validation, the philosophy of building structures where vulnerabilities cannot enter, and systematic defense through threat modeling. At the outermost ring stands the watchtower of "offense and assessment" — to defend, you must know how the attacker thinks. The axis running through this field is a consistent stance: defend in depth, from first principles, not by ad hoc patching.
Books in this domain
12 books

1. 暗号技術入門 第3版 (Introduction to Cryptography, 3rd ed.): 秘密の国のアリス (Alice in Secret-Land). 結城浩 (Hiroshi Yuki)
2. セキュアなソフトウェアの設計と開発 (Designing Secure Software): 脅威モデリングに基づく普遍的アプローチ (A universal approach grounded in threat modeling). Loren Kohnfelder
3. 実践理解!Webアプリケーション セキュリティ (Web Security for Developers). Malcolm McDonald
4. ハッキングAPI (Hacking APIs): Web APIを攻撃から守るためのテスト技法 (Testing techniques for defending web APIs against attack). Corey Ball
5. OAuth徹底入門 (OAuth 2 in Action): セキュアな認可システムを適用するための原則と実践 (Principles and practice for applying a secure authorization system). Justin Richer, Antonio Sanso
6. OpenID Connect入門 (Introduction to OpenID Connect): アプリケーション開発者のための実践技術解説 (A practical technical guide for application developers). 土岐孝平 (Kohei Toki)
7. パスキーのすべて (All About Passkeys): 導入・UX設計・実装 (Adoption, UX design, implementation). えーじ (Eiji), 倉林雅 (Masashi Kurabayashi), 小岩井航介 (Kosuke Koiwai)
8. Real World HTTP 第3版 (3rd ed.): 歴史とコードに学ぶインターネットとウェブ技術 (Internet and web technology learned from history and code). 渋川よしき (Yoshiki Shibukawa)
9. セキュア・バイ・デザイン (Secure by Design): 安全なソフトウェア設計 (Secure software design). Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano
10. 体系的に学ぶ 安全なWebアプリケーションの作り方 第2版 (How to Build Secure Web Applications, Systematically, 2nd ed.): 脆弱性が生まれる原理と対策の実践 (How vulnerabilities arise and countermeasures in practice). 徳丸浩 (Hiroshi Tokumaru)
11. Webセキュリティ担当者のための脆弱性診断スタートガイド 第2版 (Vulnerability Assessment Starter Guide for Web Security Staff, 2nd ed.): 上野宣が教える新しい情報漏えいを防ぐ技術 (Sen Ueno on new techniques for preventing information leaks). 上野宣 (Sen Ueno)
12. ホワイトハッカー入門 第2版 (Introduction to White-Hat Hacking, 2nd ed.). 阿部ひろき (Hiroki Abe)
Dependencies
Reason: Authentication, sessions, and cookies all sit on top of HTTP. Grasping HTTP's behavior from first principles first lets you understand structurally where in the protocol the vulnerabilities in Tokumaru's book actually arise.
Reason: Once Tokumaru's book has cemented the principles and root fixes, reinforce them with a modern, cross-layer view from browser to server. Widening the scope to supply chain and incident response raises the resolution of your defense.
Reason: After grasping the overall picture of vulnerability defense, descend to the cryptographic foundation that much of it relies on. Understanding the logic of hashing, signatures, and public-key crypto lets you treat TLS and token verification as principles rather than magic.
Reason: Only with a foundation in signatures and public-key cryptography can you correctly understand token-based authorization. OAuth 2.0 is the de facto standard for delegating privileges; learn its grant types and flows from first principles.
Reason: OAuth 2.0 is fundamentally an authorization protocol, and misusing it for pseudo-authentication breeds vulnerabilities. Advancing to OIDC, which standardizes identity verification, clarifies how to build correct authentication, including ID token validation.
Reason: Passkeys apply public-key cryptography to authentication. Reading this after the crypto basics makes it click why no password is stored on the server and why phishing resistance emerges — down to verifying the challenge signature.
Reason: Once you can implement authentication and authorization as a system, lift your perspective a level. Secure by Design goes beyond reactive input validation and escaping, offering a way to build structures where invalid data cannot enter at the design stage.
Reason: After grasping a robust, type-based design philosophy, advance to embedding it into the development process. STRIDE-based threat modeling systematically surfaces attack surfaces and trust boundaries, giving design reviews their backbone.
Reason: Once the principles of defense are solid, adopt the attacker's view. Learning API vulnerabilities (BOLA/IDOR, etc.) — now the main battleground for SPAs and microservices — from the offensive side lets you work backward to robust API design.
Reason: After learning the principles of vulnerabilities, verify them with your own hands. Dynamic analysis with OWASP ZAP and Burp Suite lets you feel how attacks you knew only in theory actually succeed in real traffic, closing the gap between theory and practice.
Reason: Once threat modeling has surfaced 'where the risks lie' at design time, confirm those assumptions through hands-on assessment. Matching design-level threats against actual behavior validates the effectiveness of your defenses.
Reason: Once you hold the principles of web defense, widen your scope to attacks across networks and servers. Knowing the attacker's thought process brings insights for active defense that are not confined to the web app alone.