New lessons: Add core "Web Security" Section (3-4 Lessons)

[blazejzj]

Checks

• This is not a duplicate of an existing issue (please have a look through our open issues list to make sure)
• I have thoroughly read and understand The Odin Project Contributing Guide
• Would you like to work on this issue?

Describe your suggestion

My Suggestion:
Add a dedicated "Web Security" (Or similiar) category with 3-4 concise lessons to for example NodeJS. This section would introduce new web developers (students) to the most critical security topics, risks, and practices they need to know when building and later maintaining web applications.

Why?

Security is absoolutely essential for every developer/SWE, but TOP curriculum currently only covers security topics sporadically. Having a focused section will perhaps:

• Raise awareness about the most common vulnerabilities and attacks (XSS, SQL Injections, CSRF, and also Social Engineering).
• Shows practical prevention strategies, and secure coding habits.
• Help students adopt a security mindset, benefiting them throughout their learning and in future job roles.

Proposed Outline:

• Lesson 1: What is Web Security (Why it matters, types of threats, etc.)
• Lesson 2: Most common vulnerabilities (code samples, XSS, SQL Injections, CSRF)
• Lesson 3: Social Engineering & Human Risks (Phishing, passwords, real stories)
• Lesson 4: Secure Practices (validating, sanitizing input, HTTPS, secrets, dependency safety)

Each lesson would be concise, perhaps include code snippets and real-world examples.
This section I believe will better prepare students for real-world development, but also help them during technical interviews, and contribute to safer web overall.

I am Very happy to help draft these lessons or collaborate on the content.

Path

Node / JS

Lesson Url

https://www.theodinproject.com/lessons/(web-security, common-vulnerabilities, social-engineering, secure-practices))

(Optional) Discord Name

opexx.

(Optional) Additional Comments

No response

[KevinMulhern]

Thanks for opening this @blazejzj. It's a pretty big proposal so I've converted it to a discussion for now. cc @TheOdinProject/maintainers - what do you guys think about adding security lessons?

I have a few questions, not just for you, but anyone that takes part in the discussion.

• Is this knowledge expected or required for a junior/entry level position?
• Where specifically would we put these in the backend courses?
• How can we give learners opportunities to practice what they learn in these lessons so they retain it?

[blazejzj]

Thank you for the chance to speak out more about this! Here are my thoughts on your questions:

1. Is this knowledge expected or required for a junior/entry level position?
   I can't claim every job requires it, but just from looking at lots of job listings around my area, and talking with other people in the field, it feels like basic security awareness is at least valued. Even if it's not always listed as a must-have skill, I think most companies would expect a junior dev to at least know about common vulnerabilities like SQL injection or XSS. That's because these things are so fundamental to web development.
   To be honest, I also just think it's a good idea for beginners to have a general idea of how to keep their projects safe, even if employers aren't always testing on it.
   Shortly said, I believe that basic knowledge of potential vulnerabilities is very valuable, and shows that students are thinking about more than just "developing" but also about "developing safely".

2. Where specifically would we put these in the backend courses?
   I personally think that security fits best after students have already built at least one backend project and have some experience with forms, authentication, and working with databases. At that point, they can really see why security is necessary, since they’ve actually handled user input and data. Placing the security section right after topics like authentication would make sense. Personally, I believe the best spot would be either after or before the ORM section. This is a natural point where vulnerabilities can happen, and where these lessons can have the most impact on students.

3. How can we give learners opportunities to practice what they learn in these lessons so they retain it?
   Hands-on practice is definitely important for this topic, especially for retaining the information. I don't think it's necessary to add a big new project or anything, since students already get some experience with things like prepared statements and authentication as they build their apps throughout the backend course. What's missing is a focus on why these tools and practices matter, what vulnerabilities they help prevent, and what other risks exist.

For these security lessons I would suggest:

• Brief targeted "code along" exercise or demonstration. Like starting with an insecure form then progressively adding validation and seeing what kinds of attacks (like unvalidated input) could happen if you skip steps.
• Real-world examples and short case studies might help. Helping students see the actual consequences of security oversights
• Maybe a few exercises of sort "spot the vulnerability"? Where students review a short code snippet and try to find the problem.
• Suggesting further resources for students who want to dig deeper into these topics.
  The point here is not to teach students how to "hack" or simulate attacks in detail. The main goal is raising awareness about common dangers and explaining the basic strategies to prevent them. This way, students learn not just the how, but also the why behind secure coding. They will definitely be better prepared to protect their projects and projects they are working on in the real world.

My final thought is that I believe adding these lessons isn't about making everyone a security expert. It's about raising awareness and building good habits from the start. Even if this is just a “light touch,” it will help students recognize risks early in their careers, which will benefit them in the long run and contribute to a safer web overall.

[mao-sz]

I cannot speak for the Rails side of things, so others will have to weigh in on that.

As far as the Node course goes, a lot of this is either already covered or has already been planned for the ongoing revamp (milestone 1 has already been released last year which covered the contents on Express Intro, MVC, DBs and ORMs. Security things covered in that contents include SQL injection, secrets via env variables and security around that, and XSS or other injection attacks in HTML via unescaped output (alongside validation/sanitisation etc.).

The current milestone being worked on involves the content on Auth and APIs. The lessons in this milestone will cover relevant security concepts like password storage and related matters, cookies and related security, JWTs and related security etc.

Essentially what you're proposing either already has sufficient content or is already being worked on for upcoming content, keeping within a sensible scope of the curriculum (i.e. it's not trying to become a comprehensive cybersecurity course which is a different scope entirely). Some other more advanced concepts, including some security-related matters, have been discussed and for now purposely left to be discussed further in a future milestone, as they are not in scope of the current work.

Regarding social engineering, I'm personally not convinced dedicated content is particularly important or relevant to the backend courses. That concerns the actions of individual users outside of the scope of building an application. So IMO that feels out of place both in a backend course and as a responsibility of TOP, if that makes sense?