Academy

Security

Security Is a Mindset, Not a Checklist

Every security vulnerability in this lesson follows the same pattern: developer-controlled data and user-controlled data were treated as the same thing. The attacker found a place where untrusted input was used as trusted instruction — and exploited it.

The fix is always the same principle in a different form: never trust input, validate at the boundary, escape at the output, separate data from code.

We cannot demonstrate live network attacks in this sandbox. We can demonstrate every underlying mechanism — the same JavaScript logic that makes attacks possible and the same patterns that prevent them.

Cross-Site Scripting (XSS)

XSS is the most common web vulnerability. It happens when user-supplied text is inserted into a page as HTML without escaping — turning a comment, a name, or a search term into executable code:

Injection — SQL, Command, and Path Traversal

Injection is XSS's server-side cousin. Untrusted input is concatenated into a command — SQL, shell, file path — and executed:

Prototype Pollution

JavaScript's prototype chain is a feature. It is also an attack surface. If an attacker can inject a key like __proto__ or constructor.prototype into an object merge operation, they can modify the prototype of every object in the application:

CSRF — Cross-Site Request Forgery

CSRF tricks a victim's browser into making an authenticated request to your server on behalf of the attacker. The browser automatically attaches cookies to every request — including ones initiated by a malicious third-party page:

Timing Attacks — When Time Leaks Information

A naive string comparison returns early as soon as it finds a mismatched character. This leaks information: if a token comparison takes slightly longer, it matched more characters. An attacker who can measure response times can deduce secret values one character at a time:

Dependency Security — Your Code Is the Smallest Part

Modern applications have hundreds of transitive dependencies. A single compromised package can inject malicious code into every project that depends on it:

Input Validation — Trust Nothing That Crosses a Boundary

Every input from outside your code — HTTP request body, URL parameter, file upload, WebSocket message, localStorage read — is untrusted. Validate at the boundary, reject anything that doesn't conform:

Secrets — Never in Source Code

The Security Principles — A Reference

What You Have Learned

Security is not a list of things to avoid. It is a way of reading your own code — asking at every input boundary: what happens if this value is controlled by an attacker?

The key ideas:

  • XSS: user input rendered as HTML executes as code — use textContent, escape HTML entities, set a strict CSP, use DOMPurify for rich text
  • Injection: user input concatenated into SQL/shell/path executes as command — use parameterised queries, validate paths against a base directory, whitelist file extensions
  • Prototype pollution: __proto__ or constructor.prototype in object merges modifies every object — block those keys, use Object.create(null) for stores, prefer structuredClone
  • CSRF: browsers auto-send cookies on cross-origin requests — CSRF tokens, SameSite=Strict, verify Origin header
  • Timing attacks: early-exit string comparison leaks information — constant-time comparison for all secrets and tokens
  • Supply chain: your dependencies can be compromised — pin versions, audit regularly, review unfamiliar packages
  • Validation: validate at every trust boundary, reject what doesn't conform — never let invalid data reach business logic
  • Secrets: never in source code, never in localStorage, never in query strings, never in logs — environment variables, HttpOnly cookies, Authorization headers

The Complete Course — What You Now Know

You started with "what is a program?" and ended here. Twenty-nine lessons across three tiers:

Beginner (01–08): variables, types, conditionals, functions, loops, arrays, objects — the foundation every JavaScript developer needs.

Intermediate (09–17): closures, higher-order functions, async/await, classes, error handling, modules, iterators, generators, Symbols, WeakMap, Proxies — the mechanisms that separate competent from expert.

Advanced (18–29): V8 internals, memory management, functional programming, concurrency, design patterns, testing, TypeScript, runtime environments, data structures, parsing, and security — the knowledge that lets you build systems that are fast, correct, and safe at scale.

The language is not the end. It is the beginning. Every framework, every library, every tool you will ever use is built from these primitives. You now have the foundation to read their source code, understand their design decisions, and build your own.