25 au 27 février, 2026
Montréal, Canada

Full-Stack security for web applications

  1. Accueil
  2. Montréal 2026
  3. Sessions

Formation en Anglais

Partager sur Twitter Partager sur Facebook

Other training is also available:
S'inscrire à la formation
Every day we hear about apps being hacked, and data breaches causing enormous disruption; let's learn how to avoid being the subject of such bad news! In this 1-day workshop, we will look at the whole deployment stack of a typical web application, and work through a set of configuration and code examples using vanilla PHP to discuss and demonstrate security problems, solutions, and defence-in-depth at every layer of the deployment stack, from cloud infrastructure all the way through firewalls, SSH & TLS config, injections, validation & escaping, and XSS.

We will also look at numerous testing and attack tools to check that what you're doing is actually working.

You'll work through examples (using PHP) using your own laptop and a provided Ubuntu VM.

Intro

  • Concepts
  • Defence in depth
  • Threat models
  • Put your black hat on

Part 1 - Setting up

  • Creating SSH keys
  • Configuring AWS security groups
  • Commissioning a server
  • Updating and installing essentials
  • Configuring a firewall (using ufw)
  • Testing access and SSH (ssh-audit and nmap)
  • Installing nginx, PHP, sqlite
  • DNS

Part 2 – Server config

  • Ownership and permissions
  • Defining a virtual server in nginx
  • Getting TLS certificates from letsencrypt using certbot
  • Testing TLS - qualys SSL labs and testssl.sh
  • Configuring php-fpm
  • Security concerns

Part 3 - Back-end security

  • Configuring CSP and other HTTP headers
  • Cookies & flags
  • SSRF
  • App development practices for security
  • Sanitization, validation, and escaping
  • SQL & command injection
  • Database encryption
  • Enumeration, IDOR, UUIDs
  • Static analysis
  • Authentication, password hashing, OAuth
  • Authorization

Part 4 - Front-end security

  • XSS
  • Input filtering, sanitization, validation, and escaping
  • CSRF
  • CORS
  • Using frameworks
  • Wrap up

Duration:

  • 1 day
  • 9:00 am to 5:00 pm
  • 1 hour lunch break included at the hotel's restaurant
  • 15 min coffee break every morning and afternoon

Marcus Bointon

Marcus Bointon

Devalps

I'm a pentester and writer for Radically Open Security, work on smartmessages.net, and support 1CRM. I'm the maintainer of PHPMailer (the second-most forked PHP project on GitHub!) and contribute to many other open-source projects. I'm a skier, songwriter, PHP & Laravel developer, privacy advocate, sysadmin, technical writer, and the author of "The HTTP/3 book". I've spoken at many conferences around the world. I live in the French alps with my wife, kids, guitars, skis, and bikes.

Read More

Montréal 2026 sponsored by

Devenir commanditaire
© 2010-2025 ConFoo. Tous droits réservés. Code de conduite