GWEB (Coming Soon)

The GWEB certification teaches web developers and security engineers how to design resilient web architectures, enforce strong authentication, validate input, apply CSP and security headers, and secure APIs against modern threats.

  • Exam length: 180 minutes
  • Questions: 75
  • Passing score: 68/100
  • Exam cost: $979

Who Should Take This

Ideal candidates are web application developers, security engineers, or DevSecOps practitioners with at least two years of experience building or protecting web services. They seek to deepen their knowledge of authentication, session management, input sanitization, CSP, security headers, and API hardening to meet enterprise security standards.

What's Covered

1 Web Application Security Architecture
2 Authentication and Session Security
3 Input Validation and Output Encoding
4 Content Security Policy and Security Headers
5 API Security
6 Web Application Firewall Configuration
7 Secure Development Lifecycle

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

62 learning goals
1 Web Application Security Architecture
2 topics

Defense-in-depth web architecture

  • Identify defense-in-depth layers for web applications including network segmentation, reverse proxy configuration, application-level controls, and database access restrictions that provide overlapping protection.
  • Implement TLS configuration best practices including certificate chain validation, cipher suite selection, HSTS deployment with preloading, certificate transparency monitoring, and automated certificate rotation.
  • Configure reverse proxy security including request filtering, header manipulation, connection limiting, and backend server isolation to create a hardened entry point for web application traffic.
  • Analyze web application deployment architectures to evaluate security boundary effectiveness, identify trust boundary violations, and assess the adequacy of network segmentation between web, application, and data tiers.

Secure web server configuration

  • Describe web server hardening principles including unnecessary module removal, directory listing prevention, error page customization, and server version header suppression.
  • Implement web server security configurations for Apache and Nginx including access control directives, request size limits, timeout settings, and logging configurations for security monitoring.
  • Evaluate web server security posture by analyzing configuration baselines against CIS benchmarks, testing for information disclosure, and assessing the effectiveness of rate limiting and request filtering controls.
2 Authentication and Session Security
3 topics

OAuth 2.0 and OpenID Connect security

  • Describe OAuth 2.0 grant types including authorization code, PKCE, client credentials, and device code, and explain the security implications and appropriate use cases for each flow.
  • Implement OAuth 2.0 authorization code flow with PKCE including state parameter validation, redirect URI validation, token storage security, and refresh token rotation to prevent authorization bypass attacks.
  • Configure OpenID Connect integration with ID token validation, nonce verification, issuer validation, and scope management to implement secure single sign-on across web applications.
  • Analyze OAuth 2.0 implementation vulnerabilities including token leakage, redirect URI manipulation, scope elevation, and mix-up attacks to assess the security of deployed authorization flows.

SAML and federation security

  • Describe SAML 2.0 assertion structure, binding types, and the SP-initiated and IdP-initiated authentication flows with their respective security characteristics and vulnerability patterns.
  • Implement SAML assertion validation including XML signature verification, assertion expiration checks, audience restriction enforcement, and replay prevention to defend against assertion forgery attacks.
  • Evaluate SAML implementation security by testing for XML signature wrapping, assertion injection, comment truncation, and certificate validation weaknesses that could enable authentication bypass.

JWT security and session management

  • Identify JWT security vulnerabilities including algorithm confusion, "none" algorithm bypass, key confusion between HMAC and RSA, weak key usage, and token expiration mismanagement.
  • Implement secure JWT handling including algorithm whitelisting, strong key management, appropriate claim validation, token expiration enforcement, and secure storage practices for access and refresh tokens.
  • Configure session management controls including session ID entropy requirements, secure cookie attributes (HttpOnly, Secure, SameSite), idle timeout enforcement, and absolute session expiration.
  • Analyze session management implementations to identify fixation vulnerabilities, cross-site request forgery exposure, token theft vectors, and insufficient session invalidation during logout and password change events.
3 Input Validation and Output Encoding
3 topics

Server-side input validation

  • Describe injection attack categories including SQL injection, command injection, LDAP injection, and XML injection, and explain how insufficient input validation enables each attack type.
  • Implement parameterized queries and prepared statements across SQL, NoSQL, and ORM frameworks to prevent injection attacks while maintaining application functionality and performance.
  • Apply server-side validation patterns including allowlist validation, type checking, length constraints, range verification, and canonical form normalization for all external input sources.
  • Implement file upload security controls including content type validation, magic byte verification, filename sanitization, storage isolation, and malware scanning for user-submitted files.
  • Analyze input validation bypass techniques including encoding manipulation, null byte injection, and Unicode normalization attacks to evaluate the robustness of validation controls.

Output encoding and XSS prevention

  • Describe cross-site scripting attack types including reflected, stored, and DOM-based XSS, and explain how each exploits different trust boundaries between client and server.
  • Implement context-aware output encoding using HTML entity encoding, JavaScript encoding, URL encoding, and CSS encoding based on the rendering context where user-controlled data appears.
  • Apply DOM-based XSS prevention techniques including safe DOM API usage, avoiding dangerous sinks like innerHTML, and implementing trusted types to control dynamic content insertion in client-side code.
  • Evaluate XSS defense effectiveness by testing encoding completeness, identifying unprotected rendering contexts, and analyzing filter bypass vectors to assess residual cross-site scripting risk.

Template security and serialization

  • Identify server-side template injection and insecure deserialization vulnerabilities and describe how they enable remote code execution through uncontrolled template rendering and object reconstruction.
  • Implement serialization security controls including object type allowlists, integrity verification, and safe deserialization library configuration to prevent untrusted object reconstruction attacks.
4 Content Security Policy and Security Headers
2 topics

Content Security Policy configuration

  • Describe Content Security Policy directive categories including fetch directives, document directives, navigation directives, and reporting directives, and explain how they restrict resource loading behavior.
  • Implement a Content Security Policy using script-src nonces or hashes, strict-dynamic propagation, default-src restriction, and report-uri configuration for XSS mitigation and policy violation monitoring.
  • Apply CSP deployment strategies including report-only mode testing, gradual policy tightening, third-party script management, and inline script elimination to achieve effective CSP without breaking application functionality.
  • Analyze CSP violation reports to identify policy gaps, detect bypass attempts, evaluate third-party script risks, and recommend policy refinements that balance security with application compatibility.

HTTP security header configuration

  • Identify HTTP security headers including X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin headers and describe the attack categories each header mitigates.
  • Implement comprehensive HTTP security header configurations including CORS policy for cross-origin resource sharing, Permissions-Policy for browser feature control, and Cross-Origin-Embedder-Policy for isolation.
  • Evaluate security header deployment by scanning header presence, validating directive values, testing CORS policy restrictiveness, and comparing configurations against security best practice benchmarks.
5 API Security
3 topics

REST API security

  • Describe the OWASP API Security Top 10 including broken object level authorization, broken authentication, excessive data exposure, and mass assignment, and explain their exploitation patterns.
  • Implement REST API authentication and authorization including OAuth 2.0 bearer token validation, scope-based access control, object-level authorization checks, and API key management practices.
  • Configure API rate limiting and throttling using token bucket algorithms, sliding window counters, and tiered rate limits based on authentication level to prevent abuse and denial-of-service attacks.
  • Analyze REST API security posture by testing for IDOR vulnerabilities, evaluating response data exposure, assessing rate limiting effectiveness, and reviewing API versioning security implications.

GraphQL security

  • Identify GraphQL-specific security risks including introspection abuse, query depth attacks, batch query amplification, and field-level authorization bypass that differ from REST API vulnerability patterns.
  • Implement GraphQL security controls including query depth limiting, query complexity analysis, introspection disabling in production, persisted queries, and field-level authorization middleware.
  • Evaluate GraphQL API security by testing query complexity limits, analyzing schema exposure risks, assessing nested query resource consumption, and comparing authorization enforcement across resolver chains.

API gateway and management security

  • Implement API gateway security policies including request validation, schema enforcement, mTLS for backend communication, and centralized authentication to create a consistent security control plane.
  • Analyze API traffic patterns using gateway logs and monitoring data to detect anomalous usage, credential stuffing attempts, data scraping behavior, and API abuse indicative of automated attacks.
6 Web Application Firewall Configuration
2 topics

WAF deployment and rule management

  • Describe WAF deployment architectures including reverse proxy mode, transparent bridge mode, and cloud-hosted WAF, and explain the security and performance trade-offs of each deployment pattern.
  • Implement WAF rule sets including OWASP Core Rule Set configuration, anomaly scoring threshold calibration, and paranoia level selection appropriate to the application's risk profile and false positive tolerance.
  • Configure custom WAF rules to protect application-specific endpoints including virtual patching for known CVEs, business logic attack prevention, and request pattern matching for targeted threats.
  • Analyze WAF effectiveness by reviewing blocked request patterns, false positive rates, bypass attempts, and detection coverage to optimize rule configurations and identify protection gaps.

Bot management and DDoS protection

  • Identify bot detection techniques including JavaScript challenges, CAPTCHA integration, browser fingerprinting, behavioral analysis, and reputation-based blocking for distinguishing legitimate from malicious automation.
  • Implement bot management policies that differentiate between good bots, bad bots, and automated attacks using multi-factor bot detection combining request rate, header analysis, and behavioral patterns.
  • Evaluate application-layer DDoS protection effectiveness by analyzing traffic baseline deviations, challenge pass rates, legitimate user impact, and the ability to distinguish volumetric from application-level attacks.
7 Secure Development Lifecycle
3 topics

Threat modeling for web applications

  • Describe threat modeling methodologies including STRIDE, PASTA, and attack trees, and explain how they identify trust boundaries, data flows, and threat vectors specific to web application architectures.
  • Apply STRIDE threat modeling to a web application by identifying spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege threats across each data flow and trust boundary.
  • Evaluate threat model completeness by verifying all entry points, data stores, external dependencies, and trust boundary crossings are covered and that identified threats map to specific defensive controls.

Security testing in CI/CD

  • Identify security testing tool categories including SAST, DAST, IAST, SCA, and secret scanning, and describe their placement in CI/CD pipelines for different stages of the development lifecycle.
  • Implement SAST integration in CI/CD pipelines with rule customization, false positive suppression, severity-based build gating, and developer-friendly finding remediation guidance.
  • Configure DAST scanning against staging environments with authenticated scan profiles, scope constraints, vulnerability verification, and integration with issue tracking for remediation workflows.
  • Analyze security testing pipeline effectiveness by evaluating finding accuracy, detection coverage against OWASP Top 10, remediation cycle times, and developer adoption rates to optimize the DevSecOps feedback loop.

Dependency and supply chain security

  • Identify software supply chain attack vectors including dependency confusion, typosquatting, compromised package maintainer accounts, and malicious pre-install scripts in npm, PyPI, and Maven ecosystems.
  • Implement software composition analysis with dependency vulnerability scanning, license compliance checking, SBOM generation, and automated pull request creation for dependency updates.
  • Evaluate dependency risk by analyzing vulnerability severity, exploit availability, transitive dependency depth, and maintenance activity to prioritize remediation and assess supply chain exposure.

Scope

Included Topics

  • All domains covered by the GIAC Certified Web Application Defender certification (GWEB) aligned with SANS SEC522: Web Application Security Architecture, Authentication and Session Security (OAuth 2.0, SAML, JWT), Input Validation and Output Encoding, Content Security Policy and Security Headers, API Security (REST, GraphQL), Web Application Firewall Configuration, and Secure Development Lifecycle.
  • Web application security architecture: defense-in-depth design, security zones, TLS configuration, certificate management, load balancer security, and reverse proxy hardening for web application deployments.
  • Authentication and session management: OAuth 2.0 authorization code flow with PKCE, SAML 2.0 federation, OpenID Connect, JWT security best practices, session fixation prevention, and multi-factor authentication integration.
  • Input validation and output encoding: server-side validation strategies, parameterized queries, context-aware output encoding (HTML, JavaScript, URL, CSS), DOM-based XSS prevention, and file upload security.
  • HTTP security headers and Content Security Policy: CSP directive configuration, HSTS deployment, X-Frame-Options, Referrer-Policy, Permissions-Policy, and browser security feature integration.
  • API security: REST API authentication and authorization, GraphQL query depth limiting and introspection control, rate limiting, input validation for API endpoints, and API gateway security configuration.
  • Web Application Firewall configuration: rule set management, custom rule creation, false positive tuning, bot management, DDoS protection integration, and WAF bypass detection.
  • Secure development lifecycle: threat modeling for web applications, secure code review practices, SAST and DAST integration in CI/CD, dependency vulnerability scanning, and security testing automation.

Not Covered

  • Offensive web application penetration testing techniques and exploit development, which are covered by GIAC GWAPT rather than by the defensive focus of GWEB.
  • General network security and infrastructure hardening outside the web application layer boundary.
  • Mobile application security testing and mobile-specific vulnerabilities outside the web application context.
  • Low-level protocol analysis and packet-level inspection that falls below the web application abstraction layer.
  • Cloud-specific security services and provider-native WAF implementations that are covered by cloud certification programs.

Official Exam Page

Learn more at GIAC Certifications


Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.