Web Application Vulnerabilities
CHAPTER 19

Real-World Web Security Projects

Updated: May 15, 2026

1. Introduction

Employers in the cybersecurity and software engineering industries do not hire based on theoretical knowledge alone; they hire based on demonstrated capability. To stand out, you must be able to prove that you can identify vulnerabilities and write the code required to fix them. In this chapter, we will outline five practical, portfolio-building projects. These projects are designed to demonstrate your mastery of secure coding, access control, and defense-in-depth architecture.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Build a secure authentication system from scratch.
  • Implement a hardened file upload processing service.
  • Develop a REST API secured by JSON Web Tokens and Rate Limiting.
  • Architect an administrative dashboard enforcing strict Role-Based Access Control.
  • Configure a web server with comprehensive security headers and logging.

3. Project 1: Secure PHP Authentication System (AppSec)

The Goal: Prove you understand password hashing, session management, and brute-force mitigation.

The Architecture:
  1. The Language: PHP with a MySQL database.
  2. The Workflow:
     • Build a Registration form. Hash the password using password_hash() (Bcrypt).
     • Build a Login form. Verify the hash.
     • Implement Rate Limiting: If a user fails to log in 5 times within 10 minutes, lock the account temporarily.
     • Session Security: Upon successful login, regenerate the session ID. Set the session cookie flags to Secure, HttpOnly, and SameSite=Lax.
  3. The Proof: Create a video showing the database storing Bcrypt hashes, and demonstrate the account lockout feature triggering after 5 failed login attempts.
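An added Python sketch of the Project 1 login flow (not code from the chapter, which targets PHP): the 5-failures-in-10-minutes lockout as a sliding window, a success clearing the counter, and a fresh session ID issued with the required cookie flags. PBKDF2-HMAC stands in for password_hash()'s bcrypt because Python's standard library has no bcrypt; the 15-minute lock duration and the in-memory dictionaries replacing MySQL are assumptions.

```python
import hashlib
import os
import secrets
import time

# Policy from the chapter: lock after 5 failed logins within 10 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 10 * 60
LOCKOUT_SECONDS = 15 * 60   # assumed length of the temporary lock

# In-memory stand-ins for the MySQL tables, keyed by username.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
FAILURES = {}       # username -> timestamps of recent failed attempts
LOCKED_UNTIL = {}   # username -> unix time at which the lock expires

def hash_password(password, salt=None):
    # PBKDF2-HMAC stands in for PHP's password_hash() bcrypt, which Python's stdlib lacks.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}   # only salt + hash are stored

def login(username, password, now=None):
    """Returns 'ok', 'bad_credentials' or 'locked'; 'now' is injectable for testing."""
    now = time.time() if now is None else now
    if LOCKED_UNTIL.get(username, 0) > now:
        return "locked"                     # refuse even a correct password while locked
    user = USERS.get(username)
    if user is not None:
        _, digest = hash_password(password, user["salt"])
        if secrets.compare_digest(digest, user["hash"]):
            FAILURES.pop(username, None)    # success clears the failure counter
            return "ok"
    # Sliding window: keep only failures from the last 10 minutes, then add this one.
    recent = [t for t in FAILURES.get(username, []) if now - t < WINDOW_SECONDS]
    recent.append(now)
    FAILURES[username] = recent
    if len(recent) >= MAX_FAILURES:
        LOCKED_UNTIL[username] = now + LOCKOUT_SECONDS
        return "locked"
    return "bad_credentials"

def new_session_cookie():
    """Fresh session ID for a just-logged-in user, plus the Set-Cookie value with the required flags."""
    session_id = secrets.token_urlsafe(32)
    return session_id, f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
```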

4. Project 2: Hardened File Upload Platform (Backend/DevOps)

The Goal: Prove you can prevent Remote Code Execution (RCE) via Web Shells.

The Architecture:
  1. The Application: A simple profile picture upload feature.
  2. The Defenses:
     • Validate the file extension (Allow-list: only .jpg, .png).
     • Validate the Magic Bytes using finfo (Do not rely on the MIME type header).
     • Discard the user's filename; generate a unique UUID for the new file.
     • Store the uploaded file in a directory located *outside* the public web root (e.g., /var/www/uploads instead of /var/www/html/uploads).
  3. The Proof: Document an attempt to upload a file named shell.php. Show the backend successfully rejecting it. Document an attempt to upload a valid image, showing it safely stored with a randomized filename.
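An added Python version of the Project 2 defenses (not the chapter's own code): extension allow-list, a magic-byte check on the content itself, a UUID filename, and a refusal to write anywhere under the web root. The sample image headers and PHP file are constructed, and scratch_dir() is a stand-in for /var/www/uploads so the demo runs on any machine.

```python
import os
import tempfile
import uuid

# Allow-list from the chapter: the extension AND the file's magic bytes must both match.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",          # JPEG start-of-image marker
    ".png": b"\x89PNG\r\n\x1a\n",     # PNG signature
}
WEB_ROOT = "/var/www/html"          # public web root (paths from the chapter)
UPLOAD_DIR = "/var/www/uploads"     # storage location, deliberately outside WEB_ROOT

# Constructed sample uploads: two minimal image headers and one PHP file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"

def check_upload(original_name, data):
    """Returns (allowed_extension, None) on success or (None, reason) when rejected."""
    ext = os.path.splitext(original_name.lower())[1]
    if ext not in ALLOWED:
        return None, f"extension not allowed: {ext or '(none)'}"
    # Inspect the bytes themselves (what PHP's finfo does); the client's MIME header is untrusted.
    if not data.startswith(ALLOWED[ext]):
        return None, f"content is not a {ext} image"
    return ext, None

def store_upload(original_name, data, upload_dir=UPLOAD_DIR):
    """Validates, then writes the file under a random UUID name; returns the stored path."""
    ext, reason = check_upload(original_name, data)
    if ext is None:
        raise ValueError(reason)
    new_name = f"{uuid.uuid4()}{ext}"        # the user's filename is discarded entirely
    dest = os.path.abspath(os.path.join(upload_dir, new_name))
    if dest.startswith(os.path.abspath(WEB_ROOT) + os.sep):
        raise ValueError("upload directory must sit outside the web root")
    os.makedirs(upload_dir, exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest

def scratch_dir():
    """Throwaway directory so the demo runs on a machine without /var/www."""
    return tempfile.mkdtemp(prefix="uploads-")
```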

5. Project 3: REST API with JWT Authentication (Backend)

The Goal: Prove you understand stateless authentication, API security, and BOLA prevention.

The Architecture:
  1. The Framework: Node.js (Express) or Python (Flask/FastAPI).
  2. The Workflow:
     • Create a /login endpoint that returns a signed JWT.
     • Create a /data endpoint. Implement middleware that verifies the JWT signature and expiration.
     • Prevent BOLA (IDOR): Ensure the /data/:id endpoint explicitly checks if the requested id belongs to the user_id encoded within the validated JWT.
  3. The Proof: Use Postman to demonstrate a successful API request with a valid Bearer token. Demonstrate a 403 Forbidden response when attempting to access another user's data (BOLA mitigation).
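An added example, not code from the chapter, of Project 3's three pieces in standard-library Python: issuing an HS256 JWT at /login, the verifying middleware (algorithm pinned, signature compared in constant time, then exp), and the /data/:id ownership check that turns a cross-user request into a 403. The signing key is a constructed placeholder, and the handler returns status codes instead of framework responses so it runs without Flask or FastAPI.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-replace-in-production"   # assumed server secret

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(user_id, ttl=900, now=None):
    """/login: after the password check, return an HS256 JWT whose 'sub' is the user's id."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token, now=None):
    """Middleware: return the claims, or None. Pins the algorithm, checks the signature, then 'exp'."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":   # refuses alg=none tokens
            return None
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims

def get_data(token, requested_id, now=None):
    """GET /data/:id handler, returning the HTTP status: 401 bad token, 403 BOLA, 200 ok."""
    claims = verify_jwt(token, now)
    if claims is None:
        return 401
    # BOLA/IDOR check: the id in the URL must equal the subject of the *validated* token,
    # never a user id taken from the request body or an unverified claim.
    if claims.get("sub") != requested_id:
        return 403
    return 200
```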

6. Project 4: Hardened Admin Dashboard (Architecture)

The Goal: Prove you understand Role-Based Access Control (RBAC) and Defense in Depth.

The Architecture:
  1. The Application: A dashboard with standard users and administrators.
  2. The Defenses:
     • Implement RBAC. Ensure standard users are met with a 403 Forbidden if they attempt to access admin.php.
     • Protect all state-changing forms (like "Delete User") with Anti-CSRF Tokens.
     • Ensure all user-supplied data displayed on the dashboard is passed through Context-Aware Output Encoding (htmlspecialchars) to prevent XSS.
  3. The Proof: Provide code snippets showing the explicit Role check at the top of the admin scripts, and demonstrate the Anti-CSRF token hidden within the HTML form structure.
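An added Python sketch of Project 4's three defenses (not the chapter's code, which assumes PHP): the role check that fronts every admin script, a per-session anti-CSRF token verified in constant time before any state change, and html.escape() in place of htmlspecialchars() for the name rendered into the form. Sessions are plain dicts standing in for $_SESSION, and the delete handler appends to a list instead of running the SQL.

```python
import hmac
import html
import secrets

DELETED_USERS = []   # stand-in for the DELETE query against the users table

def require_role(session, role):
    """Top-of-script check for admin.php-style pages: 401 if not logged in, 403 if wrong role."""
    if session.get("user_id") is None:
        return 401
    if session.get("role") != role:
        return 403
    return 200

def csrf_token(session):
    """Create (once per session) and return the anti-CSRF token embedded in every form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def csrf_valid(session, submitted):
    # Constant-time comparison of the hidden field against the server-side copy.
    if not isinstance(submitted, str) or "csrf" not in session:
        return False
    return hmac.compare_digest(session["csrf"].encode(), submitted.encode())

def render_delete_form(session, target_user_id, display_name):
    """The 'Delete User' form: hidden token plus the user-supplied name, HTML-encoded for this
    context (the equivalent of htmlspecialchars with ENT_QUOTES)."""
    return (
        '<form method="post" action="/admin/delete">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(csrf_token(session))}">'
        f'<input type="hidden" name="user_id" value="{int(target_user_id)}">'
        f'<button type="submit">Delete {html.escape(display_name)}</button>'
        "</form>"
    )

def handle_delete(session, form):
    """POST /admin/delete: role check, then CSRF check, and only then the state change."""
    status = require_role(session, "admin")
    if status != 200:
        return status
    if not csrf_valid(session, form.get("csrf_token")):
        return 403
    DELETED_USERS.append(int(form["user_id"]))
    return 200
```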

7. Project 5: Security Headers and Monitoring Setup (SysAdmin)

The Goal: Prove you understand server-level hardening and security logging.

The Architecture:
  1. The Server: Configure an Apache or Nginx web server.
  2. The Headers: Configure the server to globally apply HTTP Strict Transport Security (HSTS), X-Frame-Options (DENY), and X-Content-Type-Options (nosniff).
  3. The Logging: Configure the application to suppress verbose error messages from the browser, logging stack traces exclusively to a secure internal file (/var/log/app_errors.log).
  4. The Proof: Use a tool like curl -I or securityheaders.com to scan your server, screenshotting the "A" grade indicating the security headers are actively enforced.
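An added Python checker for the Project 5 proof step, not part of the chapter: it parses the header block that curl -I prints and grades the three headers the project configures, flagging a missing HSTS header, a max-age under one year, an X-Frame-Options value other than DENY, and a missing nosniff. Both response samples are constructed; substitute the captured output of your own server.

```python
# Constructed samples of `curl -I` output: a hardened server and an unhardened one.
HARDENED = """HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY
x-content-type-options: nosniff
"""
UNHARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"""
ONE_YEAR = 31536000   # the max-age commonly treated as the minimum for a meaningful HSTS policy

def parse_headers(raw):
    """Header names are case-insensitive, so normalise them to lowercase; skip the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value):
    """Extract max-age from an HSTS value; 0 when absent or malformed."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age=") and directive[8:].isdigit():
            return int(directive[8:])
    return 0

def audit_headers(headers):
    """Returns {header: None} when correct, or {header: problem}, for the three Project 5 headers."""
    findings = {}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings["strict-transport-security"] = "missing"
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings["strict-transport-security"] = f"max-age {hsts_max_age(hsts)} is below one year"
    else:
        findings["strict-transport-security"] = None
    xfo = headers.get("x-frame-options", "").upper()
    if xfo == "DENY":
        findings["x-frame-options"] = None
    else:
        findings["x-frame-options"] = "missing" if not xfo else f"{xfo} instead of DENY"
    xcto = headers.get("x-content-type-options", "").lower()
    findings["x-content-type-options"] = None if xcto == "nosniff" else "missing or not 'nosniff'"
    return findings
```

For the logging step of a PHP application, the matching php.ini settings are display_errors=Off, log_errors=On and error_log=/var/log/app_errors.log.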

8. How to Document Your Portfolio

A GitHub repository with a single script is not a portfolio. You must write detailed engineering documents (READMEs) for each project.
  • The "Why": Don't just paste code. Explain *why* you used Parameterized Queries instead of mysqli_real_escape_string().
  • The Threat Model: Briefly explain the attacks your project mitigates (e.g., "This project mitigates OWASP Top 10 A01: Broken Access Control by enforcing..."). This proves professional maturity to hiring managers.

9. Summary

In Chapter 19, we transitioned from academic theory to hands-on engineering. We mapped out five robust, professional-grade projects encompassing the core pillars of web application security: secure authentication and session management, rigorous file upload validation, stateless API authorization, strict RBAC, and server-level header configuration. By executing and meticulously documenting these projects, you transform abstract security concepts into tangible proof of capability, preparing yourself for the rigors of the cybersecurity job market.

10. Next Chapter Recommendation

Your skills are sharp, and your portfolio is built. It is time to secure the job. Proceed to the final chapter: Chapter 20: Web Security Interview Questions and Career Roadmap.
