Application Security
Hands-on labs and tooling for web security failures, API authorization, CSP, and secure-by-default builds.
Labs & Projects
- CSP Playground
A real iframe enforcing whatever Content-Security-Policy you paste, with every violation piped into a console mirror. Ten preset bypass scenarios — JSONP-on-allowlist, dangling-markup, 'strict-dynamic' without a nonce, eval, wildcards — plus a 12-rule paste-or-scan analyzer that exports to SARIF for GitHub Code Scanning.
- AuthZ Lab — IDOR / BOLA
OWASP API Security Top 10 #1 (API1:2023, Broken Object Level Authorization) made tangible. Pick a user, request someone else's order, and watch the naive endpoint hand it over while the hardened one returns 404 — not 403, because a 403 confirms that the object exists and turns the endpoint into an ID oracle. Plus an 8-rule pattern catalog with SARIF export.
- Labs
Six hands-on security playgrounds in one place: phishing-resistant identity, agent identity / RFC 8693 delegation, Content Security Policy, prompt injection, SSRF / cloud metadata, and IDOR / BOLA. Each lab pairs a working tool or simulator with the failure modes I've seen in production.
- Secure-by-default Next.js Starter
Next.js 15 template that boots with nonce-based CSP, the OWASP/CIS header set, rate limiting, Zod input validation, and an audit log helper. Aligned with NIST SP 800-218.
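The bypass classes the CSP Playground lists (JSONP hosts on the allowlist, 'strict-dynamic' without a nonce, eval, wildcards, and the missing directives that make dangling markup exploitable) are the kind of thing a paste-or-scan analyzer checks. The following is an added example written for this page, not the playground's own 12-rule analyzer: the rule ids, messages and the short JSONP host list are this example's illustrative choices, and a real analyzer would carry a maintained host list.

```javascript
// Added example (not the CSP Playground's code): a small CSP checker that flags the
// bypass classes named on this page. Rule ids and the JSONP_HOSTS list are illustrative.

// Illustrative hosts known to serve JSONP endpoints (e.g. www.google.com/complete/search?callback=).
const JSONP_HOSTS = ['www.google.com', '*.googleapis.com'];

// Parse "directive src src; directive src" into Map<name, string[]>.
// Per CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Host portion of a source expression ("https://cdn.example.com/x" -> "cdn.example.com").
// Quoted keywords, nonces and hashes have no host; scheme-only sources ("https:") yield the scheme.
function hostOf(source) {
  if (source.startsWith("'")) return null;
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split(/[/:]/)[0].toLowerCase();
}

// Returns the JSONP host pattern that an allowlist host overlaps with, or null.
function jsonpHostCovered(host) {
  for (const j of JSONP_HOSTS) {
    if (j === host) return j;
    if (j.startsWith('*.') && host.endsWith(j.slice(1))) return j;   // ajax.googleapis.com is under *.googleapis.com
    if (host.startsWith('*.') && j.endsWith(host.slice(1))) return j; // allowlisted *.google.com covers www.google.com
  }
  return null;
}

// Returns an array of { id, msg } findings for a policy string.
function analyzeCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const flag = (id, msg) => findings.push({ id, msg });

  // script-src falls back to default-src; with neither, script execution is unrestricted.
  const script = d.get('script-src') ?? d.get('default-src');
  if (!script) {
    flag('no-script-src', 'neither script-src nor default-src set: script execution is unrestricted');
  } else {
    const has = (kw) => script.includes(kw);
    const nonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (has("'unsafe-eval'")) flag('unsafe-eval', "'unsafe-eval' lets eval()/Function() run injected strings");
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it without one.
    if (has("'unsafe-inline'") && !nonceOrHash) flag('unsafe-inline', "'unsafe-inline' without nonce/hash: injected inline script executes");
    if (has("'strict-dynamic'") && !nonceOrHash) flag('strict-dynamic-no-nonce', "'strict-dynamic' needs a nonce or hash to trust any script at all");
    for (const s of script) {
      if (s === '*' || /^(https?|data|blob|filesystem):$/i.test(s)) flag('wildcard', `${s} allows scripts from any origin of that kind`);
      // Host allowlists are ignored under 'strict-dynamic', so JSONP hosts only matter without it.
      const host = has("'strict-dynamic'") ? null : hostOf(s);
      const j = host && jsonpHostCovered(host);
      if (j) flag('jsonp-host', `${s} overlaps known JSONP host ${j}: an attacker-chosen callback runs as script`);
    }
  }
  // object-src also falls back to default-src; anything but 'none' lets plugin content load.
  const obj = d.get('object-src') ?? d.get('default-src');
  if (!obj || !obj.includes("'none'")) flag('object-src', "object-src should be 'none'");
  // base-uri and form-action do not fall back to default-src, so missing means unrestricted.
  if (!d.has('base-uri')) flag('base-uri', 'base-uri unset: an injected <base> retargets relative script URLs');
  if (!d.has('form-action')) flag('form-action', 'form-action unset: dangling markup / an injected <form> can exfiltrate to any origin');
  return findings;
}
```

Feed it a pasted `Content-Security-Policy` header value; each finding carries a stable id that maps naturally onto a SARIF rule id if you want to export the results the way the playground does.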
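The AuthZ Lab contrast above, a naive order endpoint beside a hardened one that answers 404 for both "not yours" and "does not exist", is easiest to see in code. The following is an added example written for this page, not the lab's own handlers: it uses plain request objects and an in-memory order table (constructed sample data) instead of an HTTP framework so it runs offline, and assumes the authenticated user comes from a server-side session rather than from the request.

```javascript
// Added example (not the AuthZ Lab's code): naive vs hardened object lookup.
// ORDERS and the request objects below are constructed sample data.

const ORDERS = new Map([
  [1001, { id: 1001, owner: 'alice', total: 42.0, items: ['keyboard'] }],
  [1002, { id: 1002, owner: 'bob', total: 19.5, items: ['mouse'] }],
  [1003, { id: 1003, owner: 'alice', total: 7.25, items: ['cable'] }],
]);

// Request shape assumed here: req.session.user is set server-side after authentication,
// req.params.id is the path segment. The client never supplies the owner.
function parseOrderId(raw) {
  const n = Number(raw);
  return Number.isInteger(n) && n > 0 ? n : null;
}

function notFound() {
  return { status: 404, body: { error: 'not found' } };
}

// Naive: trusts the id alone, so any authenticated user can read any order (IDOR / BOLA).
function getOrderNaive(req) {
  const id = parseOrderId(req.params.id);
  const order = id === null ? undefined : ORDERS.get(id);
  return order ? { status: 200, body: order } : notFound();
}

// Equivalent of "SELECT ... WHERE id = ? AND owner = ?": the owner is part of the lookup,
// not a check bolted on after fetching the row.
function findOwnedOrder(id, owner) {
  const order = ORDERS.get(id);
  return order && order.owner === owner ? order : undefined;
}

// Hardened: authorization is folded into the query, and a foreign id gets exactly the
// response a nonexistent id gets. A 403 here would confirm the id is live.
function getOrderHardened(req) {
  if (!req.session || !req.session.user) return { status: 401, body: { error: 'unauthenticated' } };
  const id = parseOrderId(req.params.id);
  const order = id === null ? undefined : findOwnedOrder(id, req.session.user);
  return order ? { status: 200, body: order } : notFound();
}

// What an enumeration scan sees: the status for each id as the given user.
function probe(handler, user, ids) {
  return ids.map((id) => handler({ session: { user }, params: { id: String(id) } }).status);
}
```

Run `probe(getOrderNaive, 'bob', [1001, 1002, 1003])` and every id comes back 200 with another user's data; the hardened handler returns 404 for the two orders bob does not own, and the same 404 body for an id that was never issued, so a scanner cannot tell the two apart.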