SecAppDev 2026 lecture details
An Updated Security Model of the Web
An up-to-date look at the browser security model, new browser features, and how mechanisms like the Sanitizer API, cookie prefixes, and script integrity help build more secure web applications.
Monday June 1st, 14:00 - 15:30
Room Lemaire
Abstract
Web security is messy, complicated, and under constant evolution. Often, you even start wondering why certain issues cannot be solved by the browser directly.
In this session, we investigate the security model of the web. We learn how browsers think about security, and how we can leverage that to build more secure applications. We explicitly focus on new browser features and how they can be used. Examples include the sanitization API, new cookie prefixes, as well as features focusing on script integrity. This session will give you an up-to-date understanding of browser security in the modern age.
Key takeaway
Understand how browsers think about security, and how to leverage modern browser features in your applications.
Content level
Deep-dive
Target audience
Developers, architects, and security engineers building modern web applications.
Prerequisites
Basic knowledge of web applications, browser behavior, and common web security concepts.
Join us for SecAppDev. You will not regret it!
Grab your seat now
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Related lectures
What's New in ASVS v5
Advanced lecture by Eden Sofia Yardeni in room West Wing
Tuesday June 2nd, 14:00 - 15:30
A practical session for security practitioners already familiar with ASVS, covering what changed in v5, how to apply it in code review, how it can be used alongside other AppSec tools, and common pitfalls / best practices.
Key takeaway: Coding standards are even more relevant in an age where LLMs are writing most code, making ASVS an increasingly useful resource.
The Art of Cross-site Leaks
Advanced lecture by Tom Van Goethem in room West Wing
Wednesday June 3rd, 14:00 - 15:30
XS-Leaks bypass the same-origin policy to infer sensitive user data via browser side-channels. Learn how these invisible attacks work, what browser vendors are doing, and the simple steps you can take to secure your applications.
Key takeaway: XS-Leaks bypass SOP through side channels and native browser features; learn how SameSite and Fetch Metadata help defend your apps.
Demystifying CSP for Modern Applications
Deep-dive lecture by Philippe De Ryck in room West Wing
Wednesday June 3rd, 09:00 - 10:30
CSP is often seen as complex and frustrating. This session explains why most policies fail, how to fix them, and how to apply CSP effectively in modern applications, including single page apps.
Key takeaway: Understand why CSP often fails and learn how to implement it correctly with practical, actionable guidance.