Authentication
The five common ways users prove they are who they claim to be โ passwords, OAuth, magic links, passkeys, SSO.
Authorization
After the login โ how the server keeps track of you (sessions vs JWTs) and decides what you're allowed to do (RBAC, ABAC, RLS).
Web security
The classes of attack that aren't about identity โ injection (XSS, SQLi, SSRF), forgery (CSRF), policy (CSP, CORS), and the modern supply-chain threats. The OWASP Top 10 in the language of a working web developer.
Security headers & checklist
The ship-it-safely hardening layer โ one checklist of the security response headers (HSTS, CSP, X-Content-Type-Options, frame-ancestors, Referrer-Policy, Permissions-Policy) and what each defends against, Subresource Integrity (SRI) for CDN scripts, and a traced walkthrough of debugging a real CORS error from the cryptic console message to the fix.