Workshop: API Security Workshop with Dr. Philippe De Ryck (Online, Advanced)

Online Workshop for Building Secure Backends

Learn to Protect Your Critical APIs!

Proven Interactive Workshop with Labs and Discussions

Building secure APIs and microservices is hard, really hard. Not only do you have to make the right architectural security decisions, you also have to be aware of various implementation vulnerabilities to ensure the security of your applications. This workshop provides API developers with the necessary knowledge to assess and improve the security of their APIs.


With a mix of lectures, demos, quizzes, and hands-on labs, participants discover best practices for building secure APIs. We investigate various techniques to implement authentication and authorization, along with their trade-offs and pitfalls. We dive deep into handling JSON Web Tokens, but also discuss the relevance of browser security features such as Cross-Origin Resource Sharing. Additionally, we discuss current best practices for securing an API with OAuth 2.0.


This workshop offers practical and immediately applicable security advice for API developers. Throughout the workshop, Philippe is available to answer any questions, including concrete scenarios applying to your own applications.

Didactic approach


This workshop is not just any workshop. It is packed with in-depth and up-to-date content. We do not merely skim over a threat and its defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the workshop.


The workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs. The lectures provide in-depth knowledge of attacks and defenses. The hands-on labs are conducted in a custom-built competitive training environment, allowing participants to gain hands-on experience with offensive and defensive technologies.


Code examples and demos often use Node.js and Spring Boot, but are easy to translate to other languages and frameworks.



  • Familiarity with building or designing API-based applications
  • Familiarity with the basics of security is helpful, but not required
  • An understanding of OAuth 2.0 and OpenID Connect (this free introduction course is the perfect starting point:
  • Access to a computer with a modern browser (Chrome is recommended)



      • Completely online – no travel required!
      • Interactive: ask questions and participate in discussions
      • True understanding of problems, solutions, and their trade-offs
      • Relevant for all API architects and developers
      • High-quality course materials to use as a reference
      • Lots of demos and lab sessions
      • Labs remain accessible after the workshop

The training at a glance


  • The security model of APIs
  • Foundational API security principles
  • Configuring API security headers

API authentication and authorization

  • Basic API authentication techniques
  • Advanced API authentication
  • Common API authorization failures
  • Enforcing API authorization
  • API authorization best practices

The nonsense of "cookies vs tokens"

  • Managing user state in REST APIs
  • The good, the bad, and the ugly parts of cookies
  • Understanding Cross-Origin Resource Sharing (CORS)
  • Trade-offs and best practices

JSON Web Token security

  • Understanding the security features of JWTs
  • Practical JWT use cases
  • Common JWT security pitfalls
  • Token management challenges
  • Solving key management for JWTs
  • JWT security best practices

Securing APIs with OAuth 2.0

  • Access token types
  • Making authorization decisions with access tokens
  • Effectively using scopes and permissions
  • Outlook to OAuth 2.1

Public Workshops

Always: by arrangement

All of our seminars are always available remotely or in-house. Contact us to make an appointment.

Remote or In-House

  • 24.08 to 26.08, Trainer: Manfred Steyer, GDE and Michael Zikes
  • 30.08 to 01.09, Trainer: Manfred Steyer, GDE
  • 28.10 to 29.10, Trainer: Rainer Hahnekamp
  • 23.11 to 25.11, Trainer: Manfred Steyer, GDE and Michael Zikes
  • 06.12 to 07.12, Trainer: Rainer Hahnekamp



"The trainer has incredible knowledge of Angular and beyond and explains very understandably."

Participant in June 2019, Vienna

Only One Step Away!

Send us your inquiry today, we will be glad to help!

Inquire now!