Skip to content


CS 484: Secure Web App Development

(3 CR undergraduate, 4 CR graduate)

I. Instructor & Course Details

Chris Kanich,
Drop-In Office Hours: 3-4pm Thursdays & Fridays
Drop-In Hours location: SEO 908 on Friday, Zoom on Thursday

Graduate TA: Saurav Joshi,
Drop-In Office Hours (in-person or virtual): TBD
Drop-In Hours location: TBD

Course Modality and Schedule: This course is taught in person, in BH 209, 3:00pm - 4:15pm Mondays and Wednesdays. Please bring your laptop for in-class activities.

Blackboard Course Site:



Course Announcements

Whenever possible, course information will be conveyed using this website. Course discussion will happen via Piazza. Course assignments and assignment grades will be collected and returned through Gradescope. We will use iClicker cloud for in-class participation. You are responsible for checking this website for the reading schedule and ensuring that you complete all assignments, and keeping up to date on Piazza for any corrections/clarifications regarding assignments or other important information.

Blackboard will not be used in this course besides to communicate final grades. For all technical questions about Blackboard, email the Learning Technology Solutions team at

Email Expectations

Students are responsible for all information instructors send to your UIC email. Faculty messages should be regularly monitored and read in a timely fashion.

Please use Piazza private messages shared with the instructors (not just the professor or TA by name) if you wish to communicate with us directly. Please only use email for something that explicitly should be kept private only to that person.

Please email me if you face an unexpected situation that may impede your attendance, participation in required class and exam sessions, or timely completion of assignments.

II. Course Information

Web applications integrate concepts from software engineering, systems programming, and computer security. THis course teaches security through web development, enabling students to design, deploy, scale, attack, and defend modern web applications.

Web applications are simultaneously one of the most widely used and widely attacked forms of deployed code. At the same time, the concepts of computer security are best taught within a relatable context so that students can immediately apply their knowledge to relevant situations. The unique challenges inherent in building secure web applications made available to billions of potential users and attackers requires understanding how to use and integrate concepts from software engineering, systems programming, and computer security. This course integrates the concepts that underlie designing, deploying, attacking, and defending web applications to provide students with a foundational understanding of how to design and deploy scalable and secure web applications.

This class will teach students the concepts and techniques that enable web applications to maintain high performance in the face of numerous users and attackers. Students will learn and be able to apply software engineering concepts to manage the complexity of client‐side and server‐side software. Students will learn and be able to apply computer systems concepts to manage the scalability of the web application, and provide performant service to large numbers of simultaneous users. Students will learn and be able to apply computer security concepts to designing a web application which is robust to known and unknown attacks. Students will gain familiarity and facility with modern tools which enable creating applications that apply the aforementioned design, performance, and security concepts. Students will learn and be able to apply fundamental security concepts so that they can evaluate the security of future application designs in the face of potential future attacks.


While this course doesn’t require mastery of specific content from previous courses, it does require the ability to pick up new programming concepts quickly. Thus, credit or concurrent registration in CS 341 is required, as JavaScript incorporates rather esoteric concepts like closures, functional programming, and quite a bit of event driven programming, and having seen these paradigms previously will be of great help. Learning new languages and new programming paradigms are common tasks in the life of a software engineer; learning how to apply your underlying ability to decompose and systematize a task using a new language will implicitly be part of your learning experience in this class.

Growth Mindset

Course materials and assignments can be complex and challenging, but they are crucial to your intellectual and personal growth and development. There are times you may need extra help. Students who attend class consistently, complete all assignments, thoughtfully engage with feedback on work, develop good study strategies, visit the tutoring center, and contact faculty when they are struggling can develop a thorough understanding of the course material and ultimately succeed in the course!

Course Goals and Learning Outcomes

CS 484 satisfies the technical elective requirement for the Computer Science major in the College of Engineering.

Brief list of topics to be covered: CS 484 covers the details of HTTP protocols and the web ecosystem, the design and implementation of server side web software, the design and implementation of client side web software, computer security and web security fundamentals, and the synthesis of all of these concepts into designing and implementing full fledged secure web applications.

Required and Recommended Course Materials: There is no required book for this course. Readings and videos will be assigned that are publicly available on the Internet.

Required Technology: You are required to have a device capable of running the iClicker cloud software (smartphone preferred), and a laptop for developing software as part of the course assignments, activities, and projects.

Respect for Copyright: Please protect the copyright integrity of all course materials and content. Please do not upload course materials not created by you onto third-party websites or share content with anyone not enrolled in our course.


This syllabus is intended to give the student guidance on what may be covered during the semester and will be followed as closely as possible. However, as the instructor, I reserve the right to modify, supplement, and make changes as course needs arise. I will communicate such changes in advance through in-class announcements and in writing via this website.


Generative AI

You will almost certainly be using GenAI (ChatGPT, GitHub Copilot, Grammarly, etc) in some way for the rest of your career. You are encouraged to use whatever GenAI tools you would like to complete the assignments and final project in this class.

While these tools are amazing, please do not use their existence as an excuse to procrastinate on getting started with your assignments. They are good, but they aren’t that good.

While you can use GenAI on your homeworks, using autocomplete and copy-paste until the tests pass is not acceptable. You must understand any code that you use. We reserve the right to review your submitted code with you, and if you cannot explain the code you submitted, it will be considered a violation of the academic integrity code equivalent to plagiarism (see below).

Please remember that in-class assessments (quizzes and exams) are a comparatively large portion of your grade, and you cannot use GenAI on them.

This policy is subject to change as we all learn more about how GenAI works and doesn’t work as part of learning college level course content.

Grading Policy and Point Breakdown

Grades are curved based on an aggregate course score. There are separate curves for graduate and undergraduate students. This means that the course score cut-offs for an A, B, C etc. are not defined ahead of time: these will be set after the end of the course.

The course grade weighting is:

Task% of total grade
Beginning of Class Quizzes10
Class Participation10
Final Project (5 pt checkpoint + 10 pt final deliverable)15
Module exams50

Final grade assignment

I am committed to making sure the assessment of your learning in this course is comprehensive, fair, and equitable. Your grade in this class will be based on the number of points you earn out of the total number of points possible and is not based on your rank relative to other students. Furthermore, grades are assigned without strict limits on the proportion of each letter grade given in the course. If the class mean is 75% or higher, letter grades will be based on a straight scale using the following thresholds for grade cut-offs: A range from 90-100%, B range from 80-89.9%, C range from 70-79.9%, D range from 60-69.9%, and F given to 59.9% or lower. If the class mean is lower than 75%, the scale will be adjusted to compensate (e.g. 89% may become an A).

Under no circumstances will grades be adjusted down. You can use this straight grading scale as an indicator of your minimum grade in the course at any time during the course. You should keep track of your own points so that at any time during the semester you may calculate your minimum grade based on the total number of points possible at that particular time. If and when, for any reason, you have concerns about your grade in the course, please email me to schedule a time for you to speak with me or your TA so that we can discuss study techniques or alternative strategies to help you.

Homework late policy

Every assignment in this course is due at exactly the time stated on Gradescope, and while we will grade late assignments, they earn zero credit.

Gradescope deadlines are precise - an assignment is late if it was turned in one millisecond or one month late.

Gradescope deadlines are universal - you must turn in your code, and it doesn’t matter whether you didn’t turn it in because it wasn’t compiling, or couldn’t upload it to git, or couldn’t upload it to gradescope. You can turn in homework assignments an unlimited number of times, so we recommend that you turn them in early and often.

Because these deadlines are so rigid, by default we will not include your lowest homework in your final grade for the class. The later assignments and exams in the course are more difficult than the earlier ones, and there is no exceptional late policy - we recommend that you do not use these unless you genuinely need to, so that they’re available if unexpected issues come up.

If your lowest module exam, homework, quiz, or participation grades are higher than your course average, we will include them in the calculation of your final grade. This means that your lowest scores can’t hurt your final grade, they can only help it, so it will always be worth it to complete every assignment unless you literally already have a 100% grade in the class.


Beginning of class quizzes

Quizzes based on a basic understanding of the assigned readings and videos will be given at the beginning of each class period using iClicker Cloud. Class participation credit will be given for answering a certain percentage of all questions asked each class period. Every student will have their four lowest quizzes dropped, and class participation will be graded out of 25 total classes (which means you can miss 4 classes and still receive 100% of quiz points).

Class Participation

Participation is an incredibly important facet of this course. The baseline Class Participation grade will be based off of participating in classroom discussion questions and answering questions via iClicker. (iClicker questions are graded for participation, not correctness.) However, extra credit points may be added for substantial contributions, entirely at the instructor’s discretion. Exceptional participation includes early reports of errors in assignments, helpful discussion, contribution of helpful code to the common good of the class (e.g. test cases and/or testing scripts) and thoughtful discussions during lecture.


There are six homeworks planned for the semester. They are meant to be exercises that introduce you to the practical implementation of the concepts covered in class. Homeworks are more for your own benefit than for earning large portions of your grade in the class (that’s why they’re a low portion of your overall grade). Each exam will very likely include questions that will rely on your full understanding of the previous homework assignments and their solutions.

Your lowest homework score is dropped from your final grade.

Module exams

This class uses a module exam structure instead of traditional midterms and finals. Rather than a small number of high-stakes exams, there are five different 50-minute exams evenly spaced through the course. They will focus on each of the five different themes presented in the course, and while they will not ask questions directly about previous modules, each module builds off of the last, and understanding the content from previous modules may be needed to answer questions on a subsequent exam.

We also drop your lowest module exam. The final module exam happens during the final exam slot for the course, so if you’re already happy with your grade at the end of week 15, taking the final can only improve your grade, not lower it.

Academic Integrity

Consulting with your classmates on assignments is encouraged, except where noted. However, turn-ins are individual, and copying code from your classmates is considered plagiarism. For example, given the question “how did you do X?”, a great response would be “I used function Y, with W as the second argument. I tried Z first, but it didn’t work”. An inappropriate response would be “here is my code, look for yourself”. You should never look at someone else’s code, or show someone else your code. Either of these actions are considered academic dishonesty (cheating) and will be prosecuted as such.

To avoid suspicion of plagiarism, you must specify your sources (including GenAI tools) together with all turned-in materials. List classmates and GenAI tools you discussed your homework with and webpages from which you got inspiration. Plagiarism and cheating, as in copying the work of others, paying others to do your work, etc, is obviously prohibited, and will be reported. We will be running MOSS, an automated plagiarism detection tool, on all hand-ins. We will be adding the solutions provided by ChatGPT and similar tools to the MOSS assignment set, and anyone turning in code they do not fully understand will be considered a violation of the academic integrity policy.

I report all suspected academic integrity violations to the dean of students. If it is your first time, the dean of students may provide the option to informally resolve the case - this means the student agrees that my description of what happened is accurate, and the only repercussions on an institutional level are that it is noted that this happened in your internal, UIC files (i.e. the dean of students can see that this happened, but no professors or other people can, and it is not in your transcript). If this is not your first academic integrity violation in any of your classes, a formal hearing is held and the dean of students decides on the institutional consequences. After multiple instances of academic integrity violations, students may be suspended or expelled. For all cases, the student has the option to go through a formal hearing if they believe that they did not actually violate the academic integrity policy. If the dean of students agrees that they did not, then I revert their grade back to the original grade, and the matter is resolved.

If you are found responsible for violating the academic integrity policy, the penalty can range from receiving a zero on the assignment in question, receiving a grade deduction, or receiving an F in the class, depending on the severity of the violation.

As a student and member of the UIC community, you are expected to adhere to the Community Standards of academic integrity, accountability, and respect. Please review the UIC Student Disciplinary Policy for additional information.


Please see the Course Schedule for a weekly schedule of topics and activities.


Disability Accommodation Procedures

UIC is committed to full inclusion and participation of people with disabilities in all aspects of university life. If you face or anticipate disability-related barriers while at UIC, please connect with the Disability Resource Center (DRC) at, via email at, or call (312) 413-2183 to create a plan for reasonable accommodations. To receive accommodations, you will need to disclose the disability to the DRC, complete an interactive registration process with the DRC, and provide me with a Letter of Accommodation (LOA). Upon receipt of an LOA, I will gladly work with you and the DRC to implement approved accommodations.

Religious Accommodations

Following campus policy, if you wish to observe religious holidays, you must notify me by the tenth day of the semester. If the religious holiday is observed on or before the tenth day of the semester, you must notify me at least five days before you will be absent. Please submit this form by email with the subject heading: “YOUR NAME: Requesting Religious Accommodation.”


Inclusive Community

UIC values diversity and inclusion. Regardless of age, disability, ethnicity, race, gender, gender identity, sexual orientation, socioeconomic status, geographic background, religion, political ideology, language, or culture, we expect all members of this class to contribute to a respectful, welcoming, and inclusive environment for every other member of our class. If aspects of this course result in barriers to your inclusion, engagement, accurate assessment, or achievement, please notify me as soon as possible.

Name and Pronoun Use

If your name does not match the name on my class roster, please let me know as soon as possible. My pronouns are [she/her; he/him; they/them]. I welcome your pronouns if you would like to share them with me. For more information about pronouns, see this page:

Community Agreement/Classroom Conduct Policy

  • Be present by removing yourself from distractions, whether they be phone notifications, entire devices, conversations, or anything else.
  • Be respectful of the learning space and community. For example, no side conversations or unnecessary disruptions.
  • Use preferred names and gender pronouns.
  • Assume goodwill in all interactions, even in disagreement.
  • Facilitate dialogue and value the free and safe exchange of ideas.
  • Try not to make assumptions, have an open mind, seek to understand, and not judge.
  • Approach discussion, challenges, and different perspectives as an opportunity to “think out loud,” learn something new, and understand the concepts or experiences that guide other people’s thinking.
  • Debate the concepts, not the person.
  • Be gracious and open to change when your ideas, arguments, or positions do not work or are proven wrong.
  • Be willing to work together and share helpful study strategies.
  • Be mindful of one another’s privacy, and do not invite outsiders into our classroom.

Furthermore, our class (in person and online) will follow the CS Code of Conduct. If you are not adhering to our course norms, a case of behavior misconduct will be submitted to the Dean of Students and to the Director of Undergraduate Studies in the department of Computer Science. If you are not adhering to our course norms, you will not get full credit for your work in this class. For extreme cases of violating the course norms, credit for the course will not be given.

Engaging with Course Content

Our classroom provides an open space for a critical and civil exchange of ideas, inclusive of a variety of perspectives and positions. Some readings and other content may expose you to ideas, subjects, or views that may challenge you, cause you discomfort, or recall past negative experiences or traumas. I intend to discuss all subjects with dignity and humanity, as well as with rigor and respect for scholarly inquiry. If you would like me to be aware of a specific topic of concern, please email or visit my Student Drop-In Hours.

Student Parents

I know well how exhausting balancing school, childcare, and work can be. I would like to help support you and accommodate your family’s needs, so please don’t keep me in the dark. I hope you will feel safe disclosing your student-parent status to me so that I can help you anticipate and solve problems in a way that makes you feel supported. Unforeseen disruptions in childcare often put parents in the position of having to choose between missing classes to stay home with a child or leaving them with a less desirable backup arrangement. While this is not meant to be a long-term childcare solution, occasionally bringing a child to class in order to cover gaps in care is perfectly acceptable If your baby or young child comes to class with you, please plan to sit close to the door so that you can step outside without disrupting learning for other students if your child needs special attention. Non-parents in the class, please reserve seats near the door for your parenting classmates or others who may need to step out briefly.

VII. RESOURCES: Academic Success, Wellness, and Safety

We all need the help and the support of our UIC community. Please visit my drop-in hours for course consultation and other academic or research topics. For additional assistance, please contact your assigned college advisor and visit the support services available to all UIC students.

Academic Success


  • Counseling Services : You may seek free and confidential services from the Counseling Center at

  • Access U&I Care Program for assistance with personal hardships.

  • Campus Advocacy Network : Under Title IX, you have the right to an education that is free from any form of gender-based violence or discrimination. To make a report, email For more information or confidential victim services and advocacy, visit UIC’s Campus Advocacy Network at