I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why. (more about me, contact)

My trainings

And this is what they say about them: Originally, I've arranged Michal's training primarily for my colleagues because "of course I already know these things"... Michal has changed my mind in the first hour of the first day and continued to do so for the whole two days. Thanks to this training I finally understood some of the attack/defense concepts in full depth, and especially in the right context. — Jan Pospíšil, Senior PHP developer, Czech Radio

Public trainings

Come to my public trainings, everybody's welcome:

Trainings in Prague (or remote) are held regularly in the middle of March, June, September, and December, in other cities irregularly.

In-house trainings

Any public training can also be turned into an in-house training. As an extra, I offer these in-house-only courses:

Looking for Introduction to PHP, Classes and objects in PHP? I've handed them over to Martin Hujer. I've discontinued Web application performance, Martin Michálek runs a similar training.

My articles

Validity period of HTTPS certificates issued from a user-added CA is essentially 2 years
August 18, 2023

Since 2020, maximum lifetime of HTTPS certificates is limited to 1 year, exactly 398 days. I've previously written about the history and the reasons behind the change. But the reduced lifetime applies only to certificates issued from a public certification authority (CA) added to the operating system's or the browser's trusted root store by the vendor.

(read more…)

Overriding HTTP response headers in Chrome
May 4, 2023

Starting with Chrome 113, you can override HTTP response headers, or add a new one. This is handy as you can override e.g. some security headers for testing. The HTTP response header override will be applied before things like CSP are processed so you can modify the Content Security Policy for the page for example.

(read more…)

Check vulnerable packages with composer audit
January 25, 2023

When a security vulnerability is discovered in one of the PHP libraries you use, there are several options how you can learn about the bug before it's too late. I've written about PHP Security Advisories Database in one of my previous posts and how you can use it with Roave Security Advisories and a few other ways. However all of them require an extra package or a tool.

(read more…)

All articles

My talks


Upcoming talks

…at your event or conference, let me know!


DOM XSS and Trusted Types
May 11, 2023, OWASP Czech Chapter Meeting (60 minutes)

Co zajímá Špačka na nových verzích PHP? Czech
October 6, 2022, 51. sraz přátel PHP v Praze v CareCloudu (15 minutes)

Každej den je pátek, dejte mi od deployování svátek Czech
June 3, 2022, PHP live 2022 (40 minutes)

Jak princezna finálně zatočila s (DOM) XSS Czech
February 17, 2022, JSDays 2022 (60 minutes)

HTTPS není jen ten zámeček Czech
November 25, 2021, Webinář Asociace pro elektronickou komerci (APEK) (240 minutes)

All talks

Me answering questions

Michal Špaček: Před připojováním na veřejné Wi-Fi sítě už nevaruju
September 5, 2022, Lupa.cz

O temné straně UX designu
March 1, 2022, BlueGhost Update

Bezpečnost na internetu
February 2, 2021, Jak na sítě

Grading How Companies (In)Securely Store Passwords
August 1, 2019, All Things Auth Podcast

Engage in Continual Learning to Advance your IT Career
May 3, 2019, IT Career Energizer

All interviews