app.meridian.example is the internet-facing crown jewel, and this is the chapter where the intruder tries hardest. Each topic takes one OWASP-class flaw, shows it exploited against the app in the Meridian lab, then builds the fix in Sam's code. It assumes HTTP and TLS from earlier and goes straight at the application layer.
8 topics
Almost every web vulnerability has one root cause: the application trusts something it should not — input from the browser, an ID in a URL, a token's own claims. This chapter is eight instances of that single idea, each a named OWASP category, each shown as an exploit against app.meridian.example and then closed in Sam's code. Where Chapter 5 was the attacker reaching the app, this is the attacker inside it.
The four defenses recur on every page: validate input, encode output, authenticate every request, and authorize every object. The chapter ends by assembling all eight flaws into the OWASP Top 10 — the map you can carry to any web application, including the parts not deep-dived here.
Most web flaws are one idea — the app trusts what it should not