Auto-generate TOC in HTML

david-a-wheeler · david-a-wheeler · commit 45cf10d5194e · 2025-06-13T16:07:47.000-04:00
Signed-off-by: David A. Wheeler &lt;dwheeler@dwheeler.com&gt;
diff --git a/docs/lfd121.md b/docs/lfd121.md
@@ -184,7 +184,7 @@ Dr. David A. Wheeler is an expert in developing secure software and in open sour
 
 # Table of contents
 
-[[TOC]]
+{:toc}
 
 # Part I: Requirements, Design, and Reuse
 
@@ -6723,294 +6723,3 @@ The LF education team needs:
 3. final exam for each of the 3 courses: 15 questions, preferably multiple choice, different than the ones in the end of chapter quizzes.
 
 Items 2 and 3 are covered in a separate file, to protect their confidentiality.
-
-# Part I: Requirements, Design, and Reuse
-
-# Course Introduction
-
-## Introduction
-
-## A Note from the Author
-
-## Motivation
-
-### Motivation: Why Is It Important to Secure Software?
-
-### Motivation: Why Take This course?
-
-# Security Basics
-
-## What Do We Need?
-
-### What Does “Security” Mean?
-
-### Security Requirements
-
-### What Is Privacy and Why It Is Important
-
-### Privacy Requirements
-
-## How Can We Get There?
-
-### Risk Management
-
-### Development Processes / Defense-in-Breadth
-
-### Protect, Detect, Respond
-
-### Vulnerabilities
-
-# Design
-
-## Secure Design Basics
-
-### What Are Security Design Principles?
-
-### Widely-Recommended Secure Design Principles
-
-### Least Privilege
-
-### Complete Mediation (Non-Bypassability)
-
-### The Rest of the Saltzer & Schroeder Design Principles
-
-### Other Design Principles
-
-# Reusing External Software
-
-## Supply Chain
-
-### Basics of Reusing Software
-
-### Selecting (Evaluating) Open Source Software
-
-### Downloading and Installing Reusable Software
-
-### Updating Reused Software
-
-# Part II: Implementation
-
-# Basics of Implementation
-
-### Implementation Overview
-
-# Input Validation
-
-## Input Validation Basics
-
-### Input Validation Basics Introduction
-
-### How Do You Validate Input?
-
-## Input Validation: Numbers and Text
-
-### Input Validation: A Few Simple Data Types
-
-### Sidequest: Text, Unicode, and Locales
-
-### Validating Text
-
-### Introduction to Regular Expressions
-
-### Using Regular Expressions for Text Input Validation
-
-### Countering ReDoS Attacks on Regular Expressions
-
-## Input Validation: Beyond Numbers and Text
-
-### Insecure Deserialization
-
-### Input Data Structures (XML, HTML, CSV, JSON, & File Uploads)
-
-### Minimizing Attack Surface, Identification, Authentication, and Authorization
-
-### Search Paths and Environment Variables (including setuid/setgid Programs)
-
-### Special Inputs: Secure Defaults and Secure Startup
-
-## Consider Availability on All Inputs
-
-### Consider Availability on All Inputs Introduction
-
-# Processing Data Securely
-
-## Processing Data Securely: General Issues
-
-### Prefer Trusted Data. Treat Untrusted Data as Dangerous
-
-### Avoid Default & Hardcoded Credentials
-
-### Avoid Incorrect Conversion or Cast
-
-## Processing Data Securely: Undefined Behavior / Memory Safety
-
-### Countering Out-of-Bounds Reads and Writes (Buffer Overflow)
-
-### Double-free, Use-after-free, and Missing Release
-
-### Avoid Undefined Behavior
-
-## Processing Data Securely: Calculate Correctly
-
-### Avoid Integer Overflow, Wraparound, and Underflow
-
-# Calling Other Programs
-
-## Introduction to Securely Calling Programs
-
-### Introduction to Securely Calling Programs - The Basics
-
-## Calling Other Programs: Injection and Filenames
-
-### SQL Injection
-
-### OS Command (Shell) injection
-
-### Other Injection Attacks
-
-### Filenames (Including Path Traversal and Link Following)
-
-## Calling Other Programs: Other Issues
-
-### Call APIs for Programs and Check What Is Returned
-
-### Handling Errors
-
-### Logging
-
-### Debug and Assertion Code
-
-### Countering Denial-of-Service (DoS) Attacks
-
-# Sending Output
-
-### Introduction to Sending Output
-
-### Countering Cross-Site Scripting (XSS)
-
-### Content Security Policy (CSP)
-
-### Other HTTP Hardening Headers
-
-### Cookies & Login Sessions
-
-### CSRF / XSRF
-
-### Open Redirects and Forwards
-
-### HTML **target** and JavaScript **window.open()**
-
-### Using Inadequately Checked URLs / Server-Side Request Forgery (SSRF)
-
-### Same-Origin Policy and Cross-Origin Resource Sharing (CORS)
-
-### Format Strings and Templates
-
-### Minimize Feedback / Information Exposure
-
-### Avoid caching sensitive information
-
-### Side-Channel Attacks
-
-# Part III: Verification and More Specialized Topics
-
-# Verification
-
-## Basics of Verification
-
-### Verification Overview
-
-## Static Analysis
-
-### Static Analysis Overview
-
-### Software Composition Analysis (SCA)/Dependency Analysis
-
-## Dynamic Analysis
-
-### Dynamic Analysis Overview
-
-### Fuzz Testing
-
-### Web Application Scanners
-
-## Other Verification Topics
-
-### Combining Verification Approaches
-
-# Threat Modeling
-
-## Threat Modeling/Attack Modeling
-
-### Introduction to Threat Modeling
-
-### STRIDE
-
-# Cryptography
-
-## Applying Cryptography
-
-### Introduction to Cryptography
-
-### Symmetric/Shared Key Encryption Algorithms
-
-### Cryptographic Hashes (Digital Fingerprints)
-
-### Public-Key (Asymmetric) Cryptography
-
-### Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)
-
-### Storing Passwords
-
-### Transport Layer Security (TLS)
-
-### Other Topics in Cryptography
-
-# Other Topics
-
-## Vulnerability Disclosures
-
-### Receiving Vulnerability Reports
-
-### Respond To and Fix the Vulnerability in a Timely Way
-
-### Sending Vulnerability Reports to Others
-
-## Miscellaneous
-
-### Assurance Cases
-
-### Harden the Development Environment (Including Build and CI/CD Pipeline) & Distribution Environment
-
-### Distributing, Fielding/Deploying, Operations, and Disposal
-
-### Artificial Intelligence (AI), Machine Learning (ML), and Security
-
-### Formal Methods
-
-## Top Vulnerability Lists
-
-### OWASP Top 10
-
-### CWE Top 25
-
-## Concluding Notes
-
-### Conclusions
-
-# Part IV: Supporting Materials Not Part of the Course
-
-# Glossary
-
-# Further Reading
-
-# Old Mappings
-
-## OWASP Top 10 and CWE Top 25
-
-### OWASP Top 10 (2017 edition)
-
-### CWE Top 25 (2019 edition)
-
-# References
-
