The embodiment of all webappsec knowledge is contained in @jeremiahg's blog. No matter how esoteric the question, the answer is there.