Dagstuhl Seminar 26291
Web Application Security
(Jul 12 – Jul 15, 2026)
Organizers
- Martin Johns (TU Braunschweig, DE)
- Giancarlo Pellegrino (CISPA - Saarbrücken, DE)
- John Wilander (Apple - Cupertino, US)
Contact
- Michael Gerke (for scientific matters)
- Jutka Gasiorowski (for administrative matters)
The Web started as a loosely designed, fragile system but has since evolved into critical infrastructure supporting applications far beyond its original client-server model. This transformation has been driven by the relentless demand for more functionality, leading to the introduction of JavaScript, advanced APIs like WebRTC and service workers, and faster network protocols like HTTP/3.
Yet, security was never part of the Web’s original design. Over time, the ecosystem has adapted to evolving threats, phasing out insecure connections, introducing same-origin policies, browser sandboxing, site isolation, and passwordless authentication. Cross-site tracking and fingerprinting emerged as threats, and both browsers and web standards had to change to defend user privacy. Efforts like the deprecation of third-party cookies and secure-by-default browsing signals show how security and privacy continue to evolve in the Web platform.
The Web isn’t slowing down. The push for new business and user-facing features, such as extended reality APIs, trusted computing elements, and even generative AI-powered browsing agents, raises new security and privacy challenges. How do we ensure security at the pace of innovation? What lessons from past security mechanisms should guide the Web’s future? These are the questions we seek to explore.
Unlike other platforms, the Web’s security and privacy landscape emerges from a decentralized, multi-stakeholder ecosystem. Browser vendors, academic researchers, industry practitioners, and standards bodies each contribute independently, yet their collaboration is crucial. The Web Application Security Dagstuhl Seminar aims to bring together these communities to assess what has worked, what has failed, and what must come next.
For the 2026 edition, we will focus on two key areas:
- Security and privacy of the Web platform: How is the Web platform changing, and what challenges lie ahead? What concerns are raised by new paradigm shifts fueled by new technology? We will assess the current state of security and privacy of the Web platform, and anticipate future challenges.
- Observing, measuring, and acting on security and privacy threats: Effective security and privacy require continuous observation, yet monitoring the Web at scale presents significant challenges. We will discuss the state of measurements, the limitations of current monitoring efforts, and the obstacles in detecting and mitigating threats. How do we improve visibility into Web security risks? What tools, methodologies, and policies can help bridge the gap between detection and meaningful action?

Classification
- Cryptography and Security
- Networking and Internet Architecture
Keywords
- web
- security
- privacy
- internet
- browsers