diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d20621aed..346f83f96 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,7 +26,7 @@ jobs:
                     distribution: 'temurin'
                     java-version: '21'
             -   name: Pre-commit checks
-                uses: pre-commit/action@v3.0.0
+                uses: pre-commit/action@v3.0.1
             -   name: pre-commit-ci-lite
                 uses: pre-commit-ci/lite-action@v1.1.0
                 if: always()
diff --git a/pom.xml b/pom.xml
index 48d95ff3f..2b4e67f72 100644
--- a/pom.xml
+++ b/pom.xml
@@ -93,7 +93,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
-    <waittimeForServerStart>30</waittimeForServerStart>
+    <waittimeForServerStart>60</waittimeForServerStart>
     <webdriver.version>5.9.2</webdriver.version>
     <webgoat.context>/</webgoat.context>
     <webgoat.sslenabled>false</webgoat.sslenabled>
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
index b7945cb83..4272b79ca 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
@@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-@RequestMapping("/JWT/jku")
+@RequestMapping("/JWT/")
 @RestController
 @AssignmentHints({
   "jwt-jku-hint1",
@@ -30,7 +30,7 @@ import org.springframework.web.bind.annotation.RestController;
 })
 public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
 
-  @PostMapping("/follow/{user}")
+  @PostMapping("jku/follow/{user}")
   public @ResponseBody String follow(@PathVariable("user") String user) {
     if ("Jerry".equals(user)) {
       return "Following yourself seems redundant";
@@ -39,7 +39,7 @@ public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
     }
   }
 
-  @PostMapping("/delete")
+  @PostMapping("jku/delete")
   public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
     if (StringUtils.isEmpty(token)) {
       return failed(this).feedback("jwt-invalid-token").build();
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
index 237c0195d..56b88c9f4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
@@ -52,7 +52,7 @@ import org.springframework.web.bind.annotation.RestController;
   "jwt-kid-hint5",
   "jwt-kid-hint6"
 })
-@RequestMapping("/JWT/kid")
+@RequestMapping("/JWT/")
 public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
 
   private final LessonDataSource dataSource;
@@ -61,7 +61,7 @@ public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
     this.dataSource = dataSource;
   }
 
-  @PostMapping("/follow/{user}")
+  @PostMapping("kid/follow/{user}")
   public @ResponseBody String follow(@PathVariable("user") String user) {
     if ("Jerry".equals(user)) {
       return "Following yourself seems redundant";
@@ -70,7 +70,7 @@ public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
     }
   }
 
-  @PostMapping("/delete")
+  @PostMapping("kid/delete")
   public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
     if (StringUtils.isEmpty(token)) {
       return failed(this).feedback("jwt-invalid-token").build();
diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
index be1da20fd..eae7e4cfe 100644
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import static org.springframework.util.StringUtils.hasText;
+
 import com.google.common.collect.Maps;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -117,7 +119,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
       BindingResult bindingResult,
       @CurrentUsername String username) {
     ModelAndView modelAndView = new ModelAndView();
-    if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
+    if (!hasText(form.getPassword())) {
       bindingResult.rejectValue("password", "not.empty");
     }
     if (bindingResult.hasErrors()) {
diff --git a/src/main/resources/lessons/authbypass/html/AuthBypass.html b/src/main/resources/lessons/authbypass/html/AuthBypass.html
index 2fdeeb826..3fe332619 100644
--- a/src/main/resources/lessons/authbypass/html/AuthBypass.html
+++ b/src/main/resources/lessons/authbypass/html/AuthBypass.html
@@ -23,7 +23,7 @@
             <form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
                   method="POST" name="form"
                   successCallback="onBypassResponse"
-                  action="auth-bypass/verify-account">
+                  th:action="@{/auth-bypass/verify-account}">
                 <p>Verify Your Account by answering the questions below:</p>
 
                 <p>What is the name of your favorite teacher?</p>
@@ -43,7 +43,7 @@
             <form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
                   method="POST" name="form"
                   successCallback="onBypassResponse"
-                  action="auth-bypass/verify-account"
+                  th:action="@{/auth-bypass/verify-account}"
                   style="display:none"><!-- start off hidden -->
                 <p>Please provide a new password for your account</p>
 
diff --git a/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
index d1c8d3001..e947734e2 100755
--- a/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
+++ b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
@@ -18,7 +18,7 @@
         <div class="container-fluid">
             <form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
                   method="POST"
-                  action="BypassRestrictions/FieldRestrictions">
+                  th:action="@{/BypassRestrictions/FieldRestrictions}">
 
                 <div class="bypass-input-container"><b>Select field with two possible value</b>
                     <div class="input-group">
diff --git a/src/main/resources/lessons/challenges/html/Challenge1.html b/src/main/resources/lessons/challenges/html/Challenge1.html
index 9122f2337..03f5f05cf 100644
--- a/src/main/resources/lessons/challenges/html/Challenge1.html
+++ b/src/main/resources/lessons/challenges/html/Challenge1.html
@@ -17,7 +17,7 @@
                 <div class="panel-body">
                     <form class="attack-form" accept-charset="UNKNOWN"
                           method="POST" name="form"
-                          action="challenge/1"
+                          th:action="@{/challenge/1}"
                           style="width: 200px;">
 
                         <div class="form-group">
@@ -37,7 +37,7 @@
             </div>
         </div>
 
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/1">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/1}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
diff --git a/src/main/resources/lessons/challenges/html/Challenge5.html b/src/main/resources/lessons/challenges/html/Challenge5.html
index 05de9f8e9..07df7bf80 100644
--- a/src/main/resources/lessons/challenges/html/Challenge5.html
+++ b/src/main/resources/lessons/challenges/html/Challenge5.html
@@ -25,7 +25,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="challenge/5" role="form">
+                                          th:action="@{/challenge/5}" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
                                                    class="form-control" placeholder="Username" value=""/>
@@ -66,7 +66,7 @@
             </div>
         </div>
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/5">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/5}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
diff --git a/src/main/resources/lessons/challenges/html/Challenge6.html b/src/main/resources/lessons/challenges/html/Challenge6.html
index 7197ebd17..90966349a 100644
--- a/src/main/resources/lessons/challenges/html/Challenge6.html
+++ b/src/main/resources/lessons/challenges/html/Challenge6.html
@@ -29,7 +29,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="challenge/6" role="form">
+                                          th:action="@{/challenge/6}" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
                                                    class="form-control" placeholder="Username" value=""/>
@@ -64,7 +64,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          action="challenge/6" style="display: none;" role="form">
+                                          th:action="@{/challenge/6}" style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"
                                                    class="form-control" placeholder="Username" value=""/>
@@ -99,7 +99,7 @@
             </div>
         </div>
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/6">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/6}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
diff --git a/src/main/resources/lessons/challenges/html/Challenge7.html b/src/main/resources/lessons/challenges/html/Challenge7.html
index 8643cdb67..57c988fe4 100644
--- a/src/main/resources/lessons/challenges/html/Challenge7.html
+++ b/src/main/resources/lessons/challenges/html/Challenge7.html
@@ -28,7 +28,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
 
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="challenge/7" role="form">
+                                          th:action="@{/challenge/7}" role="form">
 
                                         <div class="form-group">
                                             <div class="input-group">
@@ -57,7 +57,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
             </div>
         </div>
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/7">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/7}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
diff --git a/src/main/resources/lessons/challenges/html/Challenge8.html b/src/main/resources/lessons/challenges/html/Challenge8.html
index 5c70d5f6f..5900024a7 100644
--- a/src/main/resources/lessons/challenges/html/Challenge8.html
+++ b/src/main/resources/lessons/challenges/html/Challenge8.html
@@ -231,7 +231,7 @@
         </div>
 
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/8">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/8}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
diff --git a/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
index 5052bcf6f..983ad1699 100644
--- a/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
+++ b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
@@ -24,7 +24,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="DOMFollowUp"
-              action="ChromeDevTools/dummy">
+              th:action="@{/ChromeDevTools/dummy}">
             <input name="successMessage" value="" type="TEXT" />
             <input name="submitMessage" value="Submit" type="SUBMIT"/>
         </form>
@@ -45,7 +45,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="ChromeDevTools/network">
+              th:action="@{/chromeDevTools/network}">
             <script>
                 // sample custom javascript in the recommended way ...
                 // a namespace has been assigned for it, but you can roll your own if you prefer
@@ -66,7 +66,7 @@
 
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="ChromeDevTools/network">
+              th:action="@{/chromeDevTools/network}">
             <table>
                 <tr>
                     <td>What is the number you found:   </td>
diff --git a/src/main/resources/lessons/cia/html/CIA.html b/src/main/resources/lessons/cia/html/CIA.html
index 23c3d7330..d52ef36c1 100644
--- a/src/main/resources/lessons/cia/html/CIA.html
+++ b/src/main/resources/lessons/cia/html/CIA.html
@@ -29,7 +29,7 @@
         <div class="container-fluid">
             <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
-                  action="cia/quiz" role="form">
+                  th:action="@{/cia/quiz}" role="form">
                 <div id="q_container"></div>
                 <br />
                 <input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
diff --git a/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
index 599140ca5..a4cb8964e 100644
--- a/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
+++ b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
@@ -14,7 +14,7 @@
         <input type="hidden" id="user_id" value="102"/>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
         <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form"
-              action="clientSideFiltering/attack1">
+              th:action="@{/clientSideFiltering/attack1}">
             <link rel="stylesheet" type="text/css"
                   th:href="@{/lesson_css/clientSideFiltering-stage1.css}"/>
             <script th:src="@{/lesson_js/clientSideFiltering.js}"
diff --git a/src/main/resources/lessons/cryptography/html/Cryptography.html b/src/main/resources/lessons/cryptography/html/Cryptography.html
index d00faf9c0..d5cd568e4 100644
--- a/src/main/resources/lessons/cryptography/html/Cryptography.html
+++ b/src/main/resources/lessons/cryptography/html/Cryptography.html
@@ -28,7 +28,7 @@ $(document).ready(initialise);
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			Now suppose you have intercepted the following header:<br/>
 			<div id="basicauthtoken" ></div><br/>
-			<form class="attack-form" method="POST" name="form"	action="crypto/encoding/basic-auth">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/encoding/basic-auth}">
 			Then what was the username
 			<input name="answer_user" value="" type="TEXT"/>
 			and what was the password:
@@ -45,7 +45,7 @@ $(document).ready(initialise);
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/encoding/xor">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/encoding/xor}">
 			Suppose you found the database password encoded as {xor}Oz4rPj0+LDovPiwsKDAtOw==<br/>
 			What would be the actual password
 			<input name="answer_pwd1" value="" type="TEXT"/><br/>
@@ -62,7 +62,7 @@ $(document).ready(initialise);
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/hashing">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/hashing}">
 			Which password belongs to this hash: <div id="md5token" ></div>
 			<input name="answer_pwd1" value="" type="TEXT"/><br/>
 			Which password belongs to this hash: <div id="sha256token" ></div>
@@ -87,7 +87,7 @@ $(document).ready(initialise);
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			Now suppose you have the following private key:<br/>
 			<pre><div id="privatekey" ></div></pre><br/>
-			<form class="attack-form" method="POST" name="form"	action="crypto/signing/verify">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/signing/verify}">
 			Then what was the modulus of the public key
 			<input name="modulus" value="" type="TEXT"/>
 			and now provide a signature for us based on that modulus
@@ -110,7 +110,7 @@ $(document).ready(initialise);
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/secure/defaults">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/secure/defaults}">
 			What is the unencrypted message<br/>
 			<input name="secretText" value="" type="TEXT"/><br/>
 			and what is the name of the file that stored the password <br/>
diff --git a/src/main/resources/lessons/csrf/html/CSRF.html b/src/main/resources/lessons/csrf/html/CSRF.html
index 268cc0809..7ad8c573d 100644
--- a/src/main/resources/lessons/csrf/html/CSRF.html
+++ b/src/main/resources/lessons/csrf/html/CSRF.html
@@ -17,7 +17,7 @@
           method="POST" name="form1"
           target="_blank"
           successCallback=""
-          action="csrf/basic-get-flag">
+          th:action="@{/csrf/basic-get-flag}">
         <input name="csrf" type="hidden" value="false"/>
         <input type="submit" name="submit"/>
 
@@ -35,7 +35,7 @@
         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
               method="POST" name="form2"
               successCallback=""
-              action="csrf/confirm-flag-1">
+              th:action="@{/csrf/confirm-flag-1}">
 
             Confirm Flag Value:
             <input type="text" length="6" name="confirmFlagVal" value=""/>
@@ -93,7 +93,7 @@
                             <form class="attack-form" accept-charset="UNKNOWN" id="csrf-review"
                                   method="POST" name="review-form"
                                   successCallback=""
-                                  action="csrf/review">
+                                  th:action="@{/csrf/review}">
                                 <input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review"
                                        type="text"/>
                                 <input class="form-control" id="reviewStars" name="stars" type="text"/>
@@ -146,7 +146,7 @@
                             <form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
                                   method="POST"
                                   prepareData="feedback"
-                                  action="csrf/feedback/message"
+                                  th:action="@{/csrf/feedback/message}"
                                   contentType="application/json">
                                 <div class="row">
                                     <div class="col-md-6">
@@ -212,7 +212,7 @@
         </div>
         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-feedback"
               method="POST" name="form2"
-              action="csrf/feedback">
+              th:action="@{/csrf/feedback}">
 
             Confirm Flag Value:
             <input type="text" length="6" name="confirmFlagVal" value=""/>
@@ -236,7 +236,7 @@
         </div>
         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-login"
               method="POST" name="form2"
-              action="csrf/login">
+              th:action="@{/csrf/login}">
 
             Press the button below when your are logged in as the other user<br/>
 
diff --git a/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
index ad0da3e88..39581c7e1 100755
--- a/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
+++ b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
@@ -25,7 +25,7 @@
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"
                   method="POST"
-                  action="InsecureDeserialization/task">
+                  th:action="@{/InsecureDeserialization/task}">
 
                 <input type="textarea" rows="4" cols="40" value="" name="token" placeholder="token"/>
                 <input type="submit" value="Submit" />
diff --git a/src/main/resources/lessons/hijacksession/templates/hijackform.html b/src/main/resources/lessons/hijacksession/templates/hijackform.html
index 5f6927593..b216ac280 100644
--- a/src/main/resources/lessons/hijacksession/templates/hijackform.html
+++ b/src/main/resources/lessons/hijacksession/templates/hijackform.html
@@ -1,7 +1,7 @@
 <div class="row">
 	<div class="col-md-4">
 		<form class="attack-form" accept-charset="UNKNOWN" method="POST"
-			action="HijackSession/login">
+			th:action="@{/HijackSession/login}">
 			<div style="padding: 20px;" id="password-login">
 				<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
 				<fieldset>
diff --git a/src/main/resources/lessons/htmltampering/html/HtmlTampering.html b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
index 4e51877f0..9e35efd38 100755
--- a/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
+++ b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
@@ -13,7 +13,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
               method="POST"
-              action="HtmlTampering/task">
+              th:action="@{/HtmlTampering/task}">
             <script>
                 var regex = /^2999.99$/;
                 var price = 2999.99;
diff --git a/src/main/resources/lessons/httpbasics/html/HttpBasics.html b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
index 7314d00ec..d30e1f9e2 100644
--- a/src/main/resources/lessons/httpbasics/html/HttpBasics.html
+++ b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
@@ -21,10 +21,10 @@
             <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 			<form class="attack-form" accept-charset="UNKNOWN"
 				method="POST" name="form"
-				action="HttpBasics/attack1">
+				th:action="@{/HttpBasics/attack1}">
 				<div id="lessonContent">
 					<form accept-charset="UNKNOWN" method="POST" name="form"
-						action="#attack/307/100">
+						th:action="@{/#attack/307/100}">
 						Enter Your Name: <input name="person" value="" type="TEXT"/><input
 							name="SUBMIT" value="Go!" type="SUBMIT"/>
 					</form>
@@ -51,7 +51,7 @@
                 <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 				<form class="attack-form" accept-charset="UNKNOWN"
 					method="POST" name="form"
-					action="HttpBasics/attack2">
+					th:action="@{/HttpBasics/attack2}">
 					<script>
 					    // sample custom javascript in the recommended way ...
 					    // a namespace has been assigned for it, but you can roll your own if you prefer
diff --git a/src/main/resources/lessons/httpproxies/html/HttpProxies.html b/src/main/resources/lessons/httpproxies/html/HttpProxies.html
index 0866a2ddc..8a839c665 100644
--- a/src/main/resources/lessons/httpproxies/html/HttpProxies.html
+++ b/src/main/resources/lessons/httpproxies/html/HttpProxies.html
@@ -24,7 +24,7 @@
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
                   method="POST"
-                  action="HttpProxies/intercept-request">
+                  th:action="@{/HttpProxies/intercept-request}">
 
                 <input type="text" value="doesn't matter really" name="changeMe" />
                 <input type="submit" value="Submit" />
diff --git a/src/main/resources/lessons/idor/html/IDOR.html b/src/main/resources/lessons/idor/html/IDOR.html
index 70675606e..dc56b6d48 100644
--- a/src/main/resources/lessons/idor/html/IDOR.html
+++ b/src/main/resources/lessons/idor/html/IDOR.html
@@ -22,7 +22,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="IDOR/login">
+              th:action="@{/IDOR/login}">
             <table>
                 <tr>
                     <td>user/pass</td>
@@ -57,7 +57,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN"
               method="GET" name="form"
-              action="IDOR/profile">
+              th:action="@{/IDOR/profile}">
             <script th:src="@{/lesson_js/idor.js}" />
 
             <input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();" />
@@ -80,7 +80,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form"
               method="POST" name="diff-form"
-              action="IDOR/diff-attributes">
+              th:action="@{/IDOR/diff-attributes}">
             <input name="attributes" type="text" />
             <input name="Submit Diffs" value="Submit Diffs" type="submit" />
         </form>
@@ -107,7 +107,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="IDOR/profile/alt-path">
+              th:action="@{/IDOR/profile/alt-path}">
             <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_inputAltPath.adoc}"></div>
             <input name="url" value="WebGoat/" type="text"/>
             <input name="submit" value="Submit" type="SUBMIT"/>
@@ -134,7 +134,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN" id="view-other"
               method="GET" name="view-other-profile"
-              action="IDOR/profile/{userId}">
+              th:action="@{/IDOR/profile/{userId}}">
             <script th:src="@{/lesson_js/idor.js}" />
 
             <input name="View Profile" value="View Profile" type="submit" />
@@ -158,7 +158,7 @@
         <!-- modify the action to point to the intended endpoint -->
         <form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
               method="GET" name="edit-other-profile"
-              action="IDOR/profile/{userId}">
+              th:action="@{/IDOR/profile/{userId}}">
             <script th:src="@{/lesson_js/idor.js}" />
 
             <input name="View Profile" value="View Profile" type="submit" />
diff --git a/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html b/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
index 42a30bbca..95ab72ce6 100755
--- a/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
+++ b/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
@@ -17,7 +17,7 @@
             <script th:src="@{/lesson_js/credentials.js}"></script>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"
                   method="POST"
-                  action="InsecureLogin/task">
+                  th:action="@{/InsecureLogin/task}">
 
                 <button onclick="javascript:submit_secret_credentials();return false;">Log in</button>
 
@@ -25,7 +25,7 @@
             <br></br>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"
                   method="POST"
-                  action="InsecureLogin/task">
+                  th:action="@{/InsecureLogin/task}">
 
                 <input type="text" value="" name="username" placeholder="username"/>
                 <input type="password" value="" name="password" placeholder="password" />
diff --git a/src/main/resources/lessons/jwt/html/JWT.html b/src/main/resources/lessons/jwt/html/JWT.html
index 0762c2a46..ad1b3db7d 100644
--- a/src/main/resources/lessons/jwt/html/JWT.html
+++ b/src/main/resources/lessons/jwt/html/JWT.html
@@ -17,7 +17,7 @@
     <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_decode.adoc}"></div>
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
-        <form id="decode" class="attack-form" method="POST" name="form" action="JWT/decode">
+        <form id="decode" class="attack-form" method="POST" name="form" th:action="@{/JWT/decode}">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <br>
             <div class="row">
@@ -53,7 +53,7 @@
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
               successCallback="jwtSigningCallback"
-              action="JWT/votings">
+              th:action="@{/JWT/votings}">
             <div class="container-fluid">
 
                 <div class="row">
@@ -124,7 +124,7 @@
         <div class="container-fluid">
             <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
-                  action="JWT/quiz"
+                  th:action="@{/JWT/quiz}"
                   role="form">
                 <div id="q_container"></div>
                 <br/>
@@ -155,7 +155,7 @@
 
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" method="POST" name="form" action="JWT/secret">
+        <form class="attack-form" method="POST" name="form" th:action="@{/JWT/secret}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
@@ -192,7 +192,7 @@
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
               additionalHeaders="addBearerToken"
-              action="JWT/refresh/checkout">
+              th:action="@{/JWT/refresh/checkout}">
             <div class="container-fluid">
                 <div class="row">
                     <div class="col-sm-12 col-md-10 col-md-offset-1">
@@ -314,12 +314,13 @@
     <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_claim_misuse_jku_assignment.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/jwt-jku.js}"></script>
+
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
-              action="JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_wOGlg-BYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ">
+              th:action="@{/JWT/jku/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.ewogICJpc3MiOiAiV2ViR29hdCBUb2tlbiBCdWlsZGVyIiwKICAiaWF0IjogMTUyNDIxMDkwNCwKICAiZXhwIjogMTYxODkwNTMwNCwKICAiYXVkIjogIndlYmdvYXQub3JnIiwKICAic3ViIjogImplcnJ5QHdlYmdvYXQuY29tIiwKICAidXNlcm5hbWUiOiAiSmVycnkiLAogICJFbWFpbCI6ICJqZXJyeUB3ZWJnb2F0LmNvbSIsCiAgIlJvbGUiOiBbCiAgICAiQ2F0IgogIF0KfQ.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_WOGlg-bYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ}">
             <div class="container-fluid">
                 <div id="toast"></div>
                 <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
@@ -380,12 +381,12 @@
     <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_claim_misuse_kid_assignment.adoc}"></div>
 
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/jwt-kid.js}"></script>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST"
-              action="JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8">
+              th:action="@{/JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.ewogICJpc3MiOiAiV2ViR29hdCBUb2tlbiBCdWlsZGVyIiwKICAiaWF0IjogMTUyNDIxMDkwNCwKICAiZXhwIjogMTYxODkwNTMwNCwKICAiYXVkIjogIndlYmdvYXQub3JnIiwKICAic3ViIjogImplcnJ5QHdlYmdvYXQuY29tIiwKICAidXNlcm5hbWUiOiAiSmVycnkiLAogICJFbWFpbCI6ICJqZXJyeUB3ZWJnb2F0LmNvbSIsCiAgIlJvbGUiOiBbCiAgICAiQ2F0IgogIF0KfQ.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8}">
             <div class="container-fluid">
                 <div id="toast"></div>
                 <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
@@ -421,7 +422,7 @@
                         <div class="card-footer">
                             <small>Last updated 12 days ago</small>
                             <button type="button" class="btn btn-info float-right btn-sm"
-                                    onclick="javascript:follow('Tom')">Follow
+                                    onclick="javascript:startFollowing('Tom')">Follow
                             </button>
                             <button class="btn btn-info float-right btn-sm">Delete</button>
                         </div>
diff --git a/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties b/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
index cb023f59f..709a1dd6a 100644
--- a/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
@@ -26,15 +26,15 @@ jwt-refresh-alg-none=Nicely found! You solved the assignment with 'alg: none' ca
 jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
 jwt-final-not-tom=Username is not Tom try to pass a token for Tom
 
-jwt-jku-hint1=Take a look at the token and specifically and the header
-jwt-jku-hint2=The 'jku' (key ID) header parameter is a hint indicating which key is used to verify the JWS
+jwt-jku-hint1=Take a look at the token and specifically at the headers
+jwt-jku-hint2=The 'jku' header parameter hints a URL pointing to a set of keys used by the server to sign the JWT.
 jwt-jku-hint3=Could you use WebWolf to host the public key as a JWKS?
 jwt-jku-hint4=Create a key pair and sign the token with the private key
-jwt-jku-hint5=Change the JKU header claim and point it to a URL which hosts the public key in JWKS format.
+jwt-jku-hint5=Change the JKU header claim and point it to a URL that hosts the public key in JWKS format.
 
-jwt-kid-hint1=Take a look at the token and specifically and the header
-jwt-kid-hint2=The 'kid' (key ID) header parameter is a hint indicating which key was used to secure the JWS
-jwt-kid-hint3=The key can be located on the filesystem in memory or even reside in the database
+jwt-kid-hint1=Take a look at the token and specifically at the headers
+jwt-kid-hint2=The 'kid' (key ID) header parameter hints at the key was used to secure the JWS
+jwt-kid-hint3=The key resides can for example, either in the filesystem in memory or the database.
 jwt-kid-hint4=The key is stored in the database and loaded while verifying a token
-jwt-kid-hint5=Using a SQL injection you might be able to manipulate the key to something you know and create a new token.
-jwt-kid-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header and change the contents of the token to Tom and hit the endpoint with the new token
+jwt-kid-hint5=Using an SQL injection, you might be able to manipulate the key to a known object and create a new token.
+jwt-kid-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header change the contents of the token to Tom and hit the endpoint with the new token
diff --git a/src/main/resources/lessons/jwt/js/jwt-final.js b/src/main/resources/lessons/jwt/js/jwt-jku.js
similarity index 77%
rename from src/main/resources/lessons/jwt/js/jwt-final.js
rename to src/main/resources/lessons/jwt/js/jwt-jku.js
index 79e534cbf..5ae821c7e 100644
--- a/src/main/resources/lessons/jwt/js/jwt-final.js
+++ b/src/main/resources/lessons/jwt/js/jwt-jku.js
@@ -1,7 +1,7 @@
 function follow(user) {
     $.ajax({
         type: 'POST',
-        url: 'JWT/final/follow/' + user
+        url: 'JWT/kid/follow/' + user
     }).then(function (result) {
         $("#toast").append(result);
     })
diff --git a/src/main/resources/lessons/jwt/js/jwt-kid.js b/src/main/resources/lessons/jwt/js/jwt-kid.js
new file mode 100644
index 000000000..617dc5e76
--- /dev/null
+++ b/src/main/resources/lessons/jwt/js/jwt-kid.js
@@ -0,0 +1,8 @@
+function startFollowing(user) {
+    $.ajax({
+        type: 'POST',
+        url: 'JWT/kid/follow/' + user
+    }).then(function (result) {
+        $("#toast").append(result);
+    })
+}
diff --git a/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html b/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
index 47969e65b..dfba85a28 100644
--- a/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
+++ b/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
@@ -47,7 +47,7 @@
             <!-- modify the action to point to the intended endpoint and set other attributes as desired -->
             <form class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
-                  action="lesson-template/sample-attack">
+                  th:action="@{/lesson-template/sample-attack}">
                 <table>
                     <tr>
                         <td>two random params</td>
diff --git a/src/main/resources/lessons/logging/html/LogSpoofing.html b/src/main/resources/lessons/logging/html/LogSpoofing.html
index 9c50594ff..8ed1f1a9c 100755
--- a/src/main/resources/lessons/logging/html/LogSpoofing.html
+++ b/src/main/resources/lessons/logging/html/LogSpoofing.html
@@ -16,7 +16,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" name="task"
               method="POST"
-              action="LogSpoofing/log-spoofing">
+              th:action="@{/LogSpoofing/log-spoofing}">
 
             <input type="text" value="" name="username" placeholder="username"/>
             <input type="password" value="" name="password" placeholder="password"/>
@@ -38,7 +38,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" name="task"
               method="POST"
-              action="LogSpoofing/log-bleeding">
+              th:action="@{/LogSpoofing/log-bleeding}">
 
             <input type="text" value="" name="username" placeholder="username"/>
             <input type="password" value="" name="password" placeholder="password"/>
diff --git a/src/main/resources/lessons/missingac/html/MissingFunctionAC.html b/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
index 967f034da..73b49b992 100644
--- a/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
+++ b/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
@@ -52,7 +52,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="access-control/hidden-menu">
+              th:action="@{/access-control/hidden-menu}">
 
             <p>Hidden item 1 <input name="hiddenMenu1" value="" type="TEXT"/></p>
             <p>Hidden item 2 <input name="hiddenMenu2" value="" type="TEXT"/></p>
@@ -75,7 +75,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="access-control/user-hash">
+              th:action="@{/access-control/user-hash}">
 
             <p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
             <br/>
@@ -97,7 +97,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="access-control/user-hash-fix">
+              th:action="@{/access-control/user-hash-fix}">
 
             <p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
             <br/>
diff --git a/src/main/resources/lessons/passwordreset/html/PasswordReset.html b/src/main/resources/lessons/passwordreset/html/PasswordReset.html
index 6424d3ff7..bdfa2b6c9 100644
--- a/src/main/resources/lessons/passwordreset/html/PasswordReset.html
+++ b/src/main/resources/lessons/passwordreset/html/PasswordReset.html
@@ -23,7 +23,7 @@
 
                     <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
                           method="POST"
-                          action="PasswordReset/simple-mail/reset">
+                          th:action="@{/PasswordReset/simple-mail/reset}">
                         <div style="display: none;" id="password-reset-2">
                             <h4 class="">Forgot your password?</h4>
 
@@ -47,7 +47,7 @@
                     </form>
                     <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
                           method="POST"
-                          action="PasswordReset/simple-mail">
+                          th:action="@{/PasswordReset/simple-mail}">
                         <div style="padding: 20px;" id="password-login-2">
                             <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i>
                                 Account
diff --git a/src/main/resources/lessons/passwordreset/templates/password_reset.html b/src/main/resources/lessons/passwordreset/templates/password_reset.html
index a5c3647b7..f620879a5 100644
--- a/src/main/resources/lessons/passwordreset/templates/password_reset.html
+++ b/src/main/resources/lessons/passwordreset/templates/password_reset.html
@@ -9,7 +9,7 @@
 <div class="container">
     <div class="row">
         <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
-            <form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
+            <form role="form" method="POST" th:action="@{/PasswordReset/reset/change-password}" th:object="${form}" novalidate="novalidate">
                 <h2 class="sign_up_title">Reset your password</h2>
                     <div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
                         <input type="hidden" name="resetLink" th:field="*{resetLink}" />
diff --git a/src/main/resources/lessons/pathtraversal/html/PathTraversal.html b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
index 4d9f0e2f1..0dbd357e4 100644
--- a/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
+++ b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
@@ -22,7 +22,7 @@
                   informationalCallback="profileUploadCallback"
                   prepareData="profileUpload"
                   enctype="multipart/form-data"
-                  action="PathTraversal/profile-upload">
+                  th:action="@{/PathTraversal/profile-upload}">
                 <div class="preview text-center">
                     <img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
                          height="200" id="preview"/>
@@ -76,7 +76,7 @@
                   informationalCallback="profileUploadCallbackFix"
                   prepareData="profileUploadFix"
                   enctype="multipart/form-data"
-                  action="PathTraversal/profile-upload-fix">
+                  th:action="@{/PathTraversal/profile-upload-fix}">
                 <div class="preview text-center">
                     <img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
                          height="200" id="previewFix"/>
@@ -131,7 +131,7 @@
                   informationalCallback="profileUploadCallbackRemoveUserInput"
                   prepareData="profileUploadRemoveUserInput"
                   enctype="multipart/form-data"
-                  action="PathTraversal/profile-upload-remove-user-input">
+                  th:action="@{/PathTraversal/profile-upload-remove-user-input}">
                 <div class="preview text-center">
                     <img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
                          height="200" id="previewRemoveUserInput"/>
diff --git a/src/main/resources/lessons/securepasswords/html/SecurePasswords.html b/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
index adc3869cc..1e09d31d1 100644
--- a/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
+++ b/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
@@ -20,7 +20,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SecurePasswords/assignment"
+              th:action="@{/SecurePasswords/assignment}"
               autocomplete="off">
 
             <div class="input-group input-group">
diff --git a/src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html b/src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html
index 3980f1380..4c0c4b7b3 100644
--- a/src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html
+++ b/src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html
@@ -1,7 +1,7 @@
 <div class="row">
 	<div class="col-md-4">
 		<form class="attack-form" accept-charset="UNKNOWN" method="POST"
-			action="SpoofCookie/login">
+			th:action="@{/SpoofCookie/login}">
 			<div style="padding: 20px;" id="password-login">
 				<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
 				<fieldset>
diff --git a/src/main/resources/lessons/sqlinjection/html/SqlInjection.html b/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
index 4e5a7cc6f..baafc3d0f 100644
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
@@ -15,7 +15,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/attack2"
+              th:action="@{/SqlInjection/attack2}"
               autocomplete="off">
             <table>
                 <tr>
@@ -39,7 +39,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/attack3"
+              th:action="@{/SqlInjection/attack3}"
               autocomplete="off">
             <table>
                 <tr>
@@ -63,7 +63,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/attack4"
+              th:action="@{/SqlInjection/attack4}"
               autocomplete="off">
             <table>
                 <tr>
@@ -87,7 +87,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/attack5"
+              th:action="@{/SqlInjection/attack5}"
               autocomplete="off">
             <table>
                 <tr>
@@ -143,7 +143,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/assignment5a">
+              th:action="@{/SqlInjection/assignment5a}">
             <table>
                 <tr>
                     <td>SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '</td>
@@ -188,7 +188,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/assignment5b">
+              th:action="@{/SqlInjection/assignment5b}">
             <table>
                 <tr>
                     <td>Login_Count:</td>
@@ -216,7 +216,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/attack8"
+              th:action="@{/SqlInjection/attack8}"
               autocomplete="off">
             <table>
                 <tr>
@@ -244,7 +244,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/attack9"
+              th:action="@{/SqlInjection/attack9}"
               autocomplete="off">
             <table>
                 <tr>
@@ -273,7 +273,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjection/attack10"
+              th:action="@{/SqlInjection/attack10}"
               autocomplete="off">
             <table>
                 <tr>
diff --git a/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html b/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
index 4d463ee54..08b7f5397 100644
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
@@ -20,7 +20,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjectionAdvanced/attack6a">
+              th:action="@{/SqlInjectionAdvanced/attack6a}">
             <table>
                 <tr>
                     <td>Name:</td>
@@ -33,7 +33,7 @@
         </form>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjectionAdvanced/attack6b">
+              th:action="@{/SqlInjectionAdvanced/attack6b}">
             <table>
                 <tr>
                     <td>Password:</td>
@@ -79,7 +79,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="SqlInjectionAdvanced/challenge_Login"
+                                          th:action="@{/SqlInjectionAdvanced/Challenge_Login}"
                                           role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
@@ -115,7 +115,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          action="SqlInjectionAdvanced/challenge"
+                                          th:action="@{/SqlInjectionAdvanced/challenge}"
                                           style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"
@@ -168,7 +168,7 @@
             <div class="container-fluid">
                 <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                       method="POST" name="form"
-                      action="SqlInjectionAdvanced/quiz"
+                      th:action="@{/SqlInjectionAdvanced/quiz}"
                       role="form">
                     <div id="q_container"></div>
                     <br />
diff --git a/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html b/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
index 9e1fc4e89..3a242afd9 100644
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
@@ -23,7 +23,7 @@
     <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10a">
+        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack10a}">
             <div>
                 <p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
                 <p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
@@ -42,7 +42,7 @@
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc}"></div>
     <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
-        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10b">
+        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack10b}">
             <div>
                 <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
                 <script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
@@ -72,7 +72,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlOnlyInputValidation/attack"
+              th:action="@{/SqlInjectionMitigations/attack}"
               enctype="application/json;charset=UTF-8">
             <table>
                 <tr>
@@ -95,7 +95,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlOnlyInputValidationOnKeywords/attack"
+              th:action="@{/SqlInjectionMitigations/attack}"
               enctype="application/json;charset=UTF-8">
             <table>
                 <tr>
@@ -124,7 +124,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="SqlInjectionMitigations/attack12a">
+              th:action="@{/SqlInjectionMitigations/attack12a}">
             <div class="container-fluid">
                 <div class="row">
                     <div class="panel panel-primary">
@@ -173,7 +173,7 @@
                 <br/>
             </div>
         </form>
-        <form class="attack-form" method="POST" name="form" action="SqlInjectionMitigations/attack12a">
+        <form class="attack-form" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack12a}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon">IP address webgoat-prd server:</div>
diff --git a/src/main/resources/lessons/ssrf/html/SSRF.html b/src/main/resources/lessons/ssrf/html/SSRF.html
index b0b15be21..c51afc9a7 100755
--- a/src/main/resources/lessons/ssrf/html/SSRF.html
+++ b/src/main/resources/lessons/ssrf/html/SSRF.html
@@ -12,7 +12,7 @@
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
-                  action="SSRF/task1">
+                  th:action="@{/SSRF/task1}">
                 <table>
                     <tr>
                         <td><input type="hidden" id="url1" name="url" value="images/tom.png"/></td>
@@ -34,7 +34,7 @@
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
-                  action="SSRF/task2">
+                  th:action="@{/SSRF/task2}">
                 <table>
                     <tr>
                         <td><input type="hidden" id="url2" name="url" value="images/cat.png"/></td>
diff --git a/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html b/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
index 0cf5f1310..cf82b7eae 100644
--- a/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
+++ b/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
@@ -18,7 +18,7 @@
 
         <form class="attack-form" accept-charset="UNKNOWN"  style="position:relative;top:150px"
               method="POST" name="form"
-              action="WebWolf/mail">
+              th:action="@{/WebWolf/mail}">
             <div class="container-fluid">
                 <div class="row">
                     <div class="col-md-4">
@@ -39,7 +39,7 @@
         <!-- <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
         <form class="attack-form" accept-charset="UNKNOWN"  style="position:relative;top:-50px"
               method="POST" name="secondform"
-              action="WebWolf/mail/send">
+              th:action="@{/WebWolf/mail/send}">
             <div class="container-fluid">
                 <div class="row">
                     <div class="col-md-4">
diff --git a/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc
index db2eb1d9d..6c600f5f1 100644
--- a/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc
+++ b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc
@@ -7,4 +7,4 @@ Why is that?
 That is because no link triggers that XSS.
 You can try it yourself to see what happens ... go to:
 
-link:/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111["/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111",window=_blank]
+link:CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111["CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111",window=_blank]
diff --git a/src/main/resources/lessons/xss/html/CrossSiteScripting.html b/src/main/resources/lessons/xss/html/CrossSiteScripting.html
index 7a4297cb7..a77ef7437 100644
--- a/src/main/resources/lessons/xss/html/CrossSiteScripting.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScripting.html
@@ -12,7 +12,7 @@
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
 				  method="POST" name="form"
-				  action="CrossSiteScripting/attack1">
+				  th:action="@{/CrossSiteScripting/attack1}">
 				<table>
 					<tr>
 						<td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
@@ -46,7 +46,7 @@
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
 				  method="GET" name="xss-5a"
-				  action="CrossSiteScripting/attack5a">
+				  th:action="@{/CrossSiteScripting/attack5a}">
 				<center>
 					<h4>Shopping Cart</h4>
 				</center>
@@ -133,7 +133,7 @@
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
 			  method="POST" name="DOMTestRoute"
-			  action="CrossSiteScripting/attack6a">
+			  th:action="@{/CrossSiteScripting/attack6a}">
 			<input name="DOMTestRoute" value="" type="TEXT" />
 			<input name="SubmitTestRoute" value="Submit" type="SUBMIT"/>
 		</form>
@@ -148,7 +148,7 @@
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
 			  method="POST" name="DOMFollowUp"
-			  action="CrossSiteScripting/dom-follow-up">
+			  th:action="@{/CrossSiteScripting/dom-follow-up}">
 			<input name="successMessage" value="" type="TEXT" />
 			<input name="submitMessage" value="Submit" type="SUBMIT"/>
 		</form>
@@ -168,7 +168,7 @@
 		<div class="container-fluid">
 			<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
 				  method="POST" name="form"
-				  action="CrossSiteScripting/quiz" role="form">
+				  th:action="@{/CrossSiteScripting/quiz}" role="form">
 				<div id="q_container"></div>
 				<br />
 				<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
diff --git a/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html b/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
index 2ea32b34b..a7896527f 100644
--- a/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
@@ -21,7 +21,7 @@
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8b.adoc}"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
-		<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="CrossSiteScripting/attack3">
+		<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/CrossSiteScripting/attack3}">
 			<div>
 				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor"></div>
 				<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
@@ -41,7 +41,7 @@
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8c.adoc}"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
-		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="CrossSiteScripting/attack4">
+		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/CrossSiteScripting/attack4}">
 			<div>
 				<div id="editor2" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor2"></div>
 				<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
diff --git a/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
index 6bd0c1977..53e55c4ac 100644
--- a/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
@@ -67,7 +67,7 @@
 
 		<form class="attack-form" accept-charset="UNKNOWN"
 			  method="POST" name="DOMFollowUp"
-			  action="CrossSiteScriptingStored/stored-xss-follow-up">
+			  th:action="@{/CrossSiteScriptingStored/stored-xss-follow-up}">
 			<input name="successMessage" value="" type="TEXT" />
 			<input name="submitMessage" value="Submit" type="SUBMIT"/>
 		</form>
diff --git a/src/main/resources/lessons/xxe/html/XXE.html b/src/main/resources/lessons/xxe/html/XXE.html
index 86bd9f178..9269cbfcb 100644
--- a/src/main/resources/lessons/xxe/html/XXE.html
+++ b/src/main/resources/lessons/xxe/html/XXE.html
@@ -28,7 +28,7 @@
               successCallback="simpleXXECallback"
               failureCallback="simpleXXECallback"
               contentType="application/xml"
-              action="xxe/simple">
+              th:action="@{/xxe/simple}">
             <div class="container-fluid">
                 <div class="panel post">
                     <div class="post-heading">
@@ -94,7 +94,7 @@
               prepareData="contentTypeXXE"
               successCallback="contentTypeXXECallback"
               failureCallback="contentTypeXXECallback"
-              action="xxe/content-type"
+              th:action="@{/xxe/content-type}"
               contentType="application/json">
             <div class="container-fluid">
                 <div class="panel post">
@@ -166,7 +166,7 @@
               prepareData="blindXXE"
               successCallback="blindXXECallback"
               failureCallback="blindXXECallback"
-              action="xxe/blind"
+              th:action="@{/xxe/blind}"
               contentType="application/xml">
             <div class="container-fluid">
                 <div class="panel post">