Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy).

Show Notes

• 00:00 ">00:00 Welcome to Syntax!
• 00:31 ">00:31 Brought to you by Sentry.io.
• 00:57 ">00:57 Who is Alex Sexton?
• 04:44 ">04:44 Stripe dashboard is a work of art.
• 05:08 ">05:08 Tell us about the design system.
• React Aria
  
• 08:59 ">08:59 Who develops the iOS app?
• 09:50 ">09:50 Stripe’s CSP (content security policy).
• 12:50 ">12:50 What even is a content security policy?
• Content Security Policy explanation
  
• 13:57 ">13:57 Douglas Crockford of Yahoo on security.
• Douglas on GitHub
  
• 15:13 ">15:13 Security philosophy.
• 16:59 ">16:59 What about inline styles and inline JavaScript?
• 19:41 ">19:41 How do we safely set inline styles from JS?
• 20:20 ">20:20 Setting up with meta tags.
• 22:52 ">22:52 What are common situations that require security exceptions?
• 26:24 ">26:24 Potential damage with inline style tags.
• 32:45 ">32:45 Looping vulnerabilities.
• 36:32 ">36:32 What about JavaScript injection?
• 37:09 ">37:09 Myspace Samy Worm.
• Myspace Samy Worm Wiki
  
• Sentry.io Security Policy Reporting
  
• 42:02 ">42:02 Does a CSP stop code from running in the console?
• 43:28 ">43:28 What are some general security best practices?
• 46:35 ">46:35 Strategies for rolling out a CSP.
• 51:49 ">51:49 Final tip, Strict Dynamic.
• Strict Dynamic
  
• 56:36 ">56:36 Where does the CSP live within Stripe?
• Original Black Friday story
  
• 59:35 ">59:35 One last story.
• 01:01:20 ">01:01:20 Sick Picks + Shameless Plugs

Sick Picks + Shameless Plugs

• Alex: Wes Bos’ Instagram
  

Hit us up on Socials!

Syntax: X Instagram Tiktok LinkedIn Threads

Wes: X Instagram Tiktok LinkedIn Threads

Scott:X Instagram Tiktok LinkedIn Threads

Randy: X Instagram YouTube Threads