February 16th, 2024 × #security#javascript#css
Client side security, XSS attacks & CSP with Stripe’s Alex Sexton
Alex Sexton from Stripe discusses CSP (Content Security Policy) and client side security best practices, drawing on 11 years of experience at Stripe.
Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy).
Show Notes
- 00:00 Welcome to Syntax!
- 00:31 Brought to you by Sentry.io.
- 00:57 Who is Alex Sexton?
- 04:44 Stripe dashboard is a work of art.
- 05:08 Tell us about the design system.
- React Aria
- 08:59 Who develops the iOS app?
- 09:50 Stripe's CSP (content security policy).
- 12:50 What even is a content security policy?
- Content Security Policy explanation
- 13:57 Douglas Crockford of Yahoo on security.
- Douglas on GitHub
- 15:13 Security philosophy.
- 16:59 What about inline styles and inline JavaScript?
- 19:41 How do we safely set inline styles from JS?
- 20:20 Setting up with meta tags.
- 22:52 What are common situations that require security exceptions?
- 26:24 Potential damage with inline style tags.
- 32:45 Looping vulnerabilities.
- 36:32 What about JavaScript injection?
- 37:09 Myspace Samy Worm.
- Myspace Samy Worm Wiki
- Sentry.io Security Policy Reporting
- 42:02 Does a CSP stop code from running in the console?
- 43:28 What are some general security best practices?
- 46:35 Strategies for rolling out a CSP.
- 51:49 Final tip, Strict Dynamic.
- Strict Dynamic
- 56:36 Where does the CSP live within Stripe?
- Original Black Friday story
- 59:35 One last story.
- 01:01:20 Sick Picks + Shameless Plugs
Sick Picks + Shameless Plugs
- Alex: Wes Bos' Instagram
Hit us up on Socials!
Syntax: X Instagram Tiktok LinkedIn Threads
Wes: X Instagram Tiktok LinkedIn Threads