731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton
Feb 16, 2024 • 1 hr 3 min
Episode description
Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy).
Show Notes
00:00 Welcome to Syntax!
00:31 Brought to you by Sentry.io.
00:57 Who is Alex Sexton?
04:44 Stripe dashboard is a work of art.
05:08 Tell us about the design system.
React Aria
08:59 Who develops the iOS app?
09:50 Stripe’s CSP (content security policy).
12:50 What even is a content security policy?
Content Security Policy explanation
13:57 Douglas Crockford of Yahoo on security.
Douglas on GitHub
15:13 Security philosophy.
16:59 What about inline styles and inline JavaScript?
19:41 How do we safely set inline styles from JS?
20:20 Setting up with meta tags.
22:52 What are common situations that require security exceptions?
26:24 Potential damage with inline style tags.
32:45 Looping vulnerabilities.
36:32 What about JavaScript injection?
37:09 Myspace Samy Worm.
Myspace Samy Worm Wiki
Sentry.io Security Policy Reporting
42:02 Does a CSP stop code from running in the console?
43:28 What are some general security best practices?
46:35 Strategies for rolling out a CSP.
51:49 Final tip, Strict Dynamic.
Strict Dynamic
56:36 Where does the CSP live within Stripe?
Original Black Friday story
59:35 One last story.
01:01:20 Sick Picks + Shameless Plugs
Alex: Wes Bos’ Instagram
Hit us up on Socials!
Syntax: X Instagram Tiktok LinkedIn Threads
Wes: X Instagram Tiktok LinkedIn Threads
Scott: X Instagram Tiktok LinkedIn Threads
Randy: X Instagram YouTube Threads