731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton
Scott and Wes are joined by security expert Alex Sexton of Stripe to cover all things client security: XSS, attack vectors, and CSP (Content Security Policy).
Show Notes
- 00:00 Welcome to Syntax!
- 00:31 Brought to you by Sentry.io.
- 00:57 Who is Alex Sexton?
- 04:44 Stripe dashboard is a work of art.
- 05:08 Tell us about the design system.
- React Aria
- 08:59 Who develops the iOS app?
- 09:50 Stripe’s CSP (content security policy).
- 12:50 What even is a content security policy?
- Content Security Policy explanation
- 13:57 Douglas Crockford of Yahoo on security.
- Douglas on GitHub
- 15:13 Security philosophy.
- 16:59 What about inline styles and inline JavaScript?
- 19:41 How do we safely set inline styles from JS?
- 20:20 Setting up with meta tags.
- 22:52 What are common situations that require security exceptions?
- 26:24 Potential damage with inline style tags.
- 32:45 Looping vulnerabilities.
- 36:32 What about JavaScript injection?
- 37:09 Myspace Samy Worm.
- Myspace Samy Worm Wiki
- Sentry.io Security Policy Reporting
- 42:02 Does a CSP stop code from running in the console?
- 43:28 What are some general security best practices?
- 46:35 Strategies for rolling out a CSP.
- 51:49 Final tip, Strict Dynamic.
- Strict Dynamic
- 56:36 Where does the CSP live within Stripe?
- Original Black Friday story
- 59:35 One last story.
- 01:01:20 Sick Picks + Shameless Plugs
- Alex: Wes Bos’ Instagram
Syntax: X Instagram Tiktok LinkedIn Threads
Wes: X Instagram Tiktok LinkedIn Threads