Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy).

Show Notes

• 00:00 Welcome to Syntax!
• 00:31 Brought to you by Sentry.io.
• 00:57 Who is Alex Sexton?
• 04:44 Stripe dashboard is a work of art.
• 05:08 Tell us about the design system.
• React Aria

08:59 Who develops the iOS app?

09:50 Stripe’s CSP (content security policy).

12:50 What even is a content security policy?

Content Security Policy explanation

13:57 Douglas Crockford of Yahoo on security.

Douglas on GitHub

15:13 Security philosophy.

16:59 What about inline styles and inline JavaScript?

19:41 How do we safely set inline styles from JS?

20:20 Setting up with meta tags.

22:52 What are common situations that require security exceptions?

26:24 Potential damage with inline style tags.

32:45 Looping vulnerabilities.

36:32 What about JavaScript injection?

37:09 Myspace Samy Worm.

Myspace Samy Worm Wiki

Sentry.io Security Policy Reporting

42:02 Does a CSP stop code from running in the console?

43:28 What are some general security best practices?

46:35 Strategies for rolling out a CSP.

51:49 Final tip, Strict Dynamic.

Strict Dynamic

56:36 Where does the CSP live within Stripe?

Original Black Friday story

59:35 One last story.

01:01:20 Sick Picks + Shameless Plugs

Sick Picks + Shameless Plugs

• Alex: Wes Bos’ Instagram

Hit us up on Socials!

Syntax: X Instagram Tiktok LinkedIn Threads

Wes: X Instagram Tiktok LinkedIn Threads

Scott:X Instagram Tiktok LinkedIn Threads

Randy: X Instagram YouTube Threads