731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton

Scott and Wes are joined by security expert Alex Sexton of Stripe to cover all things client security: XSS, attack vectors, and CSP (Content Security Policy).

Show Notes

- 00:00 Welcome to Syntax!
- 00:31 Brought to you by Sentry.io.
- 00:57 Who is Alex Sexton?
- 04:44 Stripe dashboard is a work of art.
- 05:08 Tell us about the design system. (Link: React Aria)
- 08:59 Who develops the iOS app?
- 09:50 Stripe's CSP (Content Security Policy).
- 12:50 What even is a Content Security Policy? (Link: Content Security Policy explanation)
- 13:57 Douglas Crockford of Yahoo on security. (Link: Douglas on GitHub)
- 15:13 Security philosophy.
- 16:59 What about inline styles and inline JavaScript?
- 19:41 How do we safely set inline styles from JS?
- 20:20 Setting up with meta tags.
- 22:52 What are common situations that require security exceptions?
- 26:24 Potential damage with inline style tags.
- 32:45 Looping vulnerabilities.
- 36:32 What about JavaScript injection?
- 37:09 Myspace Samy Worm. (Links: Myspace Samy Worm Wiki, Sentry.io Security Policy Reporting)
- 42:02 Does a CSP stop code from running in the console?
- 43:28 What are some general security best practices?
- 46:35 Strategies for rolling out a CSP.
- 51:49 Final tip: Strict Dynamic. (Link: Strict Dynamic)
- 56:36 Where does the CSP live within Stripe? (Link: Original Black Friday story)
- 59:35 One last story.
- 01:01:20 Sick Picks + Shameless Plugs

Sick Picks + Shameless Plugs

- Alex: Wes Bos' Instagram

Hit us up on Socials!

- Syntax: X, Instagram, TikTok, LinkedIn, Threads
- Wes: X, Instagram, TikTok, LinkedIn, Threads
- Scott: X, Instagram, TikTok, LinkedIn, Threads
- Randy: X, Instagram, YouTube, Threads

Episodes (985)

985: Stop putting secrets in .env

Scott and Wes are joined by Phil Miller and Theo Ephraim to talk about Varlock, a new approach to environment variables that adds schemas, validation, and security to the humble .env file. They dig in...

9 Mar, 47 min

984: How to Make a DOM Library Render Anything w/ Paolo Ricciuti

Wes and Scott talk with Paolo Ricciuti about Svelte custom renderers and how Svelte actually talks to the DOM. They dig into compiler internals, CSS handling, native bridges, and the realities of main...

4 Mar, 49 min

983: Why I Chose Electron Over Native (And I’d Do It Again)

Wes and Scott talk about building v_framer, Scott’s custom multi-source video recording app, and why Electron beat Tauri and native APIs for the job. They dig into MKV vs WebM, crash-proof recording, ...

2 Mar, 37 min

982: Bots Are Ruining the Internet

Wes and Scott talk about the latest dev news: Node enabling Temporal by default, OpenAI acquiring OpenClaw, TypeScript 6, new TanStack and Deno releases, the explosion of AI agent platforms, and more....

25 Feb, 49 min

981: Browsers Are Finally Catching Up (Interop 2026)

Scott and Wes unpack Interop 2026 and the browser features finally aligning across engines, from container style queries and anchor positioning to scroll-driven animations and view transitions. They b...

23 Feb, 51 min

980: AI Coding Explained

Wes and Scott talk about the state of AI coding in 2026—from editors and models to agents, skills, slash commands, MCPs, and more. They unpack what these things actually do, how they overlap, and how ...

18 Feb, 52 min

979: WebMCP: New Standard to Expose Your Apps to AI

Scott and Wes unpack WebMCP, a new standard that lets AI interact with websites through structured tools instead of slow, bot-style clicking. They demo it, debate imperative vs declarative APIs, and s...

16 Feb, 16 min

978: Should A New Coder Use AI?

Wes and Scott answer your questions about AI agents, learning to code with AI, pagination patterns, skilling up from outdated tech stacks, balancing side projects with family life, real-world hacking ...

11 Feb, 1 h 2 min