Syntax - Tasty Web Development Treats

731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton

Feb 16, 2024

01:03:12

Snipd AI

Alex Sexton, security expert at Stripe, joins Syntax to cover client security, XSS attacks, and content security policy (CSP). They discuss the design system at Stripe, common security vulnerabilities, the MySpace Samy Worm, and best practices for securing websites.

AI Summary

Highlights

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Implementing Content Security Policy (CSP) from the beginning of website development is crucial for maintaining security.

When rolling out Content Security Policy (CSP) for an existing website, developers should start by creating a policy that they believe is good and incrementally add locked-down directives based on identified needs and vulnerabilities.

Common challenges in implementing Content Security Policy (CSP) can be addressed by using strategies such as avoiding inline scripts, parsing JSON from hidden elements, and prioritizing hashes over nonces.

Deep dives

Importance of Implementing Content Security Policy

Implementing Content Security Policy (CSP) from the beginning of website development is crucial for maintaining security. Starting with a lockdown CSP and gradually adding necessary allowances ensures a stronger security posture. Incremental implementation is possible through the use of the 'Content Security Policy Report Only' header, which reports violations without blocking them. Additionally, developers should lock down default sources, qualify URLs for requests, and consider optimizing for hashed scripts rather than using nonces. These practices help create a more secure web application environment.

Enhancing Link Styling with Computational Tricks

00:55

Implementing CSP and Client Side Security Best Practices

01:28

Layered Security for Web Development

00:53

Introduction

3min

Working on Stripe Js Versions and Internationalization

6min

Collaboration between Design Systems and iOS teams

26min

Discussing Allowed Domains and Security Measures

2min

Discussion on JavaScript injection and the MySpace worm

2min

Risks of Running Arbitrary Code on Websites

23min

Sick Picks and Shameless Plugs

2min

Scott and Wes are joined by security expert, Alex Sexton of Stripe to cover all things: client security, XSS, attack vectors, and CSP (content security policy).

Show Notes

00:00 Welcome to Syntax!
00:31 Brought to you by Sentry.io.
00:57 Who is Alex Sexton?
04:44 Stripe dashboard is a work of art.
05:08 Tell us about the design system.
React Aria
08:59 Who develops the iOS app?
09:50 Stripe’s CSP (content security policy).
12:50 What even is a content security policy?
Content Security Policy explanation
13:57 Douglas Crockford of Yahoo on security.
Douglas on GitHub
15:13 Security philosophy.
16:59 What about inline styles and inline JavaScript?
19:41 How do we safely set inline styles from JS?
20:20 Setting up with meta tags.
22:52 What are common situations that require security exceptions?
26:24 Potential damage with inline style tags.
32:45 Looping vulnerabilities.
36:32 What about JavaScript injection?
37:09 Myspace Samy Worm.
Myspace Samy Worm Wiki
Sentry.io Security Policy Reporting
42:02 Does a CSP stop code from running in the console?
43:28 What are some general security best practices?
46:35 Strategies for rolling out a CSP.
51:49 Final tip, Strict Dynamic.
Strict Dynamic
56:36 Where does the CSP live within Stripe?
Original Black Friday story
59:35 One last story.
01:01:20 Sick Picks + Shameless Plugs

Sick Picks + Shameless Plugs

Alex: Wes Bos’ Instagram

Hit us up on Socials!

Syntax: X Instagram Tiktok LinkedIn Threads

Wes: X Instagram Tiktok LinkedIn Threads

Scott:X Instagram Tiktok LinkedIn Threads

Randy: X Instagram YouTube Threads

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Syntax - Tasty Web Development Treats

731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Importance of Implementing Content Security Policy

Strategies for Rolling Out CSP

Addressing Common Challenges in CSP Implementation

The Dangers of Content Security Policy (CSP)

Threat Models and Mitigating Risks

Enhancing Link Styling with Computational Tricks

Implementing CSP and Client Side Security Best Practices

Layered Security for Web Development

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Syntax - Tasty Web Development Treats

731: Client side security, XSS attacks & CSP with Stripe’s Alex Sexton

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Importance of Implementing Content Security Policy

Strategies for Rolling Out CSP

Addressing Common Challenges in CSP Implementation

The Dangers of Content Security Policy (CSP)

Threat Models and Mitigating Risks

Enhancing Link Styling with Computational Tricks

Implementing CSP and Client Side Security Best Practices

Layered Security for Web Development

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights