250: Web Security with April King and Alex Sexton

We’re talking web security with a couple of web security experts – April King and Alex Sexton. We talk through the ways your site can get attacked and then cover the key things you can do to protect yourself from the majority of attacks.

Jump to a discussion on…

• 5:30 Who picked the scores for the Mozilla observatory test suite?
• 7:20 Are these attacks a back end problem or a front end problem?
• 9:01 What is HTTPS and why do I need it?
• 13:30 It’s pretty safe to assume at least somebody is listening to your traffic
• 16:30 Why wouldn’t a site use HTTPS everywhere?
• 17:35 Should I use it for my blog?
• 26:35 What’s XSS?
• 29:50 How do I stop XSS attacks?
• 34:50 How do you set CSP?
• 44:20 Inline stylesheets as an anti-pattern.
• 50:00 What’s CSRF?
• 53:00 What’s CORS?
• 55:40 What’s sub-resource integrity?
• 1:02:00 What happens if my site gets an F from Mozilla observatory?
• 1:07:30 How long does it take to secure my site and how do I know I did it right?
• 1:12:10 What tools do I use to test my site?

Links

• April King on Twitter
• Alex Sexton on Twitter / Alex on Github
• securethe.news
• Mozilla Observatory
• enable-cors.org
• hstspreload.org
• Report-uri
• SSL Labs
• Let’s Encrypt
• Cloudflare

Sponsors

An Event Apart * 17:31

You should come to An Event Apart! Six shows this year, all around the U.S. Chris will be speaking at most of them and giving a workshop at a few of them.

• April 3-5 Seattle
• May 15-17 Boston
• July 10-12 Washington DC
• August 28-30 Chicago
• October 30-November 1 San Francisco
• Denver 11-13 Denver

CodePen PRO 1:00:45

CodePen PRO unlocks Collab Code which allows you to do Google Doc like collaborative sharing of the code you’re writing. One way you can use it: interviewing potential front-end hires!

Job Mention

• ShopTalk Show Job Board

Episode source