Articles

Understanding CSRF Attacks

I went about researching web security recently as I was writing Understanding Asynchronous JavaScript — I wanted to make sure my recommendations were secure and I’m not doing any of my students a disservice with my recommendations.

Unfortunately, articles in the security space were pretty hard to understand. There were many words that trigger lots of fear, uncertainty, and doubt in the articles. I get emotionally panicky when I read these articles — and I worry I may end up doing something wrong — even though the intention of these articles was good!

Many articles also don’t disclose full details CSRF, how to set up a CSRF Attack, and how to prevent a CSRF Attack, which leaves me doubtful about what I learned. I end up having to figure things out on my own.

I want to make it easier for you to understand CSRF, so I took a stab at writing an article with complete (and step-by-step) information about CSRF Attacks. I hope this article gives you the clarity and confidence you need to build secure web applications.

A library to make localStorage easier to use

One of the problems with localStorage is it takes in only string values. If you want to save an object, you have to convert it into JSON with JSON.stringify.

When you retrieve objects from localStorage, you need to convert the JSON value back into JavaScript with JSON.parse

How to find a tag id in Convertkit

Finding a tag ID in convertkit is simple. You don’t need to use the API. Using the API is a roundabout way if you want to find a specific tag ID.

Here are the steps:

1. Click the tag in Convertkit
2. Look at the URL.
3. Find the subscribable_ids parameter

Here’s an example:

https://app.convertkit.com/subscribers?subscribable_ids=3061839&subscribable_type=tag

In this case, the tag ID is 3061839.

Don’t be ashamed of tutorial hell

Many people are trapped in tutorial hell — they hop from one tutorial to another, to another, to another, never building something on their own. And they’re ashamed of it.

Don’t be ashamed of tutorial hell.

New CSS Color syntax — rgb instead of rgba

If you want to support transparency in a CSS rgb or hsl function, there’s no need to write rgba or hsla anymore. You can simply write rgb or hsl with a / to indicate the alpha.

No need for commas too!

Getting a cookie’s expiry value on a server

Browsers handle cookie expiry so they don’t pass the cookie’s expiry value to the server. You have to make some adjustments if you want to get the cookie’s expiry value on the server.

There are two methods:

• You can create a cookie with a JSON value
• You can use another cookie to signify the expiry

Rsync with Github actions when using a a custom port

If you want to rsync with a custom port in a GitHub action, you need to do three steps:

1. Add the port to as a secret
2. Add the port to known_hosts file
3. Perform the rsync action

Rsync with a custom port

You can rsync with a different port by adding -e "ssh --port" into the rsync command.

Why I stopped using Operator Mono

I bought Operator Mono two years ago. If you don’t know, Operator Mono is this fancy code font that was in the rage back then.

It’s nice. It has a unique serif feel to it. And it has real italics on a code font. Real italics

It’s pricey too — it costs $200. It took me a long time to contemplate and I finally bought it.

Fast forward two years, I decided to stop using Operator Mono and switch back to a free font.

Using async/await in Express

Have you noticed you write a lot of asynchronous code in Express request handlers? This is normal because you need to communicate with the database, the file system, and other APIs.

When you have so much asynchronous code, it helps to use async/await. It makes your code easier to understand.

Today, I want to share how to use async/await in an Express request handler.