Skip to content

Instantly share code, notes, and snippets.

title published description tags cover_image
Mitigating cross-site scripting with Content Security Policy
Learn how to use Content Security policy to defend your site against cross-site scripting attacks
security, xss, javascript

In this post, we're going to look at using Content Security Policy (CSP) as a defense-in-depth technique to block script injection attacks.

title published description tags cover_image
Inspecting .NET application state with SOS
Learn how to use the Windows Debugger to inspect application state from a .NET process dump
.net, windbg, csharp, debugging

In this post, we'll cover how to use the SOS debugging tools to inspect variables from a process dump of a .NET Framework / .NET Core application.


OAuth 2 Bearer Tokens

Current design:

  • Based on OAuth 1.0a with a central authority
  • Access token / secret generated by central authority, used in combination with consumer token / secret
  • Client creates OAuth header from consumer token/secret and access token/secret. HMAC-SHA1 or PLAINTEXT signatures used
  • Each web service makes a call to central authority to get current user information based on OAuth header

Problem A - Increased latency:

  • Service A needs to verify OAuth header
dustinsoftware / client.cs
Last active Jul 18, 2018
HttpClient headers repro
View client.cs
using System;
using System.Linq;
using System.Net.Http;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
namespace HttpClientTest
class Program

At Faithlife, we've been using OAuth 1.0a to handle authentication between services. Instead of designing our apps as monoliths, we've been perferring to build lightweight frontend applications that call RESTful microservices, returning entities as JSON. These frontend applications don't touch our databases directly. Among other benefits, this allows us to better allocate hardware resources (CPU, RAM, disk) to applications that need them.

A typical request to Faithlife might look something like this:

![mermaid sequenceDiagram participant Frontend participant Accounts participant Community Newsfeed participant Amber API


Early draft, please don't publish until the performance improvements are merged and shipped.

React 16.5 recently shipped, which added support for some new Profiling tools. We recently used these tools to identify a major source of slow render performance. is a web application powered by React 16.3. The homepage consists of a reverse-chronological timeline of posts. We received some reports that interactions with posts (such as replying) caused the browser to lag, depending on how far down the post was on the page. The further down the page the post was, the more lag occurred.

After updating React to 16.5 on a local copy of Faithlife, our next step was to start profiling and capture what components were re-rendering. Below is a screenshot of what the tools showed us clicking the 'Like' button on any post:


Keybase proof

I hereby claim:

To claim this, I am signing this object:

View iot-light.cs
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;
namespace udptest
class Program


Build hacks: Faster Ember builds with Docker on Windows

When I joined a team maintaining an Ember web app, I was surprised to learn that almost the whole team developed exclusively on MacBooks. The team experienced slow Ember builds on Windows, and dealing with native Node dependencies (such as node-gyp) was a frustrating experience. Microsoft has made some recent improvements to support Node-based development environments on Windows, so I set out to see what we could do to make this better.

Note: WSL2 has been announced, which resolves many of the performance pains we experienced. This post should still be relevant for those wanting to use Docker as a development container.

Just show me the code!

A working demo of the Docker setup is available on GitHub. We'll link to it throughout this article.

You can’t perform that action at this time.