
Stuart Langridge
@sil
Followers
6K
Following
16K
Media
2K
Statuses
79K
Web consultant and custom developer. Believer in the web. Thou look’st like antichrist, in that lewd hat. He/him. @[email protected]
Birmingham, UK
Joined March 2007
Can I make someone else's tweet my pinned tweet?
@sil Your righteous Cassandra energy right now must be enough to power the country.
7
6
17
RT @DanielNewns: It’s time for @LaravelLiveUK ! Don’t forget to come by and say hello to the @jumptwenty4 team! Cast your vote on the reall…
0
3
0
RT @DanielNewns: The #marmite and #vegemite beef is real! Great slide by @Caneco if you’re at the @LaravelLiveUK event today then come and…
0
2
0
Take a look at Learn Privacy at for how to set up CSPRO on your sites so you can help protect your users' privacy. And if you like that and want me to write things for you, get in touch! #stuartwriting 6/6.
0
3
3
Most of the time, the way you use the sites you build isn't the way that your actual users do. What CSPRO does for you is give you quiet feedback on what your users are experiencing: if your pages load loads of extra JS and pass back user info, you'll know. #stuartwriting 5/6.
1
1
3
What this means is that if you set up CSPRO on your page, you get a free audit of what all your third-party resources are loading. Do they pull in extra JS? Are they loading a million extra URLs? Do they pass back info about your users? Now you get to see that! #stuartwriting 4/6.
1
1
1
But there's a little-known extra to CSP: the Content-Security-Policy-Report-Only header. With this, if anything on your site tries to load a resource you didn't expect, it won't be denied, but it *will* tell *you* about it with a web hook. #stuartwriting 3/6.
1
1
1
The Content Security Policy stuff (called "CSP") in browsers is rather a pain to set up. It's useful for security: basically, you can say "this page is allowed to load X, Y, and Z", and if the page tries to load anything else, it'll be denied. #stuartwriting 2/6.
1
1
1
A #WebPrivacy tip. Most web pages use third-party stuff somehow; web fonts, images, videos, JavaScript. It can be useful (and eye-opening for you, the page developer) to see what these things actually do. Do you know about Content-Security-Policy-Report-Only? #stuartwriting 1/6.
1
4
5
To know more about the facade pattern and other ways of using third party stuff without compromising your users' privacy as much, check out Learn Privacy at And if you like that and want me to write things for you, get in touch! #stuartwriting 4/4.
0
1
1
You can make the "facade" look as much like the actual embedded thing as you want. Most sites that you might want to embed from -- YouTube, TikTok, Twitter -- support oEmbed so you can fetch a machine-readable version of the embedded thing. #stuartwriting 3/4.
1
0
1
There are a bunch of ways to do this, but the one we're talking about today is called the "facade pattern". Basically, you display something which looks enticing in your page, which when clicked on loads the embedded thing: the video or similar. #stuartwriting 2/4.
1
0
0
A #WebPrivacy tip. When you embed a resource from somewhere else on your website -- a video, a tweet, an image, whatever -- you're also aiding the source of that info to track your users around the internet. It's your job to help avoid that. #stuartwriting 1/4.
2
0
2
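The facade pattern from the thread above, as an added example that is not the author's own code: the page renders only a same-origin placeholder built from the oEmbed response, and the third-party iframe is created on click, so the embed provider sees no request until the user asks for the video. The oEmbed field names (title, thumbnail_url, html) are real; the `/thumb-proxy` path, the host allow-list and the sample response are assumptions constructed for the example.

```javascript
// Added example, not code from the original thread: a facade for a third-party
// video embed. At page load only a same-origin placeholder exists; the iframe,
// and so the first request to the third party, is created on click. The oEmbed
// field names are real (title, thumbnail_url, html); the thumbnail proxy path
// and the host allow-list are assumptions.
const ALLOWED_EMBED_HOSTS = new Set(["www.youtube.com", "www.youtube-nocookie.com"]);
// Pull the iframe src out of the oEmbed html snippet and check its host; never
// inject the third party's snippet itself into the page.
function embedUrlFromOEmbed(oembed) {
  const m = /<iframe[^>]*\ssrc="([^"]+)"/i.exec(oembed.html || "");
  if (!m) return null;
  const url = new URL(m[1]);
  if (!ALLOWED_EMBED_HOSTS.has(url.host)) return null;
  // Prefer YouTube's "privacy-enhanced mode" domain for the embed itself.
  if (url.host === "www.youtube.com") url.host = "www.youtube-nocookie.com";
  return url.href;
}
// Build the placeholder. `doc` is injectable so the logic can run outside a browser.
function buildFacade(oembed, doc = globalThis.document) {
  const src = embedUrlFromOEmbed(oembed);
  if (!src) throw new Error("embed host not on the allow-list");
  const box = doc.createElement("button");
  box.className = "embed-facade";
  const img = doc.createElement("img");
  // Serve the thumbnail through our own origin so the third party sees nothing.
  img.src = "/thumb-proxy?u=" + encodeURIComponent(oembed.thumbnail_url);
  img.alt = oembed.title;
  box.appendChild(img);
  box.addEventListener("click", () => {
    const frame = doc.createElement("iframe");
    frame.src = src; // the only request that ever reaches the third party
    frame.title = oembed.title;
    frame.setAttribute("sandbox", "allow-scripts allow-same-origin allow-presentation");
    box.replaceWith(frame);
  });
  return box;
}
// Constructed oEmbed response in the shape YouTube's endpoint returns.
const SAMPLE_OEMBED = {
  title: "Example talk",
  thumbnail_url: "https://i.ytimg.com/vi/VIDEO_ID_PLACEHOLDER/hqdefault.jpg",
  html: '<iframe width="200" height="113" src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER" frameborder="0"></iframe>',
};
if (typeof document !== "undefined") document.body.appendChild(buildFacade(SAMPLE_OEMBED));
```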
To learn more about fingerprinting, why it's bad for user privacy, and what you can do as a developer, check out Learn Privacy at And if you like that and want me to write things for you, get in touch! #stuartwriting 5/5.
0
1
1
In practice, most developers and most businesses have no need to fingerprint users. If you make people sign in then they identify themselves to you with consent, and in a way they can unilaterally opt out of at any time they choose. This protects their privacy. #stuartwriting 4/5.
1
0
1
Browser vendors know that users do not like being tracked, and are continually implementing features to limit fingerprinting. Active fingerprinting techniques are harder because browsers pop up confirmation dialogs: this stops the fingerprinting being covert! #stuartwriting 3/5.
1
0
0
One way to think about fingerprinting is as active vs passive. A passive fingerprinting technique is one which uses information that is given to the website by default; an active technique is one which explicitly interrogates the browser for extra information. #stuartwriting 2/5.
1
0
0
A #WebPrivacy tip. Fingerprinting is the act of trying to covertly identify a user or distinguish one user from another by reading stuff about their setup. Web sites and web browsers can do this, and your job as a developer is to protect your users from it. #stuartwriting 1/5.
2
0
2
To get all the detail of how modern browsers use the user agent, check out Learn Privacy at And if you like that and want me to write things for you, get in touch! #stuartwriting 4/4.
0
0
0
However, the user agent is now mostly frozen in all modern browsers. You can still, normally, get a version number, and which browser you're in, but that's basically all. This protects people's privacy, because it's none of your business which browser I use. #stuartwriting 3/4.
1
0
0
The User-Agent header is an incomprehensible melange of techie info, historical accidents, and lies. It used to look something like this: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15 #stuartwriting 2/4.
1
0
0