<?xml version="1.0" encoding="utf-8"?>
    <feed xmlns="http://www.w3.org/2005/Atom">
        <title>Anselm Hannemann - Notes</title>
        <link href="https://helloanselm.com/notes.xml" rel="self"/>
        <link href="https://helloanselm.com/notes/"/>
        <updated>Tue, 20 Dec 2016 12:07:36 +0100</updated>
        <id>https://helloanselm.com/notes</id>
        <author>
            <name>Anselm Hannemann</name>
            <email>hello@helloanselm.com</email>
        </author>

        
        
        
        <entry>
            <title>Get your HTTP Status Code Right</title>
            <link href="https://helloanselm.com/notes/curl-statuscodes/"/>
            <updated>2016-12-18T00:00:00+01:00</updated>
            <id>https://helloanselm.com.com/notes/curl-statuscodes</id>
            <content type="html"><![CDATA[ <p>Today I noticed that a couple of big websites do prevent me from checking a URL’s HTTP Status Code via <code>curl</code>.
See the following header response from a Medium-served custom-domain (doesn’t happen with medium.com URLs):</p>
<div class="highlight"><pre><code class="language-" data-lang="">curl -I https://shift.newco.co/how-a-single-conversation-with-my-boss-changed-my-view-on-delegation-and-failure-ae5376451c8d
HTTP/1.1 409 Conflict
</code></pre></div>
<p><a href="https://httpstatuses.com/409">Error 409</a>:</p>

<blockquote>
<p>The request could not be completed due to a conflict with the current state of the target resource. This code is used in situations where the user might be able to resolve the conflict and resubmit the request.</p>

<p>The server SHOULD generate a payload that includes enough information for a user to recognize the source of the conflict.</p>

<p>Conflicts are most likely to occur in response to a PUT request. For example, if versioning were being used and the representation being PUT included changes to a resource that conflict with those made by an earlier (third-party) request, the origin server might use a 409 response to indicate that it can&#39;t complete the request. In this case, the response representation would likely contain information useful for merging the differences based on the revision history.</p>
</blockquote>

<p>I have no clue why this code is being shown, but please fix this, dear developers.</p>

<p>Here’s another example from LinkedIn posts:</p>
<div class="highlight"><pre><code class="language-" data-lang="">curl -I https://www.linkedin.com/pulse/why-should-employers-care-families-rose-marcario

HTTP/1.1 999 Request denied
</code></pre></div>
<p>Yes, this is clearly a good idea. <a href="https://httpstatuses.com/999">You see what Status Code <code>999</code> is</a>? Don’t do that!</p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Twitter Detox</title>
            <link href="https://helloanselm.com/notes/twitter-detox/"/>
            <updated>2016-12-15T00:00:00+01:00</updated>
            <id>https://helloanselm.com.com/notes/twitter-detox</id>
            <content type="html"><![CDATA[ <p>As of today, I decided to put both my accounts to a “private” state. This means 
only people that I follow and that follow me will be able to read my tweets. It’s 
the result of a small and unimportant harassment incident that made me realize how 
shitty the service really is when you need support.</p>

<p>A week ago I received my first harassment tweet by a politically differently oriented person. 
In Germany, the content of the tweet might already fulfill some elements of a legal offence.</p>

<p>To take action on this, I did what Twitter suggests: I <em>reported</em> the profile, which contained a lot more similar tweets, 
some of which were way worse, to Twitter. I reported it as a matter of my personal security being affected, as, again, suggested.</p>

<p>Six hours later I got an automated email that the case has been reviewed:</p>

<blockquote>
<p>Thank you for reporting this issue to us. Our goal is to create a safe environment for everyone on Twitter to express themselves freely.  </p>

<p>We reviewed your report carefully and <strong>found that there was no violation of Twitter’s Rules regarding abusive behavior</strong> (https://twitter.com/rules). </p>
</blockquote>

<p>Over the last year I’ve heard similar stories from various persons and many of them 
suffered from much worse harassment. But naturally you don’t care too much until you experience this 
in some way on your own.</p>

<p>To make a statement, today I set both my Twitter accounts to <em>private</em>, effectively limiting 
my audience to my approved followers. Additionally, I decided to not tweet much myself anymore from now on.
This is an experiment but I’ll try. </p>

<p><strong>I don’t want to support a service that does not even try to limit harassment.</strong></p>

<p>You can always contact me via <a href="/contact">email</a>, <a href="https://whispersystems.org/#messaging">Signal</a>, or <a href="https://threema.ch/en/">Threema</a>.</p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Setting up S/MIME on macOS Sierra &amp; iOS</title>
            <link href="https://helloanselm.com/notes/setting-up-s-mime-on-macos-sierra-ios/"/>
            <updated>2016-12-01T00:00:00+01:00</updated>
            <id>https://helloanselm.com.com/notes/setting-up-s-mime-on-macos-sierra-ios</id>
            <content type="html"><![CDATA[ <p>Setting up S/MIME is actually not that hard. That said, it’s probably still too nerdy for a normal user so this type of email encryption is likely not something for non-technical people.</p>

<h3 id="you-need-a-email-certificate-by-an-authority">You need an email certificate from an authority</h3>

<p>Of course you could create a certificate yourself but then no one would trust this manually so it’d be useless. However, there are very few providers that offer S/MIME certificates. Most are expensive, one is free: <a href="https://www.startssl.com/">startssl.com</a>. I’ll be honest, I don’t like them too much but it’s free and does its job.</p>

<p>Sign up with your email address that you want the certificate for. Then you’ll need to request a free email (S/MIME) certificate from your dashboard. </p>

<p>When it comes to creating a certificate, the best option is to create the certificate request yourself. I’m going to quickly describe how to do this on a Mac:</p>

<h3 id="create-certificate-request-in-macos-sierra">Create Certificate Request in macOS Sierra</h3>

<p>Go to your Keychain Access.app and from the menu choose “Certificate Assistant”. Then, continue with “Request a Certificate From a Certificate Authority…”. </p>

<p><img src="/img/notes/smime-macos-ios/request-certificate-from-authority-macos.png" alt="Screenshot of macOS’ &quot;Keychain Access.app&quot; with opened menu bar, chosen submenu item &quot;Certificate Assistant&quot; and option &quot;Request a Certificate from a Certificate Authority&quot; selected"></p>

<p>You’ll now see a wizard asking you to enter your email address (that you want to use for signing and encrypting), a common name and what to do with the request.</p>

<p><img src="/img/notes/smime-macos-ios/certificate-request-details.png" alt="Screenshot of follow-up wizard in which you need to enter personal details and choose option to save to disk"></p>

<p>Choose “Saved to Disk” here and save the Signing Request to your filesystem.</p>

<h3 id="request-certificates">Request Certificates</h3>

<p>Now go back to your StartSSL dashboard and continue there with the wizard. You can now enter the content of your Signing Request file (just copy and paste it) into a text area. Finally, you can now request the certificates and download them.</p>

<h3 id="import-the-certificate-on-macos">Import the Certificate on macOS</h3>

<p>The downloaded bundle contains the certificate that you can now import into your keychain by double clicking on it. Use the <code>.crt</code> file that has the email address in its file name.</p>

<h3 id="use-it-in-mail-app">Use it in Mail.app</h3>

<p>Mail.app will automatically discover the certificate and will display a lock icon and a signature icon in the “Write new Email” window. These are for S/MIME encryption and signing and should be checked if you would like to send your signature or encrypt the email. </p>

<p>If you have a contact sending you an email with a valid S/MIME signature, Mail will recognize it and from then on will be able to encrypt messages between you both.</p>

<h3 id="export-the-certificate-for-ios">Export the Certificate for iOS</h3>

<p>If we want to use the certificate on iOS as well, we need to export it. Therefore, in your keychain app, do a right click on the certificate and choose export. Follow the wizard to export the certificate as <code>.p12</code> file.</p>

<p>Now transfer this <code>.p12</code> file to your iPhone using Mail or AirDrop. You can open this file on the iPhone and will be asked if you want to import the certificate. Enter your credentials and add this certificate to iOS.</p>

<p>Finally, after importing the certificate to iOS, you can now go to your Settings -&gt; Mail -&gt; [Your Account] -&gt; IMAP -&gt; Advanced -&gt; Use S/MIME -&gt; Check on “Sign by default” or “Encrypt by default” as you prefer.</p>

<p>Now you can sign your emails. If you want to encrypt emails with others, you need to get an email with a valid signature from the other person. Then, tap on the signature and install it on your phone. Unfortunately and unlike on macOS, iOS doesn’t auto-import these signatures for you.</p>

<p>I hope this guide helped you set up S/MIME on your Apple systems.</p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Open Research Funding in Web Development</title>
            <link href="https://helloanselm.com/notes/web-development-open-research-funding/"/>
            <updated>2016-11-25T00:00:00+01:00</updated>
            <id>https://helloanselm.com.com/notes/web-development-open-research-funding</id>
            <content type="html"><![CDATA[ <p>With 16500 email readers and tens of thousands readers online, my WDRL project seems to be of big interest for many people.
Understandable if we take into account how hard it is to keep up to date with web development technology. But how is this 
continuous research project financed? Mostly by myself. And that’s a problem. </p>

<p>After four years that were successful in terms of acceptance, my project is still constantly under-funded. Now if you take into account 
that I spend many hours each week on writing a summary for thousands of readers and therefore, as a freelancer, am investing real 
money into running this, there’s a real risk that at some point I will lose interest in the project as I’m working for free here.</p>

<p>A few years ago, when Šime Vidas decided to change his <a href="https://webplatformdaily.org/">webplatformdaily.org</a> project to a subscription-only
model to access content, I talked to several very well-known people in the front-end community. Most were very sad, some even upset that 
this great resource wasn’t available publicly anymore. They suggested searching for some sponsors instead or showing ads.</p>

<p>But what they don’t take into account here: Searching for sponsors, handling sponsorship deals is an effort, too. That means increased work 
for a business model that could fail from one month to another. You never know if you find a good sponsor next time. Lastly, all these sponsorship 
deals don’t cover that much money and require analytics and statistics to be sent over to the sponsor. Most sponsors even require you to place prominent 
links into the resource itself or even exclusive ad-newsletters. This is unacceptable for a publication that wants to be independent and 
doesn’t want to collect any user tracking data.</p>

<p><a href="https://wdrl.info/donate">I take donations by readers to fund WDRL</a>. Sadly, my average donor count is stuck at around 35 individuals. This means that <strong>about 0.0021% of my subscribers actually support the project with their money</strong>. I’m deeply thankful to each individual who gives a little bit of their money to support the content they love to read. ❤️</p>

<p>If we don’t want to lose projects we love, we need to support them with direct money.
—Anselm</p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Peter Thiel’s Influence</title>
            <link href="https://helloanselm.com/notes/peter-thiels-influence/"/>
            <updated>2016-10-18T00:00:00+02:00</updated>
            <id>https://helloanselm.com.com/notes/peter-thiels-influence</id>
            <content type="html"><![CDATA[ <p>What we often overlook is the influence of individual people on companies and even us.
With Peter Thiel’s support for Donald Trump, we need to reflect on our decisions online again,
and finally need to draw the necessary conclusions.</p>

<p>Many of us in the web development industry indirectly live off Peter Thiel’s money.
We use Facebook, we use PayPal, we use Salesforce, we use Asana, Stripe, OpenTable, Kickstarter,
Lyft, Spotify or any other service, backed by Peter Thiel’s Venture Capital.</p>

<blockquote>
<p>“I know this sounds bad but it’s the reality. 😕 Venture Capital is not just &quot;great&quot;, it has consequences.”</p>
</blockquote>

<p>Of course not all of these companies are necessarily doing bad things or support
Donald Trump directly. But they’ve taken the <abbr>VC</abbr> from a big investor in
Donald Trump, and we all know that the one with the money also makes the rules.
By taking <abbr>VC</abbr> you agree to comply with these rules and ultimately, if you
succeed with the company, support your VC backer by giving him back the money multiple times.</p>

<p>As a logical conclusion, <strong>if you work for a company taking VC from Peter Thiel, you
indirectly work for his fortune</strong>. <strong>If you buy or use a product from such a company, you also
support him</strong>. If you spread the love for such services, you support him. <strong>This sounds
very harsh but sadly, that’s the reality</strong>.</p>

<p>But it’s on us to make the right decisions. We need to set our standards for ethics ourselves.
You shouldn’t blame the government or other persons if someone like Trump succeeds (insert UK’s Tories
or Germany’s AfD party here). If your own ethics aren’t supporting those who actively fight against
these kinds of investments, against corruption and tax avoidance, you take part in the success
of those people who play unfair.</p>

<p>But I don’t want to blame you. I want to blame me as well. Some decisions are easy to make,
some are harder. My Web Development Reading List only accepts donations via PayPal—a company
funded by Peter Thiel. I chose this because no other service worked as easily. And now you need
to realize that Stripe is also funded by him. For some choices it’s harder to evade. But the
first step is to realize that using this service isn’t great.</p>

<blockquote>
<p>“We can create great web solutions without this money. It’s not even much harder. Just another mindset.”</p>
</blockquote>

<p>Now as developers we are the ones responsible for web solutions. If we choose to use Facebook’s React.js
framework for an application, we are responsible for the consequences. We indirectly support Facebook here,
a company backed by … Peter Thiel. If we share how great Lyft or Spotify is, we spread the love for these services,
indirectly giving the money to … Peter Thiel, Donald Trump.</p>

<blockquote>
<p>“Before you choose a technology, make sure you and your client understand the ethical consequences.”</p>
</blockquote>

<p><a href="https://www.fastcompany.com/3064679/body-os/dexcoms-blood-sugar-monitor-has-been-a-life-changer-for-this-diabetic">It’s unrealistic that we’re able to evade this completely</a>,
but we can at least realize what and who we support here and acknowledge this. We
can search for alternatives. We can tell our clients about this and try our best
to not give users’ data to these services.</p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Notes on “Managing Dedicated Time-Off And Vacation”</title>
            <link href="https://helloanselm.com/notes/vacation-time-off/"/>
            <updated>2016-08-26T00:00:00+02:00</updated>
            <id>https://helloanselm.com.com/notes/vacation-time-off</id>
            <content type="html"><![CDATA[ <p>I’m crappy at managing my vacation and forcing myself to rest. Don’t get me wrong,
until I realize the truth, I think I’m good at this.</p>

<p>Last weekend I suffered from health issues, and they’re still not entirely gone.
I don’t know exactly what’s the matter but reflecting on the roots of this, I realized
that something has been very wrong for quite some time now.</p>

<p>I claim to have an amazing life — being a web developer that is allowed to work remotely
is a great opportunity. I managed to do a lot of fun things this year,
going outside into nature, hiking, climbing, mountain biking. All these days have been amazing
but while I took one or two days off here and there in combination with a weekend,
I never took real vacation time.</p>

<p>Today I looked up in my calendar when was the last time that I hadn’t been working for longer
than a few days: Last August, exactly one year ago. This made me realize how bad I am at taking
holiday.</p>

<p>Working on usually 1-3 projects at a time makes it easier to take a few days off instead
of two weeks. But the work alone isn’t the issue, it’s the things that happen in your life.
There are weekends where family celebrations happen (that’s no recovery), there are weekends where you
do sports (that’s no recovery for your body, only for your brain), and there are days and weeks
where you need to deal with bureaucracy or similar stuff. While you take a day off for those things,
they’re usually not relaxing. Yet, your body and mind from time to time need to relax.</p>

<p><strong>Relaxing is important. Doing nothing is important (I suck at that). Taking vacation regularly is important.
Reflect how much you took care of your body over the last year more often…</strong></p>

<p>Next week, right after the NightlyBuild I gladly leave for an entire month of vacation.
I just decided to not take my MacBook with me and I’ll not work on anything during that time.</p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>The WDRL Evergreen List</title>
            <link href="https://helloanselm.com/notes/wdrl-evergreen/"/>
            <updated>2016-04-28T00:00:00+02:00</updated>
            <id>https://helloanselm.com.com/notes/wdrl-evergreen</id>
            <content type="html"><![CDATA[ <p><strong>I’d like to announce the immediate availability of <a href="https://wdrl.info/evergreen">The Evergreen List</a>. It’s a hand-picked selection of resources from the weekly digests that are important for a longer time.</strong></p>

<h3 id="why-does-the-evergreen-list-exist">Why does The Evergreen List exist?</h3>

<p>This additional list has been created so that people can find very important, all-time relevant content more easily. You could also see this as the filter for the filtered weekly lists that only contains the most important links over time.</p>

<h3 id="does-this-list-grow">Does this list grow?</h3>

<p>Yes, this list will grow over time as continuously very important articles will be referenced here. On the other hand, this list, by definition, will grow very slowly.</p>

<p>And from time to time it might happen that content from this list will be removed. This, for example, can happen if some content is not relevant anymore or better content for the same topic is available.</p>

<h3 id="what-else">What else?</h3>

<p>I have several more things on my list to improve the Web Development Reading List. First on my list now is to improve the search engine so that you can find old links better. But I also have already some ideas on how to make The Evergreen List better. It’ll just take some time.</p>

<p>Enjoy it!<br>
<em>— Anselm</em></p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>On “What are CSS Modules and why do we need them?”</title>
            <link href="https://helloanselm.com/notes/on-css-modules/"/>
            <updated>2016-04-05T00:00:00+02:00</updated>
            <id>https://helloanselm.com.com/notes/on-css-modules</id>
            <content type="html"><![CDATA[ <p>I long hesitated to comment on the “CSS Modules” tool, but seeing <a href="https://css-tricks.com/css-modules-part-1-need/">an article on CSS-Tricks about it</a>,
and in it some fundamentally flawed assumptions and arguments, I want to briefly add some thoughts to it.</p>

<blockquote>
<p>CSS Modules takes a different approach. Instead of writing plain HTML, we need to write all of our markup in a JavaScript file, like <code>index.js</code>.</p>
</blockquote>

<p>This is the first and main issue I have with the whole approach: We now shift CSS, a language that is somehow failsafe and its files (<code>.css</code>-files) which
get some special treatment by the browser during a pageload, towards JavaScript. All that while we know that JavaScript is loaded and parsed in a completely
different way by the browser and is not failsafe but, as I tend to say, ‘safe to fail’.
The HTTP network and its companion HTTPS are designed to fetch HTML, CSS, JavaScript and other asset files separately. It’s designed for performance and now
we take that and <strong>by serving CSS through JavaScript intentionally slow down the browser’s capability</strong>. And then, polluting the UI thread with so many operations
through a single point, we complain about <a href="http://blog.runspired.com/2016/03/25/the-chrome-distortion-chrome-alters-our-expectations-in-highly-negative-ways/">our browsers being slow</a>.</p>

<p>You might argue now that CSS Modules can do this in a pre-processor step and compile the generated classes and styles as HTML, CSS.
While that is true, in that case you gained nothing. You will be forced to use generic, ‘unstyled’ HTML elements that do not easily inherit any styles, such as <code>&lt;div&gt;</code> or <code>&lt;span&gt;</code>.
But even with such elements, CSS still has the global scoping as it was built that way. You cannot escape the cascade if you use <code>.css</code> files and HTML markup.
You can only try to limit its behavior.</p>

<p>But let’s go on with a list of questions raised in the article as to what the technique can solve. In here lie the biggest problems in web development
I see these days.</p>

<blockquote>
<p>Have you ever been tempted by a lack of time or resources to simply write CSS as quickly as possible, without considering what else you might affect?</p>
</blockquote>

<p>This is probably one of the worst statements to advertise a technique that I saw recently. This basically says: Don’t care what you do, you even do not need to
understand the basics of web development. Use this technique and everything will be okay. And it’s okay because you have no time to do it properly.
It’s like saying: Hey plumber, here’s the trick: You have no time? Then just use some duct tape to connect my toilet to the drain pipe. It’ll be okay.</p>

<blockquote>
<p>Have you ever run across styles that you weren&#39;t entirely sure what they did or if they were even being used?</p>
</blockquote>

<p>Here I fail to understand how CSS Modules should help. They don’t add any value. You can still write styles and forget to remove them; you still don’t need to document anything about them.
In fact, if some part of it is missing, chances are even lower that you can retrace what a style was intended for.</p>

<blockquote>
<p>This approach is designed to fix the problem of the global scope in CSS.
(…)
With CSS Modules, and the concept of local scope by default, this problem is avoided. You&#39;re always forced to think about the consequences as you write styles.</p>
</blockquote>

<p>No it’s not. Please read the <a href="https://www.w3.org/TR/2016/CR-css-cascade-4-20160114/#intro">specification on the cascade</a> to understand how CSS works.
You can’t fix it if you still use it. Imagine the cascade as something that is hard-wired into CSS. And it is so on purpose. If you tell me something about
“fixing … the cascade” you have not understood CSS—defined as ‘Cascading Style Sheets’. The only way out would be Web Components with its very own Cascade Root.</p>

<p>In the projects I’ve done, I came across a lot of challenges. A lot of them had to do with the Cascade of stylesheets. And I acknowledge the fact that this is hard to understand or that sometimes it’s not easy to find the proper solution. But overall, I think the Cascade with its feature to inherit things from parents is the biggest advantage of CSS.</p>

<p>In the 10 years I’ve been writing front-end code, I once had to write code where I really wished to avoid the cascade. During that project, I thought a lot about the cascade—actually more than I ever did before and more than I wanted to. But I realized that the only type of project where one wants to avoid the cascade is a third party component that needs to have its own style and is not injected in an iframe. That will be possible by using web components in the future.</p>

<p>For everything else, I can only advise: Learn the cascade, use it and write smarter CSS code that inherits as much as possible from its parents. Don’t shift away your responsibility as a developer.</p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>On Cloudflare’s “The Trouble with Tor”</title>
            <link href="https://helloanselm.com/notes/cloudflare-tor/"/>
            <updated>2016-04-04T00:00:00+02:00</updated>
            <id>https://helloanselm.com.com/notes/cloudflare-tor</id>
            <content type="html"><![CDATA[ <p>Last week, Cloudflare published an article headlined with <a href="https://blog.cloudflare.com/the-trouble-with-tor/">“The Trouble with Tor”</a>.
The whole post was caused by protesters who complained about Cloudflare’s strict Tor policy.</p>

<p>The default setting for users’ sites is to ‘block’ Tor traffic and ask people to solve a Google Captcha. While this is not blocking access to a site in a traditional way for most people, it is indeed a complete block for many people using Tor. And that is because many people are not able to solve the Captcha. Me for example.
I use the Firefox Strict Tracking protection (powered by the awesome <a href="https://github.com/disconnectme/disconnect-tracking-protection/blob/master/services.json">Disconnect tracking list</a>). That lists Google’s CDN data as a tracking resource (because they <em>do</em> track people), completely preventing the Captcha from loading. And if you use the Tor browser with that setting, all Cloudflare sites are suddenly not accessible anymore.</p>

<blockquote>
<p>Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.</p>
</blockquote>

<p>When I read this statement, I immediately wondered whether that number can be true. It just seemed too high, mainly because I personally know a couple of Tor users (funnily, they’re not people working in tech, they just want their privacy ensured), using the network as their primary Internet access point to research things.</p>

<p><img src="https://helloanselm.com/img/notes/cloudflare-tor/akamai-slide.png" alt="Slide showing research results on malicious vs. non-malicious Tor traffic: The conversion rates of both are the same, leading to the result that about 50% of the traffic is legal, non-malicious traffic"></p>

<p>Soon after, the <a href="https://blog.torproject.org/blog/trouble-cloudflare">Tor project published a blog post</a> with questions to Cloudflare regarding those numbers. And in that, they link to an Akamai (a competitor to Cloudflare) <a href="https://www.stateoftheinternet.com/downloads/pdfs/state-of-the-internet-q2-2015-security-report-threat-tor-preso.pptx">research</a> <em>[pptx-file]</em> which measured that at least about 50% of Tor traffic is not malicious but valid traffic. <strong>If that were true, it would mean that Cloudflare blocks traffic for 49% of users to prevent 49% of malicious traffic. Is that a valid trade-off? I doubt it.</strong> I think Cloudflare could deal much better with that amount of malicious traffic than they do now. At least, Akamai says that overall malicious traffic rates on the Tor network are not higher than on normal HTTP/S networks. And if Akamai were doing a bad job at filtering out malicious traffic, I don’t think they’d have so many big customers today. <em>There is always a better solution</em> than blocking specific networks.</p>

<p>Do you know that you can easily find out customers of the free Cloudflare plan? Visit one site using it, and look at the certificate. It contains many more customer domains as they all share one certificate. And while this is not per se wrong and Cloudflare even says so when you sign up, since Let’s Encrypt is usable now, they could provide a free, unique certificate even for their free customers.</p>

<p>Read more about this topic in my articles here:</p>

<ul>
<li><a href="https://helloanselm.com/2015/perf-is-king-so-is-ownership/">Performance is King, but so is Ownership</a></li>
<li><a href="https://helloanselm.com/2016/choose-your-own-https/">Choose Your Own HTTPS</a></li>
<li><a href="https://css-tricks.com/interview-web-security/">Interview on Web Security, HTTPS and Privacy for your Users</a></li>
</ul>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Notes On My Conference Year 2015</title>
            <link href="https://helloanselm.com/notes/conferences-2015/"/>
            <updated>2016-02-15T00:00:00+01:00</updated>
            <id>https://helloanselm.com.com/notes/conferences-2015</id>
            <content type="html"><![CDATA[ <p>For me, 2015 has been quiet regarding conferences I attended. After years with many events I needed a break from seeing all the same things over and over again (which is only a bad thing when you attend too many events).</p>

<h3 id="tedx-munich">TEDx Munich</h3>

<p>In November, I attended <a href="http://www.tedxmuenchen.de/tedxmuenchen-hidden-treasures">TEDx Munich</a> and it was amazing. They achieved a great mix of speakers, very good diversity (speakers, attendees) and after every two to three talks they had a short music act that somehow was related to their topic “hidden treasures”. They also managed to talk about fundamental humanity issues, ethics, corruption without shifting the event into a “grumpy” direction. It was very inspiring and I learned a lot about how to showcase speakers to make an event great. They also managed to raise funds from their sponsors to give 100 refugees tickets for the event (usually 100EUR each).</p>

<h3 id="beyondtellerrand">beyondtellerrand</h3>

<blockquote>
<p>“It looks like great events have a custom ‘signature’ — at Marc Thiele’s BTConf, it’s a DJ sampling tracks from the talks or a “traditional” Swedish kitchen set-up on stage at Malmö eCommerce Summit and Fronteers always highlights one design agency and gives them a platform to explain the process and how they work. I guess it’s really important to create at least one memorable thing that becomes a tradition and stick to it.”—Vitaly Friedman.</p>
</blockquote>

<p>As in all the years I attended this event, the <a href="https://beyondtellerrand.com/events/duesseldorf-2015">beyondtellerrand event</a> in Düsseldorf in May 2015 was one of the best experiences. I think I love Marc Thiele’s events so much because he achieves such a great speaker/topic mix within a great atmosphere with so many little details done right. And the fact that this conference does not only cover web development topics but goes beyond our industry in some talks, and the people I meet there make me love this conference so much. I agree with Vitaly Friedman here that having a custom signature is important.</p>

<h3 id="outside-the-industry">Outside the Industry</h3>

<p>I attended a few conference events outside of the web industry and, to be honest, we can be proud about our standard expectations. Even big, impactful events in other industries are often organized in an &quot;unprofessional&quot; way. Non-working tech setups are common, speakers not being informed about anything, speakers not having an outline for their talk, people in the audience treating speakers like their pupils (like doctors, professors, etc. giving “feedback” to a talk in the audience and just let speakers know what they did wrong to level out themselves), food, registration, etc.</p>

<h3 id="my-baby-pubkon">My baby: PUBKON</h3>

<p>I made <a href="http://2015.pubkon.eu/">PUBKON 2015</a> happen (a publishing / InDesign event I’ve done for 5 years now) with my team of three organizers and it was a success, although I can see a clear difference between designers/publishers and web development and its interest in attending events. The hardest struggle for us besides selling enough tickets was to find new content and new speakers for the event as it’s in German language and a 2-track conference featuring 20 speakers but somehow we managed to find new people (Call for Papers, hours of research). We also managed to get more diversity in our speaker line-up but it still was not ideal (of 20 speakers we had only 5 women, no other ethnical type than Germans), but our audience again had about 50/50 men/women share which was amazing. In 2015, we concluded the event series and decided to not do it again in the near future. I’m quite happy and sad at the same time about this. Happy because I think it was the right time to do so after four successful events and I think events do not need to stay around forever. Sad because it’s a huge part of my spare time I invested into this and the main reason for not doing it again was that each year we massively struggled to sell enough tickets to not lose money with the event despite the fact that no one of us was earning money for the work on it. Thanks to all who were involved in the events so far, thanks so much to all the attendees who loved the event and I hope to meet at least some of you again somewhere else. Cheers!</p>

<h3 id="my-baby-no-2-nightlybuild">My baby No. 2: NightlyBuild</h3>

<p>I made <a href="https://www.nightlybuild.io/2015/">NightlyBuild 2015</a> happen with my team of five and it was a huge success. We had three out of four talks held by women, had a strong topic focus on “work efficient, live your life” and got rewarded for that by the attendees. I learned a lot on organizing low-budget events (tickets are 49EUR) and from what people said, it’s possible to make it a great experience.<br>
One thing that bothers me: We wanted to support people who can’t afford tickets by giving them even cheaper ones (25EUR). For that they should simply send us a reason why they need it. We wanted to give away 10-15 tickets but got only three applications and one of them actually purchased his granted ticket finally. I was very disappointed to see that as I believe there are many people (students, jobless people) who would’ve profited from that. So if anyone knows how to improve this, I’m happy to get suggestions.</p>

<blockquote>
<p>“sponsored diversity scholarship at Web Directions by John Allsopp which is a sponsored scholarship donated by sponsors to enable people from different background to join an event, including travel costs and accommodation and the conference ticket.”</p>
</blockquote>

<p>Maybe it’s indeed needed that if you offer a diversity ticket, travel and accommodation is needed as well? That’s definitely also something to consider.</p>

<h3 id="modxpo-europe">MODXpo Europe</h3>

<p>In late November, I was invited to speak at a CMS conference, the <a href="http://2015.modxpo.eu/">MODXpo Europe</a>. They explicitly asked me to share my thoughts about front-end tooling, workflows and not to care about the CMS part in their conference. So I ended up telling them a story about how I started out in web development back in 2003 with no tooling at all, how the web and our workflows evolved and how today it still comes down to knowing the basics, staying calm and choosing solid tools instead of jumping on the latest trend every few weeks. Hans-Christian Reinl spoke directly after me, taking up my topic and showed some practical tips for a solid, lean and modern workflow. I had the feeling that both topics had great impact on many people in the audience, ensured and assured full stack developers that they are on the right track and not feel left behind by all the technologies and tools out there. But also taking note to get into learning again, for example how to write basics such as semantic markup or how to write JavaScript unit tests to improve the code quality. I also had great conversations with some people there and we all had the pleasure to listen to Vitaly Friedman for a full three hours in the evening. He just didn’t want to stop and the audience listened magnetized.</p>

<h3 id="summary">Summary</h3>

<p>I also spent a lot more time than before on researching what one could improve at events to make them more personal, more memorable, more cost-effective, easier and more comfortable to attend for people.<br>
<strong>I learned</strong> that many people want conferences to be more sustainable (by gathering feedback on my events and seeing twitter timelines, feedback for other conferences) in terms of “please avoid unnecessary waste / please try to get materials from sustainable sources / ethically fair produced products”. I agree with that and this will actually be my goal for the next year to figure out how to do that the best way without upsetting partners/sponsors.</p>

<p>I summarized a <a href="https://gist.github.com/doismellburning/6ef44a51df271bca4782">gist by Kristian Glass</a> gathering user stories around conferences. You can get the curated, summarized and sorted version here: <strong><a href="https://gist.github.com/anselmh/819e724a8e513a61837c">Conference User Stories</a>.</strong></p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Consumer Behavior</title>
            <link href="https://helloanselm.com/notes/clever-consumer-behavior/"/>
            <updated>2015-12-14T00:00:00+01:00</updated>
            <id>https://helloanselm.com.com/notes/clever-consumer-behavior</id>
            <content type="html"><![CDATA[ <p>Last week I read a few things about saving energy. It turns out that our consumer behavior is broken.</p>

<p>It’s not reasonable to replace your old TV with a new one to save energy. Because you’re not. Your old one needs to be recycled. But instead it’s sent to Africa where people suffer from tearing down the toxic material in it.</p>

<blockquote>
<p>“Don’t buy more than what you need. Fast fashion consumption is not sustainable in the long term.”—<a href="https://twitter.com/patagonia/status/674170988960063488">Rose Marcario</a>, CEO of Patagonia</p>
</blockquote>

<p>Your new TV needs to be produced and shipped to you. These steps require a lot of rare earth metals and energy. Now that you have your new TV, you can save a few kilowatt hours per year. But it has cost you over $500 to buy a new one. It’s very unlikely that you’d spend this amount on additional energy with your old TV over the next five years. But will your new TV survive five years?</p>

<p>Consider if you really save money here. Consider if it’s really helping the environment. Instead, power your devices off during the night. That saves $20 on energy and needs no new wasted resources.</p>

<p><strong>You can really change things and save energy by buying less instead of spending more money on additional waste. Less is more.</strong></p>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>TEDx Munich 2015</title>
            <link href="https://helloanselm.com/notes/tedx-munich-2015/"/>
            <updated>2015-11-11T00:00:00+01:00</updated>
            <id>https://helloanselm.com.com/notes/tedx-munich-2015</id>
            <content type="html"><![CDATA[ <p>I stumbled over the event just two weeks ago. <a href="http://www.tedxmuenchen.de/tedxmuenchen-hidden-treasures-speaker">The TEDx Munich 2015</a> which had the title “Hidden Treasures”. Until now, I only have known TED talks from videos and I have seen extraordinarily great ones over the past years. Curious but knowing how much TED Events cost, I read that the independently organized Munich event was only 140EUR for the ticket. Not knowing a single speaker made me purchase a ticket immediately.</p>

<p>You might be curious why I purchased the ticket as I didn’t know any speaker. Over the past years I’ve been to dozens of conferences and this year took a break (few exceptions) from conferences as I got annoyed by hearing the same things and stories all over again. Now having a different target group for TEDx and different speakers, all with the goal to inspire me, made the event attractive to me. And indeed, it has proven to be one of the best events in a long time. Funny enough, there is one conference I was reminded of over and over again today. Marc Thiele’s <a href="http://beyondtellerrand.com/">beyondtellerrand events</a> always cover a few very different topics that are not directly related to front end development. And I immediately thought of Marc’s event when I saw <a href="https://en.wikipedia.org/wiki/Martin_Walker_%28reporter%29">Martin Walker</a> speaking about the challenge of <abbr title="artificial intelligence">AI</abbr> or <a href="https://www.transparency.org/whoweare/organisation/management">Cobus de Swardt</a> talking about how we as a public can push towards more transparency to avoid corruption.</p>

<p>I loved the fact that the organizers have mixed talks and entertaining acts so well together. After a few talks followed a music act, for example a <a href="http://www.tedxmuenchen.de/tedxmuenchen-hidden-treasures-performer">Syrian music teacher</a> and pianist playing for hope, freedom, and peace. A good pause for the brain for every act, something I’d never have listened to on my own.</p>

<p>What did I take away from it?</p>

<ul>
<li>Lots of learning about &quot;refugees&quot;. http://cycling4gaza.com/</li>
<li>Corruption https://www.transparency.org/</li>
<li>AI https://en.wikipedia.org/wiki/Martin_Walker_%28reporter%29</li>
</ul>
 ]]></content>
        </entry>
        
        
        
        <entry>
            <title>Notes on Stripe</title>
            <link href="https://helloanselm.com/notes/stripe/"/>
            <updated>2015-10-21T00:00:00+02:00</updated>
            <id>https://helloanselm.com.com/notes/stripe</id>
            <content type="html"><![CDATA[ <p>A few months ago I finally implemented Stripe as donation platform for WDRL with the help of my friend Tobias Tom. This is a short story on how it turned out to be an awful experience.</p>

<p>I already started an attempt to implement Stripe when they released their cool checkout.js product. What I didn’t realize back then, and only found out by accident, is that while it’s super easy to implement the JavaScript for it, you still need to make the charge on your server by accessing their API. This is well hidden in the documentation. It needs you to know a server side language and you should really understand what you’re doing here as you are dealing with payments now. Even worse, this little fact puts you in charge if anything goes wrong with a payment.</p>

<p>However, this summer my friend Tobias helped me implement it on the <a href="https://wdrl.info/">wdrl.info</a> site. It turned out that not too many people are confident using Stripe and most people still donate via PayPal. That’s why I was surprised today to see a couple of donations, like five in a couple of minutes, incoming via Stripe. I was a bit suspicious and logged in to the dashboard.</p>

<p>First thing I noticed were a lot of declined payments and then seeing that the suspicious transfers all have weird payment details (a gmail address with a name and a random number, not all passed CVC check, and various countries, missing bank details).</p>

<p>Digging into the help docs of Stripe you suddenly find out that they set you in charge for chargebacks, fraud and similar things. If a chargeback happens, you are at least charged a fee of EUR 15, probably more by other parties involved. They also state that if you refund a lot of payments this can affect your account negatively (understandably) but when you report a payment as fraud this is a legal case of which you can be held responsible if it turns out it isn’t fraudulent.</p>

<p>At that point I disabled the Stripe form on the website immediately. Actually, it seems you can’t even disable or delete your Stripe account without contacting them personally via email (no option in the dashboard, no article in docs/help).</p>

<p>My take-aways:</p>

<ul>
<li>Stripe doesn’t make payments as easy as they say</li>
<li>Stripe holds you responsible for payments, chargebacks, fraud</li>
<li>Stripe says you need to take care of fraud prevention, otherwise they charge you at least EUR15 (plus applicable fees by credit card institute, bank, etc)</li>
<li>Stripe does not provide an easy method to set your account inactive or delete your account</li>
</ul>

<p>That’s it. No more Stripe for me, PayPal will again be the only donation platform for WDRL.</p>

<hr>

<h4 id="a-call-with-a-stripe-person">A Call with a Stripe Person</h4>

<p>Only a few days after I published this note, I received an email by a Stripe employee here in Germany, asking politely if we could have a talk to sort out my problems and discuss my experience. I agreed because it was great to see that they care about me as a very small customer and I also wanted to let them know where I struggled and if I could resolve some of my issues. It was indeed an interesting call. Here are some notes from it in short form:</p>

<ul>
<li>My points stated above are mostly correct.</li>
<li>The wording used on the website, docs and dashboard can be confusing and often is written way too ‘hard’ (legal implications). I reported with which terms and descriptions I struggled most and hope the developer / writer team will take this feedback into account.</li>
<li>As a merchant you are indeed responsible to detect and report fraud and if you miss, you can be charged at least EUR15 for the chargeback by the bank, often much more.</li>
<li>As a result, they recommend to build an easy fraud-detection system: Require an address that fits to the country of the credit card (unreliable though if people are traveling) and collect charges on your server and add them to a queue. Then you process the payments only after a few days, reviewing them individually again for ‘fraud-behavior’ or wait if Stripe / the bank already blocked some of these cards.</li>
<li>He also told me about a few success stories where organizations similar to me (in terms of accepting donations, not in terms of the organization size) are successfully using Stripe. This was great to hear but indeed it’s all organizations that are way bigger than my small WDRL project and for them, it was worth building this server-side fraud-prevention on their own.</li>
</ul>

<p>In summary, it came out that for me it’s not worth it to build such a complex system. The reason is mainly that in the six months of providing Stripe donations, I received roughly about 50EUR in summary. And building such a review and queue system would cost me at least some hours, not including the running review effort. I conclude that Stripe is still a great way to accept money but you should know what you’re doing and it’s not thought for very small projects.</p>
 ]]></content>
        </entry>
        
        
    </feed>
