website development specification


website development specification

Encoding security

2.1 Enter verification


Any data from the client,Such asURLParameters、HTTPhead、 Javascript戓 Information submitted by other embedded code,Both are untrusted data。Apply external boundary or internal each component or function boundary,Both use it as a potential malicious input to verify


Untrusted data can set white list verification,Received data that matches all and white lists,And block other data

(Website Development Specification)blacklist

When the incomplete data contains poor input characters,Empty byte(%00)、Disabled(%0d,%0a,r, n)、Path character(../ or ..)Wait,It is recommended to block the data directly.,If you need to accept the data,The purification process of different ways should be made


Non-credible data purification and verification,If you traverse your directory(./or)The equal relative path is transformed into an absolute pathURLDecoding, etc.。


Unsvisible data needs to implement various purification processing,Malicious characters should be completely removed,Leave only known security characters,Or properly encode them before processing or"Escape",If the data is output to the application pageHTMLEncoding can prevent script attack

Legitimate check

Legitable checks for untrusted data:Data types such as characters.number、Date and other characteristics;data range;Data length, etc.

(Website Development Specification)PreventionSQLinjection

Untrusted data enters the backend database,It is recommended to use the correct parametric query to process,AvoidSQLinjection

(Website Development Specification)File check

Unsvisible data is a decompressed file,If the file is located outside the service directory or the file size exceeds the limit,Should be rejected

Access control

Untrusted data passed through the above check,It should also be confirmed whether the submitted content matches the identity of the user.,Avoid access access

2.2 Output verification


Consider the security of the target compiler,Correctly encode all output characters

Encoding scene

Unsvisible data output to the front and rear end page,Related coding according to the output field,Such asHTMLEntity encoding、URcoding

(Website Development Specification)Purifying scene

Operating system command、SQLandLDAPInquire,Purify sensitive information of all outputs,Bank card、Phone number、System information, etc.

2.3 SQLinjection


User input enters the applicationSQLBefore operation,Legality checking for input。


Parameterized query(PHPusePDO,Javause PreparedStatement,C#use Sqlparameter)Method for sensitive characters such as"Conduct an escape,Then carry outSQLoperate。

Minimize authorization

Minimize database operation permissions for each application configuration,Prohibit database operations with administrator privileges,Restrict operation connection。

Sensitive data encryption

Sensitive information is encrypted、Hash or confusion, etc., confidential storage,Reduce data leakage risks brought by possible vulnerabilities.

Prohibited error display

(Website Development Specification)Prohibition of the system open DebugReturns a prompt containing sensitive information when modes or exceptions,It is recommended to use custom error message template exception information to be stored in the log for security audit.

2.4 XSSCross Station

Enter check

(Website Development Specification)Filter and escape the input data,Contains but not limited to<>"9%0&+V"Waiting for dangerous special characters

Output code

Enter data output to different forms of encoding in different scenarios,Such as outputHTMLTagging in the labelHTMLCode output toURLIn the middleURLcoding,Output toJSIn the middle Scriptcoding,Output to StyleIn the middlecsscoding

2.5 XMLinjection

Enter check

existXMLDocumentation during or external reference data,Filter user committed parameters,Such as<、>&Waiting for special characters。Prohibited loading external entities,No error

Output code

SuggestionXMLElement properties or content of output escape

2.6 CSRFCross-station request forgery

(Website Development Specification)Tokenuse

Add a session generated in the form of important operations TokenField time,Check this field after submitting

Second verification

When committing a key form,Require users to conduct secondary authentication, such as password、Picture verification code、SMS verification code, etc.


Test user request RefererWhether the field has a cross-domain submission

Logical security

3.1 Authentication


All access to non-public web pages and resources,Standards must be performed on the backend service、General authentication process

(Website Development Specification)Submit a credential

User credentials must be encrypted andPOSTMethod of submitting,RecommendationHTTPSAgreement to encrypt the channel、Authentication service

Error message

Safely handle failure identity verification,Use"wrong user name or password"Come to prompt failure,Prevent leaks too much information

(Website Development Specification)Abnormal processing

The login entry should have to prevent violence or hit the library.(Use the leaked password dictionary for mass login attempts)Measures,Exceed1Secondary verification failed automatically enable Tulex test,More than multiple verification failed automatically enabled account lock mechanism to restrict its access

Second verification

Implement key operation(Such as account password modification、Data update、Transaction payment, etc.)Time,Start the Tuling test first,Two verifications for the user。The transaction payment process should also form a complete evidence chain.,The data to be traded should pass through the initiator digital signature

(Website Development Specification)Multi-factor verification

Highly sensitive or core business system,Suggested multi-factor authentication mechanism,Such as SMS verification code、software and hardware TokenWait。

3.2 SMS verification

Verification code generation

At least complexity6Bit number or letters,Once a time,It is recommended that the validity period does not exceed180Second。

Verification code limit

The front-rear end sets the user obtaining frequency is60Second time,It is recommended that each user gets the most SMS.10strip

safety warning

Increase security tips:At least the function of this operation、Verification code transmission number、Is it a risk such as personal operation?。

Voucher check

Prohibited back to verification code in response,Server side check password、SMS verification code and other credential information,Prevent a multi-phase certified bypass。

3.3 Tulex test

(Website Development Specification)Verification code generation

(Website Development Specification)At least complexity4Bit number or letters,Or use a puzzle and other verification methods,Once a time,It is recommended that the validity period does not exceed180Second

Verification code

It is recommended to start from the user experience and safety perspective.,Can be designed to ship when users1Automatic pop-up verification code input box verification

Verification code verification

Prohibited back to verification code in response,The verification code check should be on the server

3.4 Password management

password setting

(Website Development Specification)Password setting,Should be satisfied8Bit and above length,Included letters、Digital and special characters, etc.。User password setting must be inspected,Do not allow settings that are not full complexity requirements。

Password storage

User password storage,Hash algorithm should be used(Such asSHA1)Calculate user password and unique random salt value(Salt)Summary value saves its summary andSatvalue,It is recommended to store these two values separately.

change Password

When the user changes the password,Modifying operations need to be authenticated by mobile phone numbers or mailboxes。Password change,SMS or email notifications, if the user is a person?,Inform the security risks

recover password

(Website Development Specification)User password,The rear end needs two verification of the registered mobile phone number or email address.,Verification code and verification links should be sent to pre-registered addresses,And set the validity period to prevent violent cracking。Security Question,It should be supported as possible questions as possible。In multiple verification operations,To sort each verification mechanism,Safety risks that prevent the front verification mechanism directly to the last step authentication

Password use

Disable setting of universal password in application development、Hard coded clear text code、Use database administrator account operations、Different users public account Household operation or output password to log file or console.

3.5 Session security

(Website Development Specification)Prevent session hijacking

When the application is authenticated,It is recommended to useHTTPSconnect,Authentication siteHTTPSprotocol。If the connection is to prevent sessionHTTPredirect toHTTPS,Need to regenerate the session identifier。ForbiddenHTTPandHTTPSCirculation,This may cause the session to be hijacked

(Website Development Specification)Session identifier security

(Website Development Specification)Set session CookieTime,Correct settingsHttponlyAttributes(Prohibit procedures5Script and other reading Cookieinformation) SecureAttributes(banCookieSafety settingCookiepass throughHTTPConnect to the server side for verification);DomainAttributes(An authorized access domain name that can be specified across domain access),"Path"Attributes(Authorized visible directory path)。

CookieSecurity Settings

(Website Development Specification)The session identifier should be placedHTTPorHTTPSAgreement's head information security,ProhibitGETParameter transfer、Record the session identifier in the error message and log


The server implemented a complete session management mechanism,Each will prevent eachCSRFThe request has implemented legitimate authentication and permission control,Preventing attacks from request forgery(CSRF)Vulnerability。

Session validity period

Sessions should set the validity period on the basis of balance risk and functional needs。Regularly generate a new session identifier and make the last session session validity period identifier,This can alleviate the risk of session hijacking caused by the original session identifier。

Session logout

Logout function applies to all authenticated webpages,Use the user session to log out of the logout should immediately clean up the session related information.,Terminate related session connections

3.6 Access control

Control Method

(Website Development Specification)Separating the logical code of the access control with other code of the application to access the access control management according to the session ID。

Control management

Restrict only authorized users to access protectedURL、document、Serve、Application data、Configure、Direct object reference, etc.

Interface management

Restrict only authorized external applications or interfaces to access protected local programs or resources, etc.

Permissions change

When permission is changed,Record log,And notify whether the user is my own,Inform the existing security risks

3.7 File upload security

Identity verification

Perform file upload,Legal checking checks on the user's identity

Legitimate check

Perform file upload,Legal checking verification on the server file attribute,White list check document type(If the file is later called、File head information check, etc.)In size(Picture verification、Wide and pixels, etc.)。

Storage environment settings

Save the file,Save in document servers with an application environment(Configure a separate domain name),Saved directory rights set to not be implemented

Hidden file path

Save the file,Successfully uploaded files need to be randomly renamed,Prohibit returning to the client to save the path information。

File Access Settings

File download,Should be downloaded in binary,Suggestions do not provide direct access(Prevent Trojan Document)

3.8 Interface security

(Website Development Specification)network limitation

(Website Development Specification)Calling party network limit,For example, through firewall、HosthostandNginx denyWait for technical measures to verify。


Call regular authentication,for examplekey、 secret、Certificate and other technical measures to check,Prohibition of shared credentials

Integrity check

Call data security,Use all parametersSHA1Summary operations for digital signatures,Identify data is tampered with

Legitimate check

Parameter check,If the parameter is complete,Timestamp andTokenis it effective,Whether the privilege is legal, etc.

Availability requirements

Call service requirements,Call the power to maintain data consistency,Limit the call frequency and validity period

Abnormal processing

Calling exception handling,Call behavior real-time detection,Discover an abnormality timely block

Data Security

4.1 Sensitive information

Sensitive information transmission

(Website Development Specification)Sensitive information transmission,ForbiddenGETRequest parameters include sensitive information,User name、password、Card number, etc.。It is recommended to adopt all sensitive informationTSLEncrypted transmission。

Client Save

When the client saves sensitive information,Prohibit automatic fill in its form、Preserve sensitive information in plaintext form

Service Save

When the server is stored when sensitive information,Prohibit hard coding sensitive information in the program,Ming text storage user password、ID number、Bank card number、Sensitive information such as cardholder name,Interim write sensitive data in memory or files,Clear and release in time

Sensitive information maintenance

Sensitive information maintenance,Prohibit the source code orSQLThe library is transferred to the open source platform or community,Such as Github、Open source China, etc.。

Sensitive information display

Sensitive information show,If it is showingwebOn the page,Determination processing of sensitive fields should be performed on the backend server。

4.2 Log specification

Recording principle

Make sure logging contains important application events,However, preservation of sensitive information,Such as a session identifier,account password、Document, etc.

Event type

Record all authentication、Access operation、Data change、Key operation、Management function、Logout record and other incidents。

Event requirements

Logs generally record the time of occurrence of each event、RequestingIPAddress and user account(If you have verified)。

Log protection

Logs are strictly protected,Avoid unauthorized read or write access。

4.3 Abnormal processing

Fault-tolerant mechanism

The complete function exception capture mechanism should be included in the application implementation.try-catchPiece,Typical location:document、The internet、database、Command operation, etc.。Once an abnormality appears,Abnormal occurrence time should be recorded in the log in the log、Code location、Error details、Possible users who trigger errors, etc.,The serious abnormality of important systems should have alarm mechanism,Timely notify the system operator in time to investigate and repair questions

(Website Development Specification)Custom error message

In the production environment,Applications should not return any system generated messages or other debugging information in their response,Configuring the application server to handle the unprocessed application error in a custom manner,Returns custom error message

Hide user information

Prohibit privacy information for users in system abnormalities,Typical:Identity Information、Personal address、telephone number、Bank Account、Communication record、Positioning information, etc.

Hide system information

It is forbidden to disclose system sensitive information when system abnormalities(User account and password、System development key、System source code、Application architecture、System account and password、Network topology, etc.)。

Abnormal state recovery

When the method occurs, it is necessary to recover to the previous object state.,If the business operation fails, the rollback operation, etc.,Object modification failure to recover the original state,Connectation of the status of the object

Host security

5.1 I/Ooperate

Shared environment file security

Specify the appropriate access license when you create a file in a multi-user system,To prevent unauthorized file access,Share the reading of the file in the directory/Write/Permissions should be permissions should use white list mechanisms,Minimize authorization。

Data Access Check

Preventing the encapsulated data objects are not authorized,Set reasonable buffer size to prevent depletion of system resources,

Application file processing

The file created during the application running,Need to set up privileges(read、Write、Executable),Temporary files make timely delete

(Website Development Specification)5.2 Operating environment

Minimize open port

(Website Development Specification)Close the port and services that the operating system is not required

(Website Development Specification)Background service management

Backstage(Such as data cache and storage、monitor、Business management, etc.)Not limited to internal network access,Open in public network must set authentication and access control。

Environmental configuration

(Website Development Specification)Use a secure and stable operating system version、webServer software various application frameworks、Database components, etc.

(Website Development Specification)Sensitive code processing

Sensitive code(Such as software package signature、Username password check, etc.)All inoPrevent tampering in packages。

Close debug channel

Production code does not contain any debug code or interface

(Website Development Specification)Communication security

Configuring the websiteHTTPSCertificate or other encrypted transmission measures。

(Website Development Specification)

Article reference: