Encoding security
2.1 Input verification
Overview
Any data from the client, such as URL parameters, HTTP headers, JavaScript, or information submitted by other embedded code, is untrusted data. At the application's external boundary and at the boundary of each internal component or function, treat it as potentially malicious input and verify it.
Whitelist
Untrusted data can be validated against a whitelist: accept only data that matches the whitelist and block everything else.
Blacklist
When untrusted data contains bad input characters, such as null bytes (%00), line terminators (%0d, %0a, \r, \n), or path characters (../ or ..), it is recommended to block the data outright. If the data must be accepted, it should go through a sanitization process appropriate to its use.
Canonicalization
Canonicalize untrusted data before sanitizing and validating it, for example by converting relative paths used for directory traversal (such as ./) into absolute paths and by URL-decoding the input.
Sanitization
Untrusted data must be sanitized in the way appropriate to its use: remove malicious characters entirely, leaving only known-safe characters, or properly encode or "escape" the data before processing it. For example, HTML-encoding data that is output to an application page prevents script attacks.
Validity check
Perform validity checks on untrusted data: data type characteristics such as string, number, or date; data range; data length, and so on.
Preventing SQL injection
When untrusted data enters the backend database, it is recommended to process it with correct parameterized queries to avoid SQL injection.
File check
When untrusted data is a decompressed file, reject it if the file would be located outside the service directory or if its size exceeds the limit.
Access control
Untrusted data that has passed the above checks should also be checked to confirm that the submitted content matches the identity of the user, to avoid unauthorized access.
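As an added example (not part of the original specification), the following Python puts the 2.1 checks together: whitelist patterns, a blacklist of the characters named above, URL-decoding canonicalization before the blacklist is applied, type/range/length validity checks, and a path check that resolves a client-supplied relative path against a base directory and rejects anything that escapes it. The field names, patterns and base directory are constructed for illustration.

```python
import posixpath
import re
import urllib.parse
from datetime import datetime

# Constructed whitelist patterns for two example fields (assumptions, not from the page).
WHITELIST = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "order_id": re.compile(r"[0-9]{1,12}"),
}

# Blacklisted fragments named in the text: null byte, CR/LF, and ".." path segments.
BLACKLIST = re.compile(r"%00|\x00|%0d|%0a|\r|\n|\.\.", re.IGNORECASE)


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so a double-encoded payload
    such as %252e%252e is judged in its final form. Bounded to avoid spinning."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def matches_whitelist(field: str, value: str) -> bool:
    """Whitelist: accept only values that fully match the field's pattern."""
    pattern = WHITELIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None


def is_blacklisted(value: str) -> bool:
    """Blacklist: reject outright if any dangerous fragment survives canonicalization."""
    return BLACKLIST.search(canonicalize(value)) is not None


def check_validity(value: str, kind: str, max_len: int, lo=None, hi=None) -> bool:
    """Type, range and length checks for the kinds the text lists."""
    if len(value) > max_len:
        return False
    if kind == "int":
        if re.fullmatch(r"-?[0-9]+", value) is None:
            return False
        n = int(value)
        return (lo is None or n >= lo) and (hi is None or n <= hi)
    if kind == "date":
        try:
            datetime.strptime(value, "%Y-%m-%d")
        except ValueError:
            return False
        return True
    if kind == "str":
        return True
    return False


def resolve_within(base_dir: str, user_path: str):
    """Canonicalize a client-supplied relative path to an absolute one and
    confirm it stays inside base_dir; returns None when it escapes."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, canonicalize(user_path)))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None
```

The blacklist is only applied after canonicalization; checking the raw value would let a double-encoded traversal sequence through, which is the point the canonicalization item makes.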
2.2 Output verification
Overview
Take the security of the target interpreter into account and correctly encode all output characters.
Encoding scenarios
When untrusted data is output to front-end or back-end pages, apply the encoding appropriate to the output context, such as HTML entity encoding or URL encoding.
Sanitization scenarios
For operating system commands, SQL, and LDAP queries, sanitize all sensitive information in the output, such as bank card numbers, phone numbers, and system information.
2.3 SQL injection
Overview
Before user input reaches the application's SQL operations, check the input for validity.
Parameterization
Use parameterized queries (PDO in PHP, PreparedStatement in Java, SqlParameter in C#) so that sensitive characters such as the quote character (") are escaped before the SQL operation is carried out.
Least privilege
Configure the minimum database operation permissions for each application, prohibit database operations with administrator privileges, and restrict operation connections.
Sensitive data encryption
Store sensitive information confidentially using encryption, hashing, obfuscation or similar, to reduce the risk of data leakage through possible vulnerabilities.
Prohibit error display
Prohibit enabling Debug mode on the system or returning prompts that contain sensitive information when exceptions occur. It is recommended to use a custom error message template and to store the exception details in the log for security auditing.
2.4 XSS (cross-site scripting)
Input check
Filter and escape input data, including but not limited to dangerous special characters such as < > " ' % 0 & + \ .
Output encoding
Apply a different encoding to input data depending on the scenario in which it is output: HTML encoding when output inside HTML tags, URL encoding when output into a URL, Script encoding when output into JS, and CSS encoding when output into a Style.
2.5 XML injection
Input check
When building XML documents or referencing external data, filter user-submitted parameters for special characters such as <, > and &. Prohibit loading external entities and do not expose errors.
Output encoding
It is recommended to escape XML element attributes or content on output.
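As an added example (not from the original specification), one encoder per output context named in 2.2, 2.4 and 2.5: HTML entities, URL percent-encoding, JavaScript string-literal encoding, CSS hex escapes, and XML text and attribute escaping, using only the Python standard library. The final function places a single untrusted value into several contexts at once to show that the right encoder depends on where the value lands, not on the value. The page markup is constructed.

```python
import html
import urllib.parse
from xml.sax.saxutils import escape, quoteattr


def encode_html(value: str) -> str:
    """HTML entity encoding for text between tags or inside a quoted attribute."""
    return html.escape(value, quote=True)


def encode_url(value: str) -> str:
    """Percent-encoding for a value placed into a URL query component."""
    return urllib.parse.quote(value, safe="")


def encode_js(value: str) -> str:
    """Script encoding for a JavaScript string literal: everything other than
    ASCII letters and digits becomes \\xHH or \\uHHHH, so quotes, backslashes
    and </script> cannot terminate the literal or the script block."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isalnum() and code < 128:
            out.append(ch)
        elif code < 256:
            out.append("\\x%02X" % code)
        else:
            units = ch.encode("utf-16-be")  # surrogate pairs for non-BMP characters
            for i in range(0, len(units), 2):
                out.append("\\u%02X%02X" % (units[i], units[i + 1]))
    return "".join(out)


def encode_css(value: str) -> str:
    """CSS encoding for a value placed in a style property: a hex escape with a
    trailing space terminator for every non-alphanumeric character."""
    return "".join(
        ch if (ch.isalnum() and ord(ch) < 128) else "\\%X " % ord(ch) for ch in value
    )


def encode_xml_text(value: str) -> str:
    """XML element content: escapes <, > and & as section 2.5 asks."""
    return escape(value)


def encode_xml_attr(value: str) -> str:
    """XML attribute value, returned with safely chosen surrounding quotes."""
    return quoteattr(value)


def render_profile_snippet(display_name: str, homepage: str, theme_color: str) -> str:
    """Puts untrusted values into four contexts, each with its own encoding."""
    return (
        '<div style="color: %s">%s</div>\n'
        '<a href="/go?u=%s">link</a>\n'
        "<script>var who = '%s';</script>"
        % (encode_css(theme_color), encode_html(display_name),
           encode_url(homepage), encode_js(display_name))
    )
```

The same display name is HTML-encoded in the div and script-encoded in the JS literal; applying only HTML encoding to the script context would leave a quote able to break out of the literal.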
2.6 CSRF (cross-site request forgery)
Token use
When generating forms for important operations, add a session-generated Token field and check this field after the form is submitted.
Secondary verification
When a critical form is submitted, require the user to perform secondary authentication, such as a password, image verification code, or SMS verification code.
Referer verification
Check the Referer field of the user request to determine whether the submission is cross-domain.
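As an added example (not from the original specification), the Token and Referer checks from 2.6 in Python: a per-session token is generated with the secrets module and stored server-side, the submitted field is compared in constant time, and the Referer is checked against the site's own origin. The origin, form and header names are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"  # constructed origin for the example


def issue_csrf_token(session: dict) -> str:
    """Generate a per-session token and keep it server-side; the form embeds a copy."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted field with the session copy."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def referer_is_same_origin(referer, origin: str = SITE_ORIGIN) -> bool:
    """Referer check: scheme and host[:port] must equal our own origin.
    An absent Referer fails here; the token check remains the primary control."""
    if not referer:
        return False
    got, want = urlparse(referer), urlparse(origin)
    return got.scheme == want.scheme and got.netloc.lower() == want.netloc.lower()


def handle_transfer(session: dict, form: dict, headers: dict) -> str:
    """Server-side handling of an important form: token first, then Referer."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return "rejected: bad token"
    if not referer_is_same_origin(headers.get("Referer")):
        return "rejected: cross-site referer"
    return "accepted"
```

The Referer check is kept as a second, independent signal rather than the only one, because browsers and privacy extensions may strip the header.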
Logical security
3.1 Authentication
Overview
All access to non-public web pages and resources must go through a standard, common authentication process performed on the backend service.
Submitting credentials
User credentials must be encrypted and submitted with the POST method; it is recommended to use the HTTPS protocol to encrypt the channel for the authentication service.
Error messages
Handle failed authentication safely: report failure with a generic prompt such as "wrong user name or password" to avoid leaking too much information.
Exception handling
The login entry point should have measures against brute-force and credential-stuffing attacks (mass login attempts using leaked password dictionaries): after more than 1 failed verification, automatically enable a Turing test (CAPTCHA); after multiple further failures, automatically enable an account lockout mechanism to restrict access.
Secondary verification
When performing key operations (such as changing the account password, updating data, or making a transaction payment), first start the Turing test, then perform secondary verification of the user. The transaction payment process should also form a complete chain of evidence: the data to be traded should be digitally signed by the initiator.
Multi-factor authentication
For highly sensitive or core business systems, a multi-factor authentication mechanism is recommended, such as SMS verification codes or software and hardware Tokens.
3.2 SMS verification
Verification code generation
Complexity of at least 6 digits or letters, single-use, with a recommended validity period of no more than 180 seconds.
Verification code limits
The front end and back end limit the frequency at which a user can obtain a code to once per 60 seconds; it is recommended that each user receives at most 10 SMS messages.
Security warning
Add security prompts that state at least the function being performed by the operation, the number the verification code was sent to, and risk reminders such as whether the user is the one performing the operation.
Credential check
Prohibit returning the verification code in the response; the server side checks the password, SMS verification code and other credential information to prevent bypassing of multi-step authentication.
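As an added example (not from the original specification), a small Python service that enforces the 3.2 limits with the numbers given above: 6-digit single-use codes, a 180-second validity period, one code per user per 60 seconds, at most 10 messages per user, server-side checking, and a response that never carries the code. The SMS sender and the clock are injected so the service runs offline; the message text and the interface are constructed.

```python
import hmac
import secrets

CODE_LENGTH = 6      # at least 6 digits (3.2)
CODE_TTL = 180       # seconds of validity (3.2)
MIN_INTERVAL = 60    # one code per user per 60 seconds (3.2)
MAX_PER_USER = 10    # at most 10 messages per user (3.2)


class SmsCodeService:
    """Issues and checks one-time SMS codes. The sender and clock are injected so
    the service can be exercised offline; in production the sender is the SMS gateway."""

    def __init__(self, send_sms, now):
        self._send = send_sms   # callable(phone, text): the only place the code leaves
        self._now = now         # callable() -> seconds
        self._codes = {}        # user -> (code, issued_at)
        self._issued = {}       # user -> number of codes issued
        self._last = {}         # user -> time of the last code

    def request_code(self, user: str, phone: str) -> dict:
        now = self._now()
        if self._issued.get(user, 0) >= MAX_PER_USER:
            return {"ok": False, "reason": "quota"}
        last = self._last.get(user)
        if last is not None and now - last < MIN_INTERVAL:
            return {"ok": False, "reason": "too_frequent"}
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._codes[user] = (code, now)
        self._issued[user] = self._issued.get(user, 0) + 1
        self._last[user] = now
        self._send(phone, "Your verification code is %s (valid for %d seconds)" % (code, CODE_TTL))
        # The response never carries the code itself.
        return {"ok": True}

    def verify(self, user: str, submitted: str) -> bool:
        """Server-side check. The stored code is consumed on the first attempt,
        right or wrong, so it is single-use and cannot be guessed by retrying."""
        entry = self._codes.pop(user, None)
        if entry is None:
            return False
        code, issued_at = entry
        if self._now() - issued_at > CODE_TTL:
            return False
        return hmac.compare_digest(code, submitted)
```

Consuming the code on a wrong attempt is deliberate: with a 6-digit space, allowing retries against the same code would make guessing practical within the 180-second window.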
3.3 Turing test (CAPTCHA)
Verification code generation
Complexity of at least 4 digits or letters, or use puzzles or other verification methods; single-use, with a recommended validity period of no more than 180 seconds.
Verification code display
It is recommended to balance user experience and security, for example by automatically popping up the verification code input box once a user has failed 1 time.
Verification code checking
Prohibit returning the verification code in the response; the verification code check should be performed on the server.
3.4 Password management
Password setting
Passwords should be at least 8 characters long and include letters, digits, and special characters. User password settings must be checked, and settings that do not meet the complexity requirements must not be allowed.
Password storage
When storing user passwords, use a hash algorithm (such as SHA1) to compute a digest of the user password together with a unique random salt value (Salt), and save the digest and the Salt value; it is recommended to store these two values separately.
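As an added example (not from the original specification), the two 3.4 items above in Python: a complexity check for the 8+ character, letters/digits/special-characters rule, and salted digest storage with the salt and digest kept in separate stores. The digest is PBKDF2-HMAC-SHA256 from hashlib, used here in place of the single SHA1 digest the text names; the iteration count, store layout and user names are constructed.

```python
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 8
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption of this example

# Two separate stores, standing in for the separately stored digest and salt.
digest_store = {}
salt_store = {}


def meets_complexity(password: str) -> bool:
    """8+ characters containing letters, digits and special characters, as 3.4 requires."""
    if len(password) < MIN_LENGTH:
        return False
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def hash_password(password: str, salt: bytes = None):
    """Digest of password + unique random salt. PBKDF2-HMAC-SHA256 is used here
    instead of the plain SHA1 digest the text names."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def set_password(user: str, password: str) -> bool:
    """Reject non-compliant passwords; otherwise store salt and digest apart."""
    if not meets_complexity(password):
        return False
    salt, digest = hash_password(password)
    salt_store[user] = salt
    digest_store[user] = digest
    return True


def check_password(user: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = salt_store.get(user)
    stored = digest_store.get(user)
    if salt is None or stored is None:
        return False
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)
```

Because each user gets a fresh salt, two users with the same password get different digests, which is what makes the separate storage of salt and digest worthwhile.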
Changing the password
When a user changes the password, the modification must be authenticated via the mobile phone number or email address. After a password change, notify the user by SMS or email asking whether the change was made personally, and inform them of the security risks.
Recovering the password
For user password recovery, the backend needs secondary verification of the registered mobile phone number or email address. Verification codes and verification links should be sent to pre-registered addresses, with a validity period set to prevent brute-force cracking. If security questions are used, support as many different questions as possible. In multi-step verification, order each verification mechanism so that the earlier steps cannot be skipped straight to the final authentication step.
Password use
In application development, prohibit setting universal passwords, hard-coding cleartext passwords, operating with database administrator accounts, operating with accounts shared among different users, or outputting passwords to log files or the console.
3.5 Session security
Preventing session hijacking
When the application authenticates users, it is recommended to use an HTTPS connection and the HTTPS protocol for the authentication site. If the connection is redirected from HTTP to HTTPS to protect the session, the session identifier needs to be regenerated. Mixing HTTP and HTTPS is prohibited, as this may allow the session to be hijacked.
Session identifier security
When setting the session Cookie, correctly set the HttpOnly attribute (prohibiting programs such as JS scripts from reading Cookie information), the Secure attribute (prohibiting the Cookie from being sent to the server over an HTTP connection), the Domain attribute (the authorized domain names that may access it across domains), and the Path attribute (the authorized visible directory path).
Cookie security settings
The session identifier should be carried securely in the HTTP or HTTPS header information; prohibit passing it via GET parameters or recording it in error messages and logs.
Preventing CSRF attacks
The server implements a complete session management mechanism, performing legitimacy authentication and permission control on every request, to prevent cross-site request forgery (CSRF) vulnerabilities.
Session validity period
Sessions should have a validity period set on the basis of balancing risk and functional needs. Regularly generate a new session identifier and invalidate the previous one; this mitigates the risk of session hijacking through the original session identifier.
Session logout
The logout function applies to all authenticated web pages. When a user logs out, the session-related information should be cleaned up immediately and the related session connections terminated.
3.6 Access control
Control method
Separate the access control logic from the application's other code, and perform access control management based on the session ID.
Control management
Restrict access to protected URLs, files, services, application data, configuration, direct object references and so on to authorized users only.
Interface management
Restrict access to protected local programs or resources to authorized external applications or interfaces only.
Permission changes
When permissions are changed, log the change and notify the user to confirm whether they made it personally, informing them of the security risks.
3.7 File upload security
Identity verification
When performing a file upload, check the legitimacy of the user's identity.
Validity check
When performing a file upload, verify the file attributes on the server: a whitelist check of the file type (such as the file extension and file header information) and of the size (for images, verify width, height and pixel count, etc.).
Storage environment settings
Save files on a file server separate from the application environment (configure a separate domain name), and set the permissions of the save directory to non-executable.
Hidden file path
Successfully uploaded files need to be randomly renamed when saved, and returning the saved path information to the client is prohibited.
File access settings
File downloads should be served in binary form; it is recommended not to provide direct access to the files (to prevent Trojan files).
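As an added example (not from the original specification), the 3.7 server-side checks in Python: a whitelist of extensions each tied to the file header bytes it must start with, a size limit, width/height bounds read from a PNG header, random renaming, create-only writing, and a response that returns an opaque file id rather than the saved path. The limits, directory and the minimal PNG builder used as sample input are constructed.

```python
import os
import secrets
import struct

MAX_SIZE = 2 * 1024 * 1024   # assumed size limit
MAX_SIDE = 4096              # assumed maximum width/height in pixels
# Whitelisted extensions with the header bytes each file must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def png_dimensions(data: bytes):
    """Width and height from the IHDR chunk (bytes 16..24 of a PNG)."""
    if len(data) < 24:
        return None
    return struct.unpack(">II", data[16:24])


def validate_upload(filename: str, data: bytes):
    """Extension whitelist, size limit, header check, and image dimensions."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return False, "type not allowed"
    if len(data) > MAX_SIZE:
        return False, "too large"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "header mismatch"
    if ext == "png":
        dims = png_dimensions(data)
        if dims is None or not (0 < dims[0] <= MAX_SIDE and 0 < dims[1] <= MAX_SIDE):
            return False, "bad dimensions"
    return True, ext


def _write_new_file(path: str, data: bytes) -> None:
    """Create-only write, so an existing file is never overwritten."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def store_upload(filename: str, data: bytes, upload_dir: str, writer=_write_new_file) -> dict:
    """Validate, rename randomly, save, and return only an opaque id (never the path)."""
    ok, info = validate_upload(filename, data)
    if not ok:
        return {"ok": False, "error": info}
    file_id = secrets.token_hex(16) + "." + info
    writer(os.path.join(upload_dir, file_id), data)
    return {"ok": True, "file_id": file_id}


def make_test_png(width: int, height: int) -> bytes:
    """Constructed minimal PNG prefix (signature + IHDR chunk) for testing only."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return ALLOWED_TYPES["png"] + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"
```

The extension is checked first only to pick which header to expect; the header check is what decides, so a renamed executable with a .png extension is still rejected.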
3.8 Interface security
Network restriction
Restrict the calling party's network, for example by verifying it through technical measures such as firewalls, host restrictions, and Nginx deny rules.
Authentication
Authenticate each call, for example by checking keys, secrets, certificates and other technical measures; sharing credentials is prohibited.
Integrity check
For call data security, compute a SHA1 digest over all parameters as a digital signature, to detect tampering with the data.
Validity check
Check the parameters: whether the parameters are complete, whether the timestamp and Token are valid, whether the privileges are legitimate, and so on.
Availability requirements
Call service requirements: calls should be idempotent to keep data consistent, and the call frequency and validity period should be limited.
Exception handling
Handle call exceptions: detect calling behaviour in real time, and block abnormal behaviour promptly when it is discovered.
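As an added example (not from the original specification), a Python gateway check combining the 3.8 integrity, validity and idempotency items: all parameters are signed in canonical order, the timestamp must fall within a window, the signature is compared in constant time, and a nonce table rejects a replayed call. The signature is HMAC-SHA256 keyed with the caller's secret, used here in place of the plain SHA1 digest the text names; the window, parameter names and credentials are constructed.

```python
import hashlib
import hmac
import time

TIMESTAMP_WINDOW = 300  # seconds of clock skew tolerated; an assumption of this example


def canonical_string(params: dict) -> str:
    """All parameters except the signature itself, sorted by name, joined as k=v&k=v."""
    return "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "sign")


def sign_params(params: dict, secret: str) -> str:
    """HMAC-SHA256 over the canonical string (instead of the plain SHA1 digest the
    text names), so the signature also depends on the caller's own secret."""
    return hmac.new(secret.encode("utf-8"), canonical_string(params).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class ApiGateway:
    def __init__(self, secrets_by_key: dict, now=time.time):
        self._secrets = secrets_by_key   # api_key -> secret; one per caller, never shared
        self._now = now
        self._seen_nonces = {}           # nonce -> timestamp, for replay/idempotency

    def verify_call(self, params: dict):
        """Completeness, timestamp, signature, then replay; returns (ok, reason)."""
        required = {"api_key", "timestamp", "nonce", "sign"}
        if required - set(params):
            return False, "missing parameters"
        secret = self._secrets.get(params["api_key"])
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(params["timestamp"])
        except ValueError:
            return False, "bad timestamp"
        if abs(self._now() - ts) > TIMESTAMP_WINDOW:
            return False, "stale timestamp"
        if not hmac.compare_digest(sign_params(params, secret), params["sign"]):
            return False, "bad signature"
        if params["nonce"] in self._seen_nonces:
            return False, "replay"
        self._seen_nonces[params["nonce"]] = ts
        return True, "ok"
```

Because the nonce is part of the signed string, a caller cannot reuse an old signature with a new nonce, and because the timestamp is bounded, the nonce table only needs to remember entries for the length of the window.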
Data security
4.1 Sensitive information
Sensitive information transmission
When transmitting sensitive information, prohibit including sensitive information such as user names, passwords, and card numbers in GET request parameters. It is recommended that all sensitive information be transmitted with TLS encryption.
Client storage
When the client saves sensitive information, prohibit auto-filling it into forms or preserving it in plaintext form.
Server storage
When the server stores sensitive information, prohibit hard-coding sensitive information in the program and prohibit plaintext storage of user passwords, ID numbers, bank card numbers, cardholder names and other sensitive information; sensitive data written temporarily to memory or files should be cleared and released promptly.
Sensitive information maintenance
During sensitive information maintenance, prohibit uploading source code or SQL databases to open source platforms or communities such as Github or Open Source China.
Sensitive information display
When sensitive information is displayed on a web page, the masking of sensitive fields should be performed on the backend server.
4.2 Log specification
Recording principle
Make sure logging contains important application events, but do not preserve sensitive information such as session identifiers, account passwords, or documents.
Event types
Record all authentication, access operations, data changes, key operations, management functions, logout records and other events.
Event requirements
Logs generally record the time of occurrence of each event, the requesting IP address, and the user account (if authenticated).
Log protection
Logs are strictly protected to avoid unauthorized read or write access.
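As an added example (not from the original specification) covering the 4.1 display item and the 4.2 recording principle together: backend masking helpers for card and phone numbers, a logging.Filter that rewrites every record to remove passwords, session identifiers and card numbers before any handler writes it, and an audit-event builder with the time/IP/account fields listed above. The patterns, field names and sample messages are constructed.

```python
import logging
import re
from datetime import datetime, timezone


def mask_card(number: str) -> str:
    """Keep the first 4 and last 4 digits of a bank card number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 9:
        return "*" * len(digits)
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def mask_phone(number: str) -> str:
    """Keep the first 3 and last 4 digits of a phone number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 8:
        return "*" * len(digits)
    return digits[:3] + "*" * (len(digits) - 7) + digits[-4:]


# Values that must never reach a log: passwords, session identifiers, and long
# digit runs that look like card numbers (constructed patterns).
REDACTIONS = [
    (re.compile(r"(password=)[^&\s]+", re.IGNORECASE), r"\g<1>[REDACTED]"),
    (re.compile(r"(sessionid=)[A-Za-z0-9_\-]+", re.IGNORECASE), r"\g<1>[REDACTED]"),
    (re.compile(r"\b[0-9]{13,19}\b"), lambda m: mask_card(m.group())),
]


def redact(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class SensitiveDataFilter(logging.Filter):
    """Rewrites each record's message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def audit_event(event: str, ip: str, user=None) -> dict:
    """The per-event fields 4.2 asks for: time, requesting IP, account if authenticated."""
    return {"time": datetime.now(timezone.utc).isoformat(), "event": event, "ip": ip, "user": user}


class _ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def log_and_capture(message: str) -> str:
    """Route one message through a logger fitted with the filter and return
    what a handler would have written."""
    logger = logging.getLogger("audit.demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.handlers = [handler]
    logger.filters = [SensitiveDataFilter()]
    logger.info(message)
    return handler.lines[-1]
```

Attaching the filter to the logger rather than to one handler means every destination (file, syslog, console) receives the already-redacted message.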
4.3 Exception handling
Fault tolerance mechanism
The application implementation should include a complete exception-capture mechanism (try-catch blocks) at the typical locations: file, network, database, and command operations, etc. Once an exception occurs, the log should record the time of the exception, the code location, the error details, and the user who may have triggered the error. Serious exceptions in important systems should have an alarm mechanism that notifies the system operator promptly to investigate and repair the problem.
Custom error messages
In the production environment, applications should not return any system-generated messages or other debugging information in their responses. Configure the application server to handle unhandled application errors in a custom manner and return custom error messages.
Hide user information
Prohibit exposing users' private information in system exceptions, typically: identity information, personal addresses, telephone numbers, bank accounts, communication records, location information, etc.
Hide system information
It is forbidden to disclose sensitive system information when system exceptions occur (user accounts and passwords, system development keys, system source code, application architecture, system accounts and passwords, network topology, etc.).
Exception state recovery
When a method fails, it is necessary to recover the previous object state: for example, roll back when a business operation fails, restore the original state when an object modification fails, and keep the object's state consistent.
Host security
5.1 I/O operations
Shared environment file security
Specify appropriate access permissions when creating files in a multi-user system to prevent unauthorized file access. Read/write/execute permissions for files in shared directories should use a whitelist mechanism and least privilege.
Data access check
Prevent unauthorized access to encapsulated data objects, and set reasonable buffer sizes to prevent exhaustion of system resources.
Application file handling
Files created while the application is running need their permissions set (read, write, execute), and temporary files should be deleted promptly.
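As an added example (not from the original specification), the 5.1 file items in Python on a POSIX host: a file created with its permissions fixed at creation time (no window in which a default mode applies) and refused if it already exists, a temporary file created owner-only and removed as soon as it is finished with, and an audit helper that lists world-writable files in a shared directory. The file names, contents and the scratch directories used by the demo functions are constructed.

```python
import os
import stat
import tempfile


def create_private_file(path: str, data: bytes, mode: int = 0o600) -> int:
    """Create a file with explicit permissions at creation time and fail if it
    already exists. Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_temp_then_remove(data: bytes):
    """Temporary file created owner-only by mkstemp and deleted as soon as it is used."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)
    return mode, os.path.exists(path)


def world_writable_files(directory: str) -> list:
    """Audit helper for a shared directory: names of regular files others may write."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        st = os.stat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            flagged.append(name)
    return flagged


def demo_private_file() -> int:
    """Creates a private config file in a scratch directory and returns its mode."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "app.conf")
    try:
        return create_private_file(path, b"db_password=PLACEHOLDER\n")  # constructed content
    finally:
        os.unlink(path)
        os.rmdir(directory)


def demo_shared_dir_audit() -> list:
    """Constructed shared directory with one loose and one correctly set file."""
    directory = tempfile.mkdtemp()
    loose = os.path.join(directory, "shared.txt")
    tight = os.path.join(directory, "private.txt")
    try:
        create_private_file(loose, b"x", 0o600)
        os.chmod(loose, 0o666)  # the mistake the audit should catch
        create_private_file(tight, b"y", 0o640)
        return world_writable_files(directory)
    finally:
        for p in (loose, tight):
            os.unlink(p)
        os.rmdir(directory)
```

Passing the mode to os.open is what matters: creating the file with default permissions and tightening them afterwards leaves a moment in which another user of the host could open it.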
5.2 Operating environment
Minimize open ports
Close the ports and services that the operating system does not require.
Background service management
Backend services (such as data caching and storage, monitoring, business management, etc.) should be limited to internal network access; any that are exposed on the public network must have authentication and access control in place.
Environment configuration
Use secure and stable versions of the operating system, web server software, application frameworks, database components, and so on.
Sensitive code handling
Sensitive code (such as software package signing, username and password checks, etc.) should all be placed in native so packages to prevent tampering.
Close debug channels
Production code does not contain any debugging code or interfaces.
Communication security
Configure an HTTPS certificate for the website, or other encrypted transmission measures.
Article reference:
https://segmentfault.com/a/1190000017090860