Security
Basic security
CSRF, XSS, SQL Injection, HTML Injection
A checklist you can tick off: https://github.com/virajkulkarni14/WebDeveloperSecurityChecklist
Using Node.js as the example: https://blog.risingstack.com/node-js-security-checklist/
Configure your HTTP headers properly
Strict-Transport-Security: enforces secure (HTTP over SSL/TLS) connections to the server
X-Frame-Options: provides clickjacking protection
X-XSS-Protection: enables the Cross-site scripting (XSS) filter built into most recent web browsers
X-Content-Type-Options: prevents browsers from MIME-sniffing a response away from the declared content-type
Content-Security-Policy: prevents a wide range of attacks, including Cross-site scripting and other cross-site injections
Brute Force Protection: for example, limit the number of login attempts to prevent brute-force guessing
Manage sessions properly
Cookie Flags
secure: the browser only sends the cookie over HTTPS
HttpOnly: limits the impact of XSS by keeping the cookie inaccessible to JavaScript
Cookie Scope
domain
path
expires
CSRF (Cross-Site Request Forgery)
Usually prevented by adding a CSRF token
More approaches discussed, such as Double Submit Cookie: http://blog.techbridge.cc/2017/02/25/csrf-introduction/
Data validation
XSS (Cross-Site Scripting)
Two kinds: Reflected and Stored cross-site scripting
In short, remember to validate the data users submit, and clean up data stored on the client side for the user
SQL Injection
In short, validate the data. Also avoid revealing how the back end accesses the data, and don't give the database account maximum privileges
Command Injection
Use a secure transport mechanism
SSL version, algorithms, key length
ciphers, keys and renegotiation are properly configured
certificate validity
HSTS (HTTP Strict Transport Security)
Prevent Denial of Service attacks
Lock the account when it sends a large number of resource-intensive requests in a short time
Beware of Regular Expression DoS (ReDoS) attacks
Handle errors/exceptions correctly; these messages sometimes unintentionally leak sensitive information
Eight front-end security problems (article dated 2017.10.31): http://insights.thoughtworks.cn/eight-security-problems-in-front-end/
XSS
iframe
Clickjacking
The browser deciding the content type on its own (MIME sniffing)
Vulnerabilities in front-end and back-end modules
SSL Stripping
Client-side data leakage
CDN pollution