# safety-specifications

To integrate with WeChat City Services, the business side must ensure that its own service is secure.

# Common Security Checklist

## XSS

  1. Input validation: limit the length, check that the value has the correct type, and check for special characters such as `<`, `>`, `"`, etc.

  2. Output encoding: apply the encoding that matches the output location, e.g. HTML encoding, JavaScript encoding, URL encoding.

  3. When output is placed between HTML tags, apply HTML entity encoding.

  4. When output is placed in an HTML attribute, encode special characters as `&#xHH;`.

  5. When output is placed in a SCRIPT block, apply SCRIPT (JavaScript) encoding: except for Arabic numerals and letters, encode every character whose ASCII code is less than 256. The encoded output format is `\xHH`.

  6. When output is placed in a style property, apply CSS encoding: except for Arabic numerals and letters, encode every character whose ASCII code is less than 256. The encoded output format is `\HH`.

  7. When output is placed in an HTML URL, URL-encode the data: untrusted data that has to be inserted into a URL on an HTML page must be URL-encoded.
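The context-specific encoders from rules 3 to 7, as an added example in Python (not code from the original checklist). It follows the rules as written, with two additions: HTML attribute entities carry a closing semicolon, and each CSS escape is followed by a space so that a hex digit following it in the data is not absorbed into the escape.

```python
import html
import string
from urllib.parse import quote

# Only ASCII letters and digits are left untouched in every context.
_SAFE = frozenset(string.ascii_letters + string.digits)

def _encode(value, fmt):
    """Apply fmt to every code point below 256 that is not a letter or digit;
    code points above 0xFF pass through unchanged, as the rules above imply."""
    return "".join(ch if ch in _SAFE or ord(ch) > 0xFF else fmt % ord(ch)
                   for ch in value)

def encode_html_body(value):
    """Rule 3: text between HTML tags gets HTML entity encoding."""
    return html.escape(value, quote=True)

def encode_html_attr(value):
    """Rule 4: inside an attribute value, special characters become &#xHH;."""
    return _encode(value, "&#x%02X;")

def encode_js(value):
    """Rule 5: inside a <script> string literal, special characters become \\xHH."""
    return _encode(value, "\\x%02X")

def encode_css(value):
    """Rule 6: inside a style property, special characters become \\HH.
    A trailing space ends the escape, so a hex digit that follows in the data
    (the 'a' in '<a') is not swallowed into it."""
    return _encode(value, "\\%02X ")

def encode_url_param(value):
    """Rule 7: untrusted data inserted into a URL is percent-encoded."""
    return quote(value, safe="")

def render_all(value):
    """Render the same untrusted value safely into each output location."""
    return {
        "html_body": "<div>%s</div>" % encode_html_body(value),
        "html_attr": '<input value="%s">' % encode_html_attr(value),
        "script": '<script>var user = "%s";</script>' % encode_js(value),
        "style": '<div style="font-family: %s"></div>' % encode_css(value),
        "url": '<a href="/user?name=%s">profile</a>' % encode_url_param(value),
    }

if __name__ == "__main__":
    # Constructed sample input: a value that tries to close an attribute.
    for context, markup in render_all('"><b>x</b>').items():
        print("%-9s %s" % (context, markup))
```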

## SQL injection

  1. The best approach is to bind variables using prepared (precompiled) statements.

  2. Check the data type.

  3. Use security functions, such as PHP's `mysql_real_escape_string`.

  4. For the database itself, apply the principle of least privilege, and never use DBA privileges.

## Upload vulnerabilities

  1. Strictly check items such as the uploaded file name and file path on both the client side and the server side; the server-side check in particular must not be omitted.

  2. Server-side checks should preferably use a whitelist filtering approach, e.g. allowing only jpg files to be uploaded.

  3. The upload target path should be outside the web directory wherever possible; if it has to be under the web directory, remove execute permission from that directory.

  4. Use third-party upload components such as FCKeditor and eWebEditor with caution; they have had multiple vulnerabilities historically.

## Struts2

The Struts2 framework has historically had a number of high-risk vulnerabilities, each of which is enough to compromise a website; try to use the latest version.

## Information leakage

  1. Delete test pages from production machines, e.g. `test.html`, `phpinfo.php`.

  2. Disable detailed error messages.

  3. Disable debug information.

  4. Do not deploy svn-related files to production machines, e.g. `.svn/entries`.

## Login security

  1. Login pages should preferably add a CAPTCHA (verification code).

  2. Use the HTTPS protocol wherever possible.

## Session security

Official Account message template development usually uses the openid as the user identity. When using the openid, set it in a cookie; do not splice it into the URL, e.g. `http://www.qq.com/getuser?code=aaaaaa`.

## Admin pages

For the management pages of Tomcat, JBoss, WebLogic and the like, the following additional security measures can be applied:

  1. Use a whitelist to restrict the IPs that are allowed to log in.

  2. If these management interfaces are not used, delete them outright.

## Parallel privilege problems

Scenarios such as orders require special attention to parallel (horizontal) privilege issues: for example, whether changing `orderId=111` to `orderId=112` lets a user see someone else's order. To defend against this, add a validation parameter: `orderId=111&sign=hash(string constant + id)`.

## Payment amount issues

  1. Web applications involving micropayments must be designed strictly according to the documentation on the Official Website of Facebook.

  2. Check that the amount the user actually paid equals the amount payable.