# safety-specifications

To access WeChat city services, the business side needs to ensure functional safety.

# Common Safety Checklist


  1. Input validation: length limit, correct value type, contain special characters, such as<>” Etc.)

  2. Output encoding: Corresponding encoding according to the location of the output, such as HTML encoding, JavaScript encoding, URL encoding.

  3. Between the output and the HTML tagsHTML Entitycoding

  4. When output to the HTML attribute, the special characters are encoded as&#xHH

  5. Output to SCRIPT, the data is SCRIPT encoded, except for Arabic numerals and letters, for all other characters, as long as the ASCII code for that character is less than 256. The output format after encoding isxHH

  6. When output to the Style property, CSS encodes the data, except for Arabic numerals and letters, and encodes all other characters as long as the ASCII code for that character is less than 256. The output format after encoding isHH

  7. Output to HTML URL, URL encoding of the data, when the need to insert the URL in the HTML page untrusted data, it needs to be URL-encoded

SQL injection

  1. The best way to bind variables is to use precompiled statements

  2. Check data type

  3. Use security functions, such as php smysql_real_escape_string

  4. For the database itself, use the principle of minimum permissions, and remember not to use dba permissions

Upload vulnerability

  1. In the client side and server side of the user upload file name and file path and other items were strictly checked, especially the server side detection can not be less

  2. Server-side checks the best use of whitelist filtering methods, such as allowing only jpg file upload and so on

  3. The upload target path is not in the web directory as far as possible. If the executable permissions of the directory are removed from the web folder

  4. Cautious useFckeditorewebeditorThird party upload components, there have been multiple vulnerabilities in history


historicalStruts2Framework out of a number of high-risk vulnerabilities, these vulnerabilities enough to hack a website, to try to use the latest version

Information leakage

  1. Delete the test page from the online machine, for exampletest.htmlphpinfo.phpetc.

  2. Disable detailed error prompts

  3. Disable debug information

  4. Disables updating svn - related files to the online machine, for example.svn/entries

Login Security

  1. Login page best add verification code

  2. Try to use https protocol

Session security

Official Account message template Development usually use openid as the user identity, when using openid to set the openid into the cookie do not splice into the URL for examplehttp://www.qq.com/getusercode=aaaaaa

Admin page

TomcatjbossWeblogicSuch as the management page can do the following additional aspects of security policy

Use whitelist to limit the IP that can be logged in

If you do not use these administrative interface directly delete

Parallel privilege problem

Scenarios such as orders require special attention to parallel permissions issues, such asorderId=111WhetherorderId=112You can see other orders. For this defense, you can add validation parameters,orderId=111&sign=hash(String constant + id)

Question of payment amount

  1. Web applications involving micropayments must strictly follow theOfficial Website of FacebookDocument Design
  2. Determine whether the amount paid by the user is equal to the amount payable