# Development Safety Guidelines
This document collects common security risks and vulnerabilities in Mini Program development, to help developers find and fix them during development and avoid business and data losses after launch. Developers must base their development on the following principles:
- Principle of mutual distrust: do not trust data submitted by users, including data provided by third-party systems; all necessary data validation must be performed on the back end.
- Principle of least privilege: code, modules, etc. should have only the minimum privileges needed to complete their task; do not grant unnecessary privileges.
- Storing sensitive user data in plaintext is prohibited.
- Mini Program code (excluding cloud function code) is similar to the front-end code of a traditional web application: it can be obtained externally and de-obfuscated, so important business logic should be placed in back-end code or cloud functions.
- Back-end interface calls and cloud function calls must be effectively authenticated.
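
The following added example (not part of the original guidelines or of WeChat's own code) applies the mutual-distrust, least-privilege and authentication principles in a cloud-function-style handler. `getCallerOpenId`, the `PRICES` table, the order fields and the result codes are hypothetical names chosen for illustration; the caller identity is assumed to come from the platform context rather than from request data.

```javascript
// Constructed server-side price table (cents); the client never supplies prices.
const PRICES = { "sku-1": 500, "sku-2": 1200 };

// getCallerOpenId is a hypothetical stand-in for the platform-provided caller
// identity (in a WeChat cloud function: cloud.getWXContext().OPENID).
function makeCreateOrder({ getCallerOpenId, orders }) {
  return function (event) {
    // Authentication: identity comes from the platform, never from `event`.
    const openid = getCallerOpenId();
    if (!openid) return { ok: false, code: "UNAUTHENTICATED" };

    // Mutual distrust: validate every client-supplied field on the server.
    const { sku, quantity } = event || {};
    // hasOwnProperty rejects inherited keys such as "__proto__" or "constructor".
    if (typeof sku !== "string" || !Object.prototype.hasOwnProperty.call(PRICES, sku)) {
      return { ok: false, code: "BAD_SKU" };
    }
    if (!Number.isInteger(quantity) || quantity < 1 || quantity > 99) {
      return { ok: false, code: "BAD_QUANTITY" };
    }

    // Business logic stays server-side: any `total` or `openid` in `event` is ignored.
    const order = { id: orders.length + 1, owner: openid, sku, quantity,
                    total: PRICES[sku] * quantity };
    orders.push(order);
    return { ok: true, order };
  };
}

function makeGetOrder({ getCallerOpenId, orders }) {
  return function (event) {
    const openid = getCallerOpenId();
    if (!openid) return { ok: false, code: "UNAUTHENTICATED" };
    const order = orders.find((o) => o.id === (event || {}).id);
    // Least privilege: a caller can read only their own orders; a missing order
    // and someone else's order get the same answer.
    if (!order || order.owner !== openid) return { ok: false, code: "NOT_FOUND" };
    return { ok: true, order };
  };
}
```
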
This document is divided into 2 parts:
- Common Risks and Development Recommendations: reviews common Mini Program risks for developers and gives corresponding recommendations.
- Platform Notification Message: reviews the notification messages pushed by the WeChat platform, including an introduction to message content and trigger scenarios.