# Developing security guidelines

This document compiles common security risks and vulnerabilities in Weixin Mini Program development, to help developers identify and fix them during development and avoid business and data losses after launch. Developers must follow these principles during development:

  1. Mutual distrust. Do not trust data submitted by users, including data provided by third-party systems. The necessary data validation must be performed on the backend.
  2. Least privilege. Code, modules and other components are given only the minimum permissions needed to accomplish their task, and no unnecessary permissions.
  3. Storing users' sensitive data in plaintext is prohibited.
  4. Weixin Mini Program code (excluding cloud function code) is similar to the front-end code of a traditional Web application: it can be obtained externally and de-obfuscated. Important business logic should therefore be located in back-end code or cloud functions.
  5. Backend interface calls and cloud function calls must be effectively authenticated.
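
The following is an added example, not code from the original document or from the Weixin platform, showing principles 1, 4 and 5 together in a backend handler written for Node.js. All names (`SESSION_KEY`, `CATALOG`, `issueSession`, `verifySession`, `placeOrder`) and the sample data are hypothetical, and user ids are assumed to contain no `.` character.

```javascript
// Added example: backend order handler. Names and data are constructed for illustration.
const crypto = require('crypto');

const SESSION_KEY = crypto.randomBytes(32);          // server-side secret, never shipped to the client
const CATALOG = { sku_1001: { priceCents: 1999 } };  // authoritative prices live on the server

const sign = (payload) =>
  crypto.createHmac('sha256', SESSION_KEY).update(payload).digest('hex');

// Issued by the backend after login; binds a user id to an expiry time.
function issueSession(userId, ttlMs = 3600000, now = Date.now()) {
  const payload = `${userId}.${now + ttlMs}`;
  return `${payload}.${sign(payload)}`;
}

// Principle 5: authenticate every call. Returns the user id, or null if the token is invalid.
function verifySession(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [userId, expiry, mac] = parts;
  const expected = Buffer.from(sign(`${userId}.${expiry}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expiry) || Number(expiry) <= now) return null;
  return userId;
}

// Principles 1 and 4: validate on the server; identity and price never come from the client.
function placeOrder(req) {
  const userId = verifySession(req.token);
  if (!userId) return { status: 401, error: 'unauthenticated' };
  const { sku, quantity } = req.body || {};
  const known = typeof sku === 'string' && Object.prototype.hasOwnProperty.call(CATALOG, sku);
  if (!known) return { status: 400, error: 'unknown sku' };
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 99) {
    return { status: 400, error: 'invalid quantity' };
  }
  // req.body.userId and req.body.priceCents, if present, are deliberately not read.
  const totalCents = CATALOG[sku].priceCents * quantity;
  return { status: 200, order: { userId, sku, quantity, totalCents } };
}
```

A request that carries a forged `priceCents` or `userId` in its body still produces an order priced from `CATALOG` and owned by the user named in the verified session.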

The document will be divided into 2 parts: