# Security protection
# Introduction to Security Protection
To address the black- and grey-market risks and security problems that Mini Program businesses run into across application scenarios, such as malicious registration, fake order brushing, group-controlled accounts and marketing abuse, WeChat Security Gateway provides security protection capabilities. They help developers deal with marketing abuse such as order brushing, fake transactions and fraudulent subsidy claims, and with registration abuse such as bulk registration, identity forgery and scalping (snapping up limited goods to resell at a higher price).
The security protection capability of WeChat Security Gateway is built on threat intelligence provided by WeChat. Multi-dimensional data such as account identity and user characteristics are fed into an intelligent model that judges whether the current request is safe, which lets it identify black- and grey-market techniques more accurately across the four combinations of fake or real users on fake or real devices. Developers configure protection policies on their core business flows. The gateway can either intercept flagged requests itself or pass its verdict to the business, which then decides whether to intercept, and abnormal requests can be sent through secondary human-machine verification, which is more flexible.
# Ability advantage
- Multi-layer protection: three lines of defence, from intelligent identification of environmental risks, to interception by the security gateway's risk-control policies, to advanced security protection, so that the gateway safeguards the business end to end.
- Accurate identification: an intelligent analysis model that combines multi-dimensional Mini Program data such as account identity, device, user behaviour and environment.
- High flexibility: the business can define its own interception policy, its own interception page and its own human-machine verification page.
- Human-machine verification: when the security gateway detects an abnormal network environment, it supports human-machine verification (waterproof-wall style challenges).
- Real-time monitoring: minute-level monitoring of intercepted abnormal requests, with detailed interception logs available for review.
# Usage scenarios
- Marketing campaigns, such as coupons, lucky draws, discount coupons for new users and similar scenarios: the protection capability examines devices, IPs, user behaviour, accounts and other dimensions to keep bonus hunters (the "wool party") out, so that the campaign is protected and the benefits reach the intended users.
- Engagement activities, such as posting reviews, earning gifts for highly rated comments, or earning lucky-draw chances for posting: the protection capability accurately identifies emulators, group-controlled devices, automated clicking and other cheating techniques, and addresses ad spam, comment flooding and vote brushing.
- Malicious registration, including machine-driven bulk registration, throwaway accounts and forged identities: account risk control in the protection capability identifies and intercepts such registrations.
# Introduction of multi-layer protection
# First layer of protection
WeChat private links run over the security gateway. When a request over the WeChat private protocol enters the gateway, the gateway can recognise abnormal protocol headers, crawler signatures, emulator attacks, access from black- and grey-market IPs, DDoS attacks and other unusual requests, and intercept them promptly. Traffic that passes this first screening and is provisionally judged normal goes on to the gateway's WeChat server for the second layer of screening and cleaning. (The QPS counted against the security gateway package is the concurrency measured after this first cleaning, so it is normal for the QPS of the same activity to drop after it is moved behind the gateway.)
# Second layer of protection
The security gateway applies a second layer of risk-control protection to requests that survive the first cleaning: forged or tampered requests over the gateway's private protocol are filtered out, and illegal, over-privileged and high-frequency requests are dropped by combining risk-control capabilities such as per-user request-frequency and permission checks. After this second cleaning, more than 90% of abnormal traffic has been intercepted; the remaining traffic is forwarded to the business origin server.
# Third layer of protection
To catch requests that slip through the first two layers, the security gateway adds a third layer: an advanced, business-defined security protection policy that actively hunts for the remaining abnormal traffic. It combines multi-dimensional data such as request characteristics, device information and account identity into an intelligent analysis model, applies higher-level processing such as environment detection and intelligent verification, lets the business decide the form of protection itself, and supports switching to a stronger form of verification such as a verification code. The advanced security capabilities of this third layer are described in detail below.
# Introduction to Advanced Safety Protection
The security protection policy is an advanced capability of WeChat Security Gateway. It can currently be configured in the console for purchased gateway packages of the Standard edition (specification: 1000 QPS, 20 Mbps) and above; packages below the Standard edition do not support this capability for now.
The detailed steps are as follows:
# 1. Ability to access
Go to Donut Development Platform - Security Gateway Console - Protection Configuration. So as not to disturb the normal external services of the business or provoke an obvious counter-response from black- and grey-market operators, configure the protection policy only on the URLs of the core Mini Program business flows; requests to Mini Program URLs that are not configured are passed through directly without processing.
# 2. Protection strategy selection
Two protection policies are currently supported, with more under continuous iteration. A console configuration takes effect within minutes; no code changes and no new Mini Program release are needed.
a. Gateway interception
With the gateway interception policy, the security gateway directly returns the response page defined by the business's configured response content, and the request no longer reaches the business side. Developers configure the corresponding parameters on that page.
b. Business decision making
With the business decision policy, the security gateway adds an x-wx-risk-rank header to the request; after receiving the request, the business reads this header and executes its own handling policy. x-wx-risk-rank ranges from 0 to 4, and a higher number means higher risk. The meaning of each level and the suggested handling are listed below; adjust the concrete handling dynamically to the actual situation of the business so that interception stays accurate and the business can develop soundly.
| Risk level | Suggested handling |
|---|---|
| 0 | No risk; allow the request. |
| 1 | Low suspicion; simple verification is recommended (e.g. CAPTCHA, SMS). |
| 2 | Mild suspicion; simple verification is recommended (e.g. CAPTCHA, SMS). |
| 3 | Moderate suspicion; take mitigating measures suited to the business scenario. For example, a marketing campaign can lower the probability of high-value rewards; a voting activity can reduce the weight of such votes; login and registration should require secondary verification. |
| 4 | High suspicion; direct interception according to business logic is recommended. For example, a red-envelope activity returns no prize or the minimum amount; votes are not counted; login/registration requires secondary verification; high-risk businesses may choose to restrict the operation altogether. |
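The origin-side handling of x-wx-risk-rank under the business decision policy is left to the business. The following is an added example, not code from the WeChat documentation: it parses the header defensively, maps each level to an action per scenario following the suggestions in the table above, and turns the decision into an HTTP response. It assumes the origin server only receives traffic through the security gateway, so the header is gateway-set; a missing or malformed value is treated as "unavailable" and sent to light verification rather than being read as level 0. The scenario names, the degrade/block details, the status codes and the sample headers are this example's own constructed conventions.

```javascript
// Added example (not from the WeChat documentation): origin-side decision on the
// x-wx-risk-rank header under the "business decision" policy.
// Assumption: the origin is only reachable through the security gateway, so the
// header is gateway-set. A missing or malformed value is never treated as level 0.

const RISK_HEADER = 'x-wx-risk-rank';

// Parse the header into an integer 0-4. Returns null when it is absent or
// malformed so the caller can fail closed instead of assuming "no risk".
function parseRiskRank(headers) {
  const raw = headers[RISK_HEADER];
  if (raw === undefined || raw === null) return null;
  const value = (Array.isArray(raw) ? raw[0] : String(raw)).trim();
  return /^[0-4]$/.test(value) ? Number(value) : null;
}

// Per-scenario actions (scenario names are illustrative):
// 'allow' pass, 'verify' secondary human verification (CAPTCHA/SMS),
// 'degrade' serve with reduced value, 'block' reject.
const POLICIES = {
  marketing: { // red envelopes, coupons, lucky draws
    0: { action: 'allow' },
    1: { action: 'verify', method: 'captcha' },
    2: { action: 'verify', method: 'captcha' },
    3: { action: 'degrade', detail: 'lower probability of high-value prize' },
    4: { action: 'block', detail: 'no prize or minimum amount' },
  },
  vote: {
    0: { action: 'allow' },
    1: { action: 'verify', method: 'captcha' },
    2: { action: 'verify', method: 'captcha' },
    3: { action: 'degrade', detail: 'reduce the weight of this vote' },
    4: { action: 'block', detail: 'vote not counted' },
  },
  login: {
    0: { action: 'allow' },
    1: { action: 'verify', method: 'sms' },
    2: { action: 'verify', method: 'sms' },
    3: { action: 'verify', method: 'sms' },
    4: { action: 'verify', method: 'sms', detail: 'high-risk businesses may restrict instead' },
  },
};

// Decide what to do with one request. Unknown rank fails closed to verification.
function decide(headers, scenario) {
  const policy = POLICIES[scenario];
  if (!policy) throw new Error(`unknown scenario: ${scenario}`);
  const rank = parseRiskRank(headers);
  if (rank === null) {
    return { rank: null, action: 'verify', method: 'captcha', detail: 'risk rank unavailable' };
  }
  return { rank, ...policy[rank] };
}

// Turn a decision into a response; `handler` is the business logic and receives
// whether it should serve a degraded result. Status codes are this example's convention.
function buildResponse(headers, scenario, handler) {
  const decision = decide(headers, scenario);
  switch (decision.action) {
    case 'allow':
      return { status: 200, decision, body: handler({ degraded: false }) };
    case 'degrade':
      return { status: 200, decision, body: handler({ degraded: true }) };
    case 'verify':
      return { status: 403, decision, body: { error: 'verification_required', method: decision.method } };
    case 'block':
      return { status: 403, decision, body: { error: 'rejected', detail: decision.detail } };
  }
}

// Constructed sample headers as an origin would see them (Node lower-cases header names).
const SAMPLE_HEADERS = {
  clean: { 'x-wx-risk-rank': '0' },
  suspicious: { 'x-wx-risk-rank': '3' },
  bot: { 'x-wx-risk-rank': '4' },
  missing: {},
  tampered: { 'x-wx-risk-rank': '99' },
};

// Illustrative red-envelope handler: degraded requests get the minimum amount.
function redEnvelope({ degraded }) {
  return { amountCents: degraded ? 1 : 888 };
}

// Run every sample through the marketing policy; returns { name: status }.
function demoMarketing() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
    out[name] = buildResponse(headers, 'marketing', redEnvelope).status;
  }
  return out;
}
```

In a Node http or Express handler, `headers` is `req.headers`; strip any client-supplied copy of the header on any path that does not pass through the gateway, otherwise the fail-closed parsing above protects nothing.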
# Extended Capabilities - Security Detection Plugin
Developers can optionally integrate the security detection plugin, which checks the security of the current client environment. Once integrated, it provides more comprehensive and accurate protection than the gateway alone: users must pass the environment check before they can continue. Integration requires changes to the Mini Program code and takes effect only after a new Mini Program version is released.
Detailed access guidelines are as follows:
# Quick start
- In the Mini Program's app.json, import the Donut Security Gateway plugin; once the plugin access request is approved, it can be used in the Mini Program.
```json
{
  "plugins": {
    "gateway-challenge": {
      "version": "1.3.2",
      "provider": "wxfe70b3f986aad2fb"
    }
  }
}
```
- In the Mini Program's onLaunch callback, start behaviour detection with the following code.
```javascript
const gatewayChallenge = requirePlugin('gateway-challenge')
App({
  onLaunch() {
    // Start silent environment detection once, when the Mini Program loads
    gatewayChallenge.start()
  }
})
```
At this point the Mini Program performs silent detection, which usually completes within a few seconds and does not affect normal use of the Mini Program while it runs.
- (Optional) Insert the security detection component in key pages such as activity pages. It does not affect page rendering; just place it at the top of the page.
```html
<!-- bindchallengesuccess: detection succeeded; bindchallengefail: detection failed -->
<gateway-challenge
  bindchallengesuccess="onChallengeSuccess"
  bindchallengefail="onChallengeFail"
></gateway-challenge>
```
- Wherever the Mini Program needs to submit sensitive information, obtain the detection result first.
```javascript
Page({
  async onBtnClick() {
    const gatewayChallenge = requirePlugin('gateway-challenge')
    let res
    try {
      res = await gatewayChallenge.getClearance() // get the detection result
    } catch (e) {
      // Behaviour detection threw: tell the user and stop here
      wx.showToast({
        title: 'An error has occurred. Please try again later.'
      })
      return
    }
    // res.cid identifies this detection result; keep it for troubleshooting misjudgements
    wx.request({
      // Sensitive interface request; only initiate it after detection has completed
    })
  }
})
```
# API
The plugin itself exports the following methods (obtained via requirePlugin):
```typescript
interface ChallengePlugin {
  /* Initialisation; run once when the Mini Program loads */
  start: () => Promise<void>
  /* Get the verification result for the current running environment (recommended); may be called at any time */
  getClearance: () => Promise<ChallengeResult>
  /* Register a listener that is called when detection succeeds */
  onChallengeSuccess: (cb: (res: ChallengeResult) => void) => void
  /* Register a listener that is called when detection fails */
  onChallengeFail: (cb: () => void) => void
}
interface ChallengeResult {
  err_code: number // detection error code
  success: boolean // detection result
  cid: string // detection id identifying a single result; provide it for troubleshooting if a misjudgement occurs
}
```
The detection component supports the following attributes (used as a custom component):
```html
<!-- bindchallengesuccess: detection succeeded; bindchallengefail: detection failed -->
<gateway-challenge
  bindchallengesuccess="onChallengeSuccess"
  bindchallengefail="onChallengeFail"
></gateway-challenge>
```
# Compatibility
Detection passes on WeChat clients newer than 8.0.28 (8.0.28 itself excluded). On older versions the user is prompted that the WeChat version is too low and should be updated.
# Life cycle
The detection result covers the entire lifecycle of the Mini Program, until the user exits it.
If detection succeeded, getClearance returns success synchronously for the rest of this Mini Program lifecycle, with the same clearance id (cid). If detection failed, getClearance triggers a new detection until one succeeds.
# FAQ
Q: How do I make sure the business interface is not abused by crawlers, bonus hunters or scripts?
A: Call core interfaces such as flash-sale and order placement only after the security gateway detection plugin has finished. As far as possible, execute wx.request only after getClearance has resolved, so that the request is protected.
Q: Detection cannot complete on PC, in WeChat DevTools or on some low-end devices, or I was wrongly intercepted. What should I do?
A: Security detection has been adapted for most devices. If a user hits an abnormal case, retry first (call getClearance again); if it keeps failing, provide the cid so that we can locate and resolve the problem.
Q: How can detection accuracy be improved?
A: Pull in the detection module in onLaunch and call start, insert the <gateway-challenge> tag in the page, and make sure the page has some explicit interaction (clicks, scrolling, swiping and so on).
Q: Does the plugin affect Mini Program performance? Can it be imported in a subpackage?
A: The plugin code package is about 200 KB and has essentially no perceptible impact on the interaction or load time of the Mini Program. The plugin can be imported in a subpackage and loaded lazily.
Q: How long does detection take?
A: On low-end Android devices detection completes within 1.5 s; on mainstream phones it generally takes no more than 500 ms.
Q: Does security detection make the Mini Program stutter? Can other operations run during detection?
A: Detection runs fully asynchronously and does not block the Mini Program's main thread. Other non-sensitive logic can run normally during detection; only make sure detection has completed before sensitive interfaces are called.
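The guard below is an added example, not code from the WeChat documentation or from the plugin. It combines the quick-start pattern (call getClearance before the sensitive wx.request) with the FAQ advice to retry getClearance and keep the cid for troubleshooting: the sensitive request is sent only once clearance succeeds, retries are bounded, a detection that throws or returns success=false is retried, and the cid is handed back to the caller. The plugin and the request function are injected so the block runs offline against constructed stand-ins that imitate the documented behaviour (one failed detection, then success with a cid that stays the same for the session); in a Mini Program you would pass requirePlugin('gateway-challenge') and wx.request. The URL and data in the demo are constructed.

```javascript
// Added example (not from the WeChat documentation or the plugin): a fail-closed
// guard that gates a sensitive request on getClearance() with bounded retries.
// `plugin` is requirePlugin('gateway-challenge') and `request` is wx.request in a
// real Mini Program; here they are injected so the guard can run offline.

function createGuardedRequest({ plugin, request, maxAttempts = 3 }) {
  // Promise wrapper around the wx.request-style success/fail callback API.
  const requestAsync = (options) =>
    new Promise((resolve, reject) =>
      request({ ...options, success: resolve, fail: reject }));

  return async function guardedRequest(options) {
    let lastError = null;
    for (let attempt = 1; attempt <= maxAttempts; attempt++) {
      let clearance;
      try {
        clearance = await plugin.getClearance();
      } catch (err) {
        lastError = err; // detection threw: retry, as the FAQ recommends
        continue;
      }
      if (!clearance || clearance.success !== true) {
        // Keep the cid and err_code so a misjudgement can be reported.
        lastError = new Error(`clearance failed (cid=${clearance && clearance.cid}, ` +
          `err_code=${clearance && clearance.err_code})`);
        continue;
      }
      // Only now is the sensitive request sent.
      const response = await requestAsync(options);
      return { attempts: attempt, cid: clearance.cid, response };
    }
    // Fail closed: never send the sensitive request without clearance.
    const err = new Error(`no clearance after ${maxAttempts} attempts`);
    err.cause = lastError;
    throw err;
  };
}

// Constructed stand-in for the plugin (not the real one). It fails a configurable
// number of times, then succeeds and keeps returning the same cid, mirroring the
// lifecycle description above.
function makeFakePlugin({ failuresBeforeSuccess = 1 } = {}) {
  let calls = 0;
  let sessionCid = null;
  return {
    async getClearance() {
      calls += 1;
      if (calls <= failuresBeforeSuccess) {
        return { err_code: -1, success: false, cid: `cid-constructed-${calls}` };
      }
      if (sessionCid === null) sessionCid = `cid-constructed-${calls}`;
      return { err_code: 0, success: true, cid: sessionCid };
    },
    get calls() { return calls; },
  };
}

// Constructed stand-in for wx.request: records what was sent and answers at once.
function makeFakeRequest() {
  const sent = [];
  const request = (options) => {
    sent.push({ url: options.url, data: options.data });
    options.success({ statusCode: 200, data: { ok: true } });
  };
  return { request, sent };
}

// Demo 1: one failed detection, then success; the request is sent exactly once.
async function runDemo() {
  const plugin = makeFakePlugin({ failuresBeforeSuccess: 1 });
  const { request, sent } = makeFakeRequest();
  const guardedRequest = createGuardedRequest({ plugin, request, maxAttempts: 3 });
  const result = await guardedRequest({
    url: 'https://example.invalid/api/order', // constructed
    data: { sku: 'demo' },
  });
  return { ...result, sentCount: sent.length, clearanceCalls: plugin.calls };
}

// Demo 2: every detection fails; retries are exhausted and nothing is sent.
async function runDemoBlocked() {
  const plugin = makeFakePlugin({ failuresBeforeSuccess: 10 });
  const { request, sent } = makeFakeRequest();
  const guardedRequest = createGuardedRequest({ plugin, request, maxAttempts: 3 });
  try {
    await guardedRequest({ url: 'https://example.invalid/api/order' });
    return { blocked: false, sentCount: sent.length, clearanceCalls: plugin.calls };
  } catch (e) {
    return { blocked: true, sentCount: sent.length, clearanceCalls: plugin.calls, message: e.message };
  }
}
```

Log the returned cid alongside your own request id on the backend; when a user reports a wrong interception, that is the value the FAQ asks you to provide.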