Protect ASP Script source code

Source: Internet
Author: User
ASP is a server-side scripting environment. It is easy to use, needs no compiling or linking, runs scripts directly on the server, and supports multiple users and multithreading, so it has been widely used in Web development.
However, because an ASP script is plain text, a malicious person who obtains the source code can easily see page content that should not be visible. For example, ASP source code usually contains the user name and password of the system's database connection. With that user name and password, a malicious person can easily view all the information in the database (including confidential system information) and can also tamper with it, causing serious damage to the system. Therefore, it is important to protect the source code of ASP scripts.
There are usually 3 ways to protect ASP script source code: the first is to restrict which users have access; the second is to harden the server-side environment and improve the robustness of the system; the third is to process the source code so that the script source is hidden or partially hidden. These 3 ways complement each other, and effective settings can improve the security of the script source code. The following is a brief introduction to how these 3 approaches are implemented.
Restricting user access
Restricting user access means that only authorized users can reach the system's ASP scripts. There are two main implementations. The first uses SSL (Secure Sockets Layer): the server side issues certificates to clients (free certificate management software can be used for this), the client adds the certificate to the browser, and only users with a legitimate certificate can establish a connection with the server and access the system. This method requires no programming and is highly secure, but issuing certificates is more troublesome. The other method is the commonly used user name and password authentication: the user must first enter a user name and password, and only a legitimate user name and password give access to the system. This method is slightly less secure and simpler to program. When implementing it, be aware that you cannot simply check in the login window alone, because a user who knows the file name of the page that follows the login window can bypass the login window by entering that file name directly in the address bar. At the beginning of every file except the login window file, you can programmatically check whether the request's HTTP_REFERER item contains the server's own address, to see whether the request is a jump from a file within the system, and jump to the login window if it is not. The code is as follows:
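<%
' Send the visitor to the login page unless the referring page is on this server.
Dim ivalid
' InStr returns 0 when the server's address does not appear in the referrer.
ivalid = InStr(Request.ServerVariables("HTTP_REFERER"), "http://131.252.88.71")
If ivalid = 0 Then
    Response.Redirect "Login.asp"
End If
' ...... (rest of the page)
%>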
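HTTP_REFERER is a header supplied by the client, so a per-page check is stronger when it tests a server-side session value that only the login page sets. The following include file is an added example, not code from the original article; the file name auth_guard.asp, the session key AuthUser, the return query parameter and the /Default.asp landing page are assumptions.

```asp
<%
' auth_guard.asp -- hypothetical include file (added example, not from the article).
' Put this as the first line of every page except Login.asp:
'   <!-- #include file="auth_guard.asp" -->
' and call RequireLogin before any output is written.

Const SESSION_USER = "AuthUser"   ' assumed session key, set only by SignIn
Const HOME_PAGE = "/Default.asp"  ' assumed landing page

' Redirect to the login page unless this session has already signed in.
' The flag is stored on the server, so typing a file name into the address
' bar or sending a particular request header does not satisfy it.
Sub RequireLogin()
    Response.Expires = -1                     ' keep protected pages out of caches
    Response.AddHeader "Pragma", "no-cache"
    If Len(Session(SESSION_USER) & "") = 0 Then
        Response.Redirect "Login.asp?return=" & _
            Server.URLEncode(Request.ServerVariables("URL"))
    End If
End Sub

' Login.asp calls this only after it has verified the user name and password.
Sub SignIn(userName)
    Session(SESSION_USER) = userName
    Session.Timeout = 20                      ' minutes of inactivity before expiry
End Sub

' Logout page: discard the whole session.
Sub SignOut()
    Session.Abandon
End Sub

' Where Login.asp sends the user after SignIn. Only local paths are accepted,
' so the return parameter cannot send the user to another site.
Function SafeReturnPath(p)
    If Left(p, 1) = "/" And Left(p, 2) <> "//" And InStr(p, "\") = 0 Then
        SafeReturnPath = p
    Else
        SafeReturnPath = HOME_PAGE
    End If
End Function
%>
```

After a successful password check, Login.asp would call SignIn and then Response.Redirect SafeReturnPath(Request.QueryString("return")).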
Processing the server side
There are 3 main ways to handle the server side:
Set permissions on the system
Set detailed security permissions on the server side: apart from the system administrator, keep every user's access rights to a minimum; delete unnecessary shares, including printer sharing; and turn off anonymous services and other unnecessary functions. Set detailed access permissions on the directory that holds the ASP source code, and turn off Read permission.