Some best practices for designing, developing, and deploying Web applications are listed below. Some come from personal experience and some from published materials; the list is fairly simple and is meant as a reference.
The premise is that network security and host security must be ensured first, and only then does Web security come into play. Otherwise the rest is of little use.
1. Physical Network Architecture
Deploy the web server, app server, and database server on different hosts.
Restrict inbound connections to the web server; for example, expose only port 80.
Restrict connections between the web server, app server, and database server, using the firewall, operating system, or software configuration.
Do not store confidential information on the web server. If it must be stored, encrypt it; for example, the account credentials for other servers.
2. Authentication
Use standard authentication methods: passwords, certificates, dynamic tokens, and biometrics. If your company already has an authentication interface or product, use it rather than writing your own. Where requirements are stringent, consider combining several methods, for example password + certificate + dynamic token.
Encrypt passwords both in transit and in storage.
Passwords should meet a defined strength requirement, especially for the administrator's account.
3. Authorization and Access Control
Each user is granted only the minimum permissions required.
Implement access control at the logic layer and data layer; access control at the presentation layer (web pages and Flash files) provides no real security.
4. Session management
Session management in the various middleware products is already very good; do not write your own. (No one should be writing their own ....)
Sessions should expire after a set period of time.
Do not casually allow the browser to store persistent cookies.
Ideally, allow only one concurrent login per account.
Do not place any user-identifying information on the client; trust only the session ID.
5. Connect to the database
Connect to the database with a least-privilege account (using the sa account will end badly the moment there is a SQL injection).
6. Key Data Protection
Take extra care with key data. Encryption can be used, with the method chosen according to the data.
7. Logs
Record logs. Where possible, record details, especially for key operations. Where possible, back up the logs or write them to another server.
8. Code Writing
Check whether the templates, frameworks, and technologies used have known problems.
Perform input filtering on the server; input filtering on the client is not a security control. Check special characters, data types, and data length. It is best to accept only known-valid input (an allowlist) rather than try to reject known-bad cases.
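An added example (not from the original post) of the server-side allowlist approach described above: each field is checked for presence, length, allowed characters, type and range against a hypothetical rule set, and unexpected fields are rejected rather than ignored.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Allowlist rule: permitted character pattern, max length, type, numeric range."""
    pattern: str
    max_len: int
    cast: type = str
    lo: Optional[int] = None
    hi: Optional[int] = None

# Hypothetical form schema (constructed for this example); only these fields are accepted.
RULES = {
    "username": Rule(r"[A-Za-z0-9_]+", 32),
    "age": Rule(r"[0-9]+", 3, int, 0, 150),
    "note": Rule(r"[A-Za-z0-9 .,!?-]*", 200),
}

def validate(form):
    """Validate untrusted form data on the server. Returns (clean_values, errors).

    Every field must match its allowlist exactly; anything else is an error,
    regardless of what the client-side form claimed to have checked.
    """
    clean, errors = {}, {}
    for name, rule in RULES.items():
        raw = form.get(name)
        if not isinstance(raw, str):
            errors[name] = "missing"
            continue
        if len(raw) > rule.max_len:          # length check before the regex
            errors[name] = "too long"
            continue
        if not re.fullmatch(rule.pattern, raw):  # whole value must match the allowlist
            errors[name] = "invalid characters"
            continue
        value = rule.cast(raw)               # safe to convert now
        if rule.lo is not None and rule.hi is not None and not rule.lo <= value <= rule.hi:
            errors[name] = "out of range"
            continue
        clean[name] = value
    for extra in form.keys() - RULES.keys():     # reject fields the schema never defined
        errors[extra] = "unexpected field"
    return clean, errors
```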
This is stated very briefly, but there is a lot more to say about each point. In any case, I hope it serves as a reference.
A good resource from Microsoft:
http://msdn.microsoft.com/en-us/library/ms994921.aspx
It applies not only to the .NET architecture but also to other web applications.