For an e-commerce website, Internet security is very important, especially around payment. This article summarizes some common web security defense knowledge for reference, and I also hope to discuss the topic with peers who are interested in it.
1. Encrypting information in transit
Does HTTPS use symmetric or asymmetric encryption? If symmetric, is it DES or AES? If asymmetric, is it RSA or DSA?
- For a Java web application, the encryption algorithm is specified with the keytool tool when the KeyStore is generated; after the KeyStore is generated, the purchased certificate is imported into it. RSA is generally used.
Does the SSL certificate need to be purchased?
- Reasons not to buy: the purpose of using HTTPS is to encrypt the content transferred between server and client so that an intermediary cannot eavesdrop and leak information. Applying to a certificate provider is not cost-effective when the users of the service are fixed customers and our own staff, so we issue the certificate ourselves and ignore the browser's untrusted-certificate warning.
- Reasons to buy: better user experience and a more professional appearance.
Two-way or one-way verification?
- One-way authentication verifies only the server; with two-way authentication the server and the client authenticate each other.
- For the server, one-way verification ensures that the transmitted data is encrypted; two-way authentication additionally guarantees that the client source is trusted.
- If two-way authentication is used, the client browser must import a client certificate.
The certificate is bound to the domain name, so the domain name must be decided before the service goes live, and the HTTPS certificate purchase must be done first.
2. Encrypting stored files
Which asymmetric algorithm should be used, RSA or DSA? Asymmetric encryption and decryption are slow; should the implementation be written in Java or in C?
3. Defending against XSS attacks
- Front-end (service client): validate user input in JavaScript at form level. At present the client-side form validation of our service front end also interacts with the backend, which increases backend load and also leaves an XSS vulnerability. Only content within the specified length range, in the expected format and consisting of the expected characters should be accepted; other special JavaScript-related characters are filtered out, and dangerous HTML characters are escaped, for example > to &gt; and < to &lt;.
- For cookies that store sensitive information, add the HttpOnly attribute to the cookie so that it cannot be read by an attacker's script.
- Service front-end server: re-verify user input with server-side form-level validation, to prevent a malicious user who simulates a browser and bypasses the JS code from attacking. It is recommended that server-side form validation use unified system exception codes, combined with the system's exception handling mechanism. The client then displays appropriate information based on the exception code returned by the server, rather than showing the raw exception report to the customer: first, that is a poor user experience; second, it gives malicious users an opportunity.
- Use the ESAPI library to prevent XSS in your program:
System.out.println(ESAPI.encoder().encodeForHTML("<a href='sdfs'></a><script>alert();</script>"));
Output:
&lt;a href&#x3d;&#x27;sdfs&#x27;&gt;&lt;&#x2f;a&gt;&lt;script&gt;alert&#x28;&#x29;&#x3b;&lt;&#x2f;script&gt;
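To show the server-side half of this section in code, here is an added example (my own, not the article's or the ESAPI project's): a whitelist validator for a form field, a plain-Java HTML entity encoder covering the same characters as the ESAPI call above, and the Set-Cookie header for a sensitive cookie with HttpOnly. The username rule, cookie name and sample input are assumptions.

```java
import java.util.regex.Pattern;

// Added example (not the article's code): server-side whitelist validation of a
// form field plus HTML entity encoding for output, without the ESAPI dependency.
// The field rule and the sample inputs below are constructed for illustration.
public class XssDefenseExample {

    // Assumed whitelist rule: letters, digits and underscore, 3 to 20 characters.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,20}$");

    /** Accepts the input only if it is within the expected length and format. */
    public static boolean isValidUsername(String input) {
        return input != null && USERNAME.matcher(input).matches();
    }

    /**
     * Escapes the characters that let untrusted text break out of an HTML text
     * node or attribute value: & < > " ' and /. This is the ">" to "&gt;" and
     * "<" to "&lt;" rule from the article, applied at output time.
     */
    public static String encodeForHtml(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2f;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Builds the Set-Cookie header value for a sensitive cookie. HttpOnly keeps it
     * out of document.cookie; Secure keeps it on the HTTPS connection from section 1.
     */
    public static String sensitiveCookieHeader(String name, String value) {
        return name + "=" + value + "; Path=/; HttpOnly; Secure";
    }

    public static void main(String[] args) {
        String attempt = "<a href='sdfs'></a><script>alert();</script>"; // the article's sample input
        System.out.println("accepted as username: " + isValidUsername(attempt));
        System.out.println("accepted as username: " + isValidUsername("zhaoxin"));
        System.out.println("encoded for HTML:     " + encodeForHtml(attempt));
        System.out.println("cookie header:        " + sensitiveCookieHeader("JSESSIONID", "constructed-session-id"));
    }
}
```

Validation rejects the script sample outright because it is not in the expected format; encoding is the second line of defense for fields that legitimately contain free text and must be applied wherever that text is written into a page.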
4. Defending against SQL injection
- Same as the "unified system exception codes for server-side form validation" recommendation in section 3 on XSS.
- The service front-end client needs to sanitize SQL keywords such as drop, update and delete during form-level validation. When the service front-end server performs table-level validation again, it must sanitize drop, update, delete and the other SQL keywords again, to prevent malicious users from bypassing the JS, and escape sensitive characters, for example ' to \'.
- Use parameter binding. Traditional JDBC parameter binding, for example:
PreparedStatement pre = connection.prepareStatement("select * from User where user.name = ?"); pre.setString(1, "zhaoxin"); ResultSet rs = pre.executeQuery();
Hibernate parameter binding, for example:
String hql = "from User user where user.name = :customerName"; Query query = session.createQuery(hql); query.setParameter("customerName", name, Hibernate.STRING);
iBatis/MyBatis parameter binding: in the SQL statement node, set parameterClass="java.util.Map", and have the program encapsulate the parameters in the Map.
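As an added example (my own code, not the article's), the JDBC lookup above written both ways, so the difference between concatenating input into the SQL text and binding it as a parameter is visible, plus a keyword check of the kind the article asks for as an extra validation layer. The table and column names and the sample values are assumptions; the Connection is supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not the article's code). Table "User" and column "name" are assumed.
public class SqlInjectionDefenseExample {

    /** VULNERABLE: the user's text becomes part of the SQL itself. Kept only for contrast. */
    public static String vulnerableQueryText(String name) {
        return "select name from User where name = '" + name + "'";
    }

    /** SAFE: the SQL text is fixed; the value travels separately as a bound parameter. */
    public static List<String> findUserNames(Connection connection, String name) throws SQLException {
        String sql = "select name from User where name = ?";
        try (PreparedStatement pre = connection.prepareStatement(sql)) {
            pre.setString(1, name);                 // a quote inside name is data, not SQL
            try (ResultSet rs = pre.executeQuery()) {
                List<String> names = new ArrayList<>();
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
                return names;
            }
        }
    }

    // Whole-word match so that a value like "updated_by" is not rejected by accident.
    private static final Pattern SQL_KEYWORDS =
        Pattern.compile("\\b(drop|update|delete|insert|truncate)\\b", Pattern.CASE_INSENSITIVE);

    /**
     * Defence in depth for fields that must never contain SQL keywords (the
     * article's "sanitize drop/update/delete" rule). Returns the offending
     * keyword, or null when the value is clean. Binding, not this check, is
     * what actually prevents injection.
     */
    public static String findForbiddenKeyword(String value) {
        if (value == null) return null;
        Matcher m = SQL_KEYWORDS.matcher(value);
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : null;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate name containing a quote, and a value carrying a keyword.
        String quoted = "o'brien";
        String keyword = "drop table User";
        System.out.println("concatenated SQL breaks on the quote: " + vulnerableQueryText(quoted));
        System.out.println("forbidden keyword in '" + keyword + "': " + findForbiddenKeyword(keyword));
        System.out.println("forbidden keyword in 'zhaoxin': " + findForbiddenKeyword("zhaoxin"));
    }
}
```

The concatenated form shows why the article's "escape ' to \'" rule exists: a single quote in ordinary data already changes the statement. Binding removes the problem at the driver level, so the keyword filter only needs to enforce business rules on what a field may contain.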
5. Defending against CSRF attacks
Use the Struts2 form tag, adding the token tag where needed; at important nodes such as review/approval, add a verification code (CAPTCHA) check; check the Referer domain in the HTTP request header to verify that the request is legitimate.
6. Set limits and other risk-control rules; when a limit is exceeded, raise an early warning and require additional manual authorization to pass the audit.
7. Avoid duplicate form submission
Use the Struts2 form tag, adding the token tag where needed; for file uploads, record a hash of the file and check it, and if the file is a repeat, ask the customer whether to continue.
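Sections 5 and 7 both rely on the Struts2 token tag. The added example below (my own code, not the article's and not Struts2's implementation) shows what such a token does: a random per-form value issued when the form is rendered, accepted once on submission, which defeats both a forged cross-site request (no valid token) and a repeated submission (token already consumed), together with the Referer origin check. The session store is stood in for by a Map, and the site origin and form name are assumed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not the article's or Struts2's code). In a real deployment the
// token map lives in the HTTP session; here a Map stands in for it.
public class FormTokenExample {
    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<String, String> sessionTokens = new HashMap<>(); // formName -> token
    private final String siteOrigin;                                    // assumed, e.g. https://shop.example

    public FormTokenExample(String siteOrigin) {
        this.siteOrigin = siteOrigin;
    }

    /** Called when rendering the form: issues a fresh token to embed as a hidden field. */
    public String issueToken(String formName) {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        sessionTokens.put(formName, token);
        return token;
    }

    /**
     * Called when the form is submitted. Succeeds at most once per issued token:
     * a forged request carries no valid token, and a duplicate submission reuses
     * a token that has already been consumed.
     */
    public boolean consumeToken(String formName, String submitted) {
        String expected = sessionTokens.get(formName);
        if (expected == null || submitted == null) return false;
        boolean ok = MessageDigest.isEqual(                 // constant-time comparison
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) sessionTokens.remove(formName);             // single use blocks duplicate submission
        return ok;
    }

    /** Referer check: only requests whose Referer starts with our own origin (plus "/") pass. */
    public boolean refererAllowed(String referer) {
        return referer != null && referer.startsWith(siteOrigin + "/");
    }

    public static void main(String[] args) {
        FormTokenExample form = new FormTokenExample("https://shop.example");
        String token = form.issueToken("review");
        System.out.println("first submission accepted:   " + form.consumeToken("review", token));
        System.out.println("repeat submission accepted:  " + form.consumeToken("review", token));
        System.out.println("forged submission accepted:  " + form.consumeToken("review", "constructed-guess"));
        System.out.println("same-origin referer allowed: " + form.refererAllowed("https://shop.example/review"));
        System.out.println("foreign referer allowed:     " + form.refererAllowed("https://other.example/review"));
    }
}
```

The trailing "/" in the Referer comparison matters: comparing against the bare origin would also accept a host such as shop.example.other.example. Requests with no Referer are rejected here; a site that must tolerate privacy settings that strip the header should rely on the token alone in that case.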
8. Nginx reverse proxy
Nginx is the first layer of external barrier in front of our servers:
- Through it we can easily apply various security settings, such as blocking IPs, limiting the number of concurrent connections per IP (which helps prevent DoS attacks), setting timeouts (which also helps prevent DoS attacks), limiting user bandwidth, and so on.
- Nginx can also hide the server's interface paths and the real paths of static files, preventing path traversal attacks.
- Nginx has a dedicated module for preventing XSS and injection attacks, naxsi.
- Static/dynamic separation speeds up responses, reduces Tomcat load, and allows load balancing.
9. Update the Struts2 framework in a timely manner.
10. Set a whitelist for file uploads, or simply restrict uploads to xls and xlsx, to avoid file upload attacks.
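The upload whitelist from section 10 and the hash check from section 7 fit naturally in one upload filter, so here is an added example (my own code, not the article's) that does both: the extension must be xls or xlsx, the file's leading bytes must agree with that extension, and a SHA-256 hash is recorded so a repeated upload can be detected. The sample file bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (not the article's code). The sample file contents in main() are constructed.
public class UploadCheckExample {
    private static final Set<String> ALLOWED_EXT = new HashSet<>(Arrays.asList("xls", "xlsx"));
    private static final byte[] OLE2_MAGIC = {(byte) 0xD0, (byte) 0xCF, 0x11, (byte) 0xE0}; // .xls container
    private static final byte[] ZIP_MAGIC  = {0x50, 0x4B, 0x03, 0x04};                     // .xlsx container
    private final Set<String> seenHashes = new HashSet<>();                                // stands in for a DB table

    /** Extension whitelist; the last dot decides, so "report.xls.jsp" is rejected. */
    public static boolean extensionAllowed(String fileName) {
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) return false;
        return ALLOWED_EXT.contains(fileName.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    /**
     * The extension is user-controlled, so the content's leading bytes must agree
     * with it. Call only after extensionAllowed() has accepted the name.
     */
    public static boolean contentMatchesExtension(String fileName, byte[] content) {
        String ext = fileName.substring(fileName.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ext.equals("xls") ? OLE2_MAGIC : ZIP_MAGIC;
        if (content.length < magic.length) return false;
        return Arrays.equals(Arrays.copyOf(content, magic.length), magic);
    }

    /** SHA-256 of the upload as lowercase hex; this is the value to store per upload. */
    public static String sha256Hex(byte[] content) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(content);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JDK", e);
        }
    }

    /** True if this exact content was uploaded before; the caller then asks the user whether to continue. */
    public boolean isDuplicate(byte[] content) {
        return !seenHashes.add(sha256Hex(content));
    }

    public static void main(String[] args) {
        UploadCheckExample checker = new UploadCheckExample();
        byte[] fakeXlsx = new byte[64];                                   // constructed: zip header, zero padding
        System.arraycopy(ZIP_MAGIC, 0, fakeXlsx, 0, ZIP_MAGIC.length);
        byte[] textFile = "not a spreadsheet".getBytes(StandardCharsets.UTF_8); // constructed

        System.out.println("report.xlsx extension ok:      " + extensionAllowed("report.xlsx"));
        System.out.println("report.xls.jsp extension ok:   " + extensionAllowed("report.xls.jsp"));
        System.out.println("zip bytes match .xlsx:         " + contentMatchesExtension("report.xlsx", fakeXlsx));
        System.out.println("text bytes match .xlsx:        " + contentMatchesExtension("renamed.xlsx", textFile));
        System.out.println("first upload is duplicate:     " + checker.isDuplicate(fakeXlsx));
        System.out.println("second upload is duplicate:    " + checker.isDuplicate(fakeXlsx));
    }
}
```

Checking the leading bytes stops a script renamed to .xlsx from passing the whitelist; it is not a full format validation, and the upload directory should in any case have no execute permission, as the directory permission principles at the end of this article require.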
11. Nginx vulnerabilities and security hardening
An nginx configuration error can result in a directory traversal vulnerability, for example:
location /test {
    alias html/test/;
    autoindex on;
}
When accessing the URL http://192.168.1.103/test/, the normal situation is that the html/test/ directory is listed, but accessing the URL http://192.168.1.103/test../ lists the parent directory html/.
It should read:
location /test {
    alias html/test;
    autoindex on;
}
Or:
location /test/ {
    alias html/test/;
    autoindex on;
}
or disable the autoindex module directly.
Choice of Nginx version
- Nginx security vulnerabilities can be followed through the official Nginx security advisories or other vulnerability publishing platforms.
- It is recommended to use a custom installation path when installing Nginx; the default installation path is easily guessed by attackers and automated attack tools, which makes the next step of an attack easier.
- When choosing an Nginx version, pay attention to both security vulnerabilities and version stability. Generally choose the latest stable version, which strikes a balance between stability and security.
Modify/hide Nginx banner information
Log security
- Modify the default save path of the logs, and then set permissions so that only administrators have access to the log directory.
Nginx permission settings
- Run Nginx under a lower-privileged identity; this can be adjusted in nginx.conf. Application servers and databases should also follow this principle.
Turn off server tagging
- If enabled (the default is on), all error pages display the server's version and information.
Set custom buffer sizes to prevent buffer overflow attacks.
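To make the Nginx items from sections 8 and 11 concrete, here is an added configuration fragment (my own, not the article's or the Nginx project's configuration) that puts them together: an unprivileged worker user, server_tokens off, per-IP connection and request limits, timeouts, bounded buffers and body size, a static location whose alias matches the location's trailing slash, and a proxied location that hides Tomcat's real paths. Host names, paths, zone names and limit values are assumptions; the naxsi module and the log directory permissions are set up outside this file.

```nginx
# Added example (not the article's configuration). Paths, names and limits are assumed.
user nginx;                          # workers run unprivileged; only the master process needs root

http {
    server_tokens off;               # no version on error pages or in the Server header

    # per-client connection and request-rate limits (anti-DoS)
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    # timeouts so slow clients cannot hold workers open
    client_body_timeout   10s;
    client_header_timeout 10s;
    send_timeout          10s;

    # bounded buffers and body size: oversized requests are rejected, not buffered
    client_body_buffer_size      16k;
    client_header_buffer_size    1k;
    large_client_header_buffers  2 4k;
    client_max_body_size         10m;    # covers the xls/xlsx uploads from section 10

    server {
        listen 443 ssl;
        server_name shop.example;                                  # assumed
        ssl_certificate     /etc/nginx/certs/shop.example.crt;     # assumed paths
        ssl_certificate_key /etc/nginx/certs/shop.example.key;

        limit_conn perip 20;                                       # concurrent connections per IP
        limit_req  zone=perip_req burst=20 nodelay;                # requests per second per IP
        limit_rate 512k;                                           # per-connection bandwidth

        deny 192.0.2.10;                                           # example: block one abusive address

        # static files: location and alias both end in "/", so /static../ cannot reach the parent
        location /static/ {
            alias /srv/www/static/;
            autoindex off;
        }

        # everything else goes to Tomcat; its interface paths and file paths are never exposed
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

After editing, run nginx -t before reloading so a syntax error in the limits or the alias does not take the barrier down with the site behind it.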
Web server and application server directory permission principles
- If a directory has write permission, do not assign execute permission; for example, the site's upload directory and database directory generally need write permission but must not be given execute permission.
- If a directory has execute permission, do not assign write permission; in general a directory only needs read permission.
- Deploy the application server and the database on different servers.
- The file owner should differ from the owner of the application server process (the files are generally owned by root).
- The control script only accesses files under the application project directory.
E-commerce Website Internet Security Defense Guide