Security issues to be aware of when developing a website

Source: Internet
Author: User
Tags: md5, encryption, least privilege

Original address: http://kk-kingboy.blog.163.com/blog/static/55354561200911313145623/

Because websites are attacked so often, the following summarizes the security issues that a web application needs to pay attention to:

Form data validation
Data must be validated before it enters the program. Unchecked input is the most common web application security vulnerability.
What to do: check every piece of input. Accept everything that is acceptable and reject everything that is not.
All submitted form data must be validated twice: once on the client with JavaScript before submission, and again on the server with the server-side script after submission, to make sure the data is legitimate. For required fields in particular, it is not enough to check on both the client and the server that a value was entered; the value must also be in the correct format. Keep in mind that client-side JavaScript validation is not a real check: a malicious user can simply disable script execution in the browser so that the client-side check never runs, then enter malicious content and submit the form successfully. For image upload functions, the format and size of the uploaded image must be verified against the requirements.

Prevent SQL injection attacks
The program must filter all data received from outside to guard against malicious attacks. The main characters and keywords to defend against are "' |script|exec|insert|select|delete|update|count|chr|mid|master|truncate|declare".
Use positive filtering rather than negative filtering. In other words, check what should be entered rather than checking what should not be entered.

Specifying only what must not be entered leaves too many loopholes, because there is far too much content that should not be entered. Positive filtering should check:
- Whether the value is empty (trim surrounding whitespace before deciding)
- Whether it is of the correct data type (string, integer, and so on)
- Whether the parameter is required
- Whether the character encoding is allowed
- Whether the input length reaches the maximum or minimum limit
- Whether null values are allowed
- If a number is expected, whether it falls within the allowed range
- Whether the input would create duplicate data and, if so, whether that is acceptable
- Whether the input matches the required format (using regular expressions, for example)
- If the content is chosen from a drop-down list, whether it is one of the valid values

Address bar variables need to be validated
Variables received from the address bar (the URL query string) must be checked for legitimacy. For example, if an article ID is received from the address bar, you need to verify that the ID is a number and that it contains no attack characters, and so on.
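The three points above (positive validation of form fields, rejecting injection rather than blacklisting keywords, and checking an address-bar ID) are demonstrated together in the following added example. It is not code from the original post; the field names, regular expressions, the numeric range and the in-memory SQLite table are assumptions made for the example. The vulnerable `find_by_author_unsafe` function is kept beside the safe one only to show what the parameterised query prevents.

```python
import re
import sqlite3

# Allow-list rules for the fields this example accepts (names and patterns are assumed).
ARTICLE_ID_RE = re.compile(r"^[0-9]{1,10}$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_article_id(raw):
    """Return the article id as an int, or None if the address-bar value is not acceptable."""
    value = (raw or "").strip()            # trim before checking for emptiness
    if not value:
        return None                         # required field: empty is rejected
    if not ARTICLE_ID_RE.fullmatch(value):
        return None                         # digits only, bounded length
    article_id = int(value)
    if not 1 <= article_id <= 2_000_000_000:
        return None                         # numeric range check
    return article_id


def validate_username(raw):
    """Positive check: length limits and an allowed character set, nothing else passes."""
    value = (raw or "").strip()
    if len(value) < 3 or len(value) > 20:
        return None
    if not USERNAME_RE.fullmatch(value):
        return None
    return value


def build_demo_db():
    """Constructed in-memory database with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, author TEXT, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "alice", "First post"),
        (2, "bob", "Second post"),
        (3, "alice", "Third post"),
    ])
    return conn


def find_by_author_unsafe(conn, author):
    # Vulnerable form: the value is spliced into the SQL text, so quotes in it become SQL.
    sql = "SELECT id, title FROM articles WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def find_by_author_safe(conn, author):
    # Parameterised query: the driver sends the value separately from the SQL text,
    # so it is always treated as data and never as SQL.
    return conn.execute("SELECT id, title FROM articles WHERE author = ?", (author,)).fetchall()


def get_article(conn, raw_id):
    """Address-bar style lookup: validate first, then query with a bound parameter."""
    article_id = validate_article_id(raw_id)
    if article_id is None:
        return None
    return conn.execute(
        "SELECT id, author, title FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
```

The validation functions implement the positive-filter checklist (required, type, length, range, format), and the parameterised queries make the keyword blacklist unnecessary for the database layer: even a value containing quotes or `select` is just a string to the driver.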

Prevention of cross-site attacks
When validating submitted data, to prevent cross-site attacks you can check whether the previous page belongs to this site. In addition, filter out <iframe>, <javascript> and <alert>, and above all replace "<" with "&lt;" and ">" with "&gt;".
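As an added example (not from the original post), the following shows both halves of this advice: output escaping for untrusted text, and a check that the previous page belongs to this site. It goes slightly beyond the text by also issuing a per-session anti-forgery token, since the Referer header is often absent and cannot be relied on alone. The hostname `www.example.com`, the comment markup and the in-memory token store are assumptions.

```python
import hmac
import html
import secrets
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # assumed hostname of this site


def escape_for_html(text):
    """Escape untrusted text before placing it in HTML.

    html.escape replaces < > & " and ', which covers the < and > replacements
    described above and also the quote characters that matter inside attributes.
    """
    return html.escape(text or "", quote=True)


def render_comment(author, body):
    """Build a comment fragment; every untrusted value is escaped, never filtered by keyword."""
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        escape_for_html(author), escape_for_html(body))


def referer_is_same_site(referer):
    """Coarse check that the previous page was on this site (the note's suggestion)."""
    if not referer:
        return False
    parsed = urlparse(referer)
    return parsed.scheme in ("http", "https") and parsed.hostname == SITE_HOST


_CSRF_TOKENS = {}   # session id -> token (constructed in-memory store)


def issue_csrf_token(session_id):
    """Embed the returned token in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    _CSRF_TOKENS[session_id] = token
    return token


def verify_csrf_token(session_id, submitted):
    """A form is accepted only if it carries the token issued to the same session."""
    expected = _CSRF_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)
```

Escaping at output time, rather than stripping `<script>` or `<iframe>` from input, neutralises every tag the same way, so a new tag name or an encoding trick does not need a new filter rule.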

Security of directories and folders
Users may only access content under the site directory; make sure they cannot reach directories outside it.
Where the program includes files, verify that every included file is in its expected location. To prevent illegal file inclusion, pay special attention to the use of "./" and "../".
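The containment check this advice calls for, as an added example that is not part of the original post. It resolves the requested path (following `..`, `.` and symlinks) and then confirms the result still lies under the site directory; the directory layout built by `make_demo_site` is constructed for the example.

```python
import os
import tempfile


def resolve_inside(base_dir, requested):
    """Return the absolute path for `requested` if it lies inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        return None                          # absolute requests would ignore base_dir
    # realpath collapses "." and ".." and follows symlinks, so a link inside the site
    # that points outside it is rejected too.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is the robust containment test: a plain prefix check would accept
    # /srv/site-backup when the base is /srv/site.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_include(base_dir, requested):
    """Read a file for inclusion only if it resolves inside the site directory."""
    path = resolve_inside(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as f:
        return f.read()


def make_demo_site():
    """Constructed layout: <tmp>/site/templates/header.inc plus <tmp>/outside.txt,
    which must stay unreachable. Returns the site directory."""
    root = tempfile.mkdtemp()
    site = os.path.join(root, "site")
    os.makedirs(os.path.join(site, "templates"))
    with open(os.path.join(site, "templates", "header.inc"), "w", encoding="utf-8") as f:
        f.write("HEADER")
    with open(os.path.join(root, "outside.txt"), "w", encoding="utf-8") as f:
        f.write("SECRET")
    return site
```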

All back-end (admin) pages need authorization checks
Users who have not logged in successfully may not access any back-end page. If the session is used for this check, its validity period cannot be too long; 15 minutes is proposed.
After a successful login, each operation still needs a check that the user has permission for that particular operation.
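An added example (not code from the original post) of the two checks described here: a session that expires after 15 minutes of inactivity, followed by a per-action permission check. The roles, the action names and the in-memory session store are assumptions; the `now` parameter exists so the timeout can be exercised without waiting.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60   # the 15-minute validity proposed above

_SESSIONS = {}   # token -> {"user", "role", "last_seen"} (constructed in-memory store)

# Assumed role model: which actions each role may perform.
PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete", "audit"},
}


def login(username, role, now=None):
    """Create a session after a successful login and return its random token."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"user": username, "role": role,
                        "last_seen": time.time() if now is None else now}
    return token


def current_user(token, now=None):
    """Return the session record if the token is valid and not expired, else None."""
    now = time.time() if now is None else now
    sess = _SESSIONS.get(token)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL_SECONDS:
        _SESSIONS.pop(token, None)    # expired: discard it so it can never be reused
        return None
    sess["last_seen"] = now           # idle timeout: activity extends the session
    return sess


def authorize(token, action, now=None):
    """Check login first, then whether the role may perform this specific action."""
    sess = current_user(token, now)
    if sess is None:
        return "login required"
    if action not in PERMISSIONS.get(sess["role"], set()):
        return "forbidden"
    return "ok"
```

Every back-end handler would call `authorize` with the action it performs; the point of the second check is that being logged in is not the same as being allowed to delete or audit.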

Key information needs to be encrypted
Key information such as passwords and session tokens must be encrypted before being saved to the database; storing it in clear text is not allowed. The MD5 hash is generally used.
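The post names MD5 for this; the following added example (not from the original post) instead uses a salted, iterated PBKDF2-HMAC-SHA256 hash from the standard library, because a single unsalted MD5 of a password can be looked up in precomputed tables. The stored-string format, the iteration count and the session-token handling are assumptions for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware


def hash_password(password):
    """Return 'pbkdf2_sha256$iterations$salt$hash' for storage; the password itself is never stored."""
    salt = secrets.token_bytes(16)                     # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
    except ValueError:
        return False                                   # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def new_session_token():
    """Session tokens are random, not derived from user data."""
    return secrets.token_urlsafe(32)


def session_token_fingerprint(token):
    """Store only a hash of the session token; look sessions up by fingerprint,
    so a copy of the table does not yield usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()
```

The iteration count is stored with the hash so it can be raised later without invalidating existing records: old records keep verifying with their own count and are re-hashed at the user's next login.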

Configuration file security
Configuration files in the program (above all the database connection configuration) need particular attention. A configuration file must not be directly accessible to users: its extension must not be .inc or .txt but an executable script extension such as .asp, .php, .jsp or .aspx, so that the server executes it rather than serving its contents.

Database security
Database files need particular attention. For programs that use an Access database, the database must not be downloadable directly from the browser: the path and file name of the database file must not be easy to guess, and the file extension must not be .mdb. You can also configure the server to forbid downloading this type of file.
Use least privilege to restrict the database user's permissions. With SQL Server or MySQL, consider giving browsing users read permission only, and back-end users read, write and delete permissions.

Release of resources
After a critical resource has been used, the program must explicitly release and close it. This applies especially to resources such as database connections and file handles.
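One added example (not from the original post) covering both the least-privilege split from the database section and the explicit release of connections described here. On MySQL or SQL Server the split would be done with GRANT statements for two database users; the example uses SQLite's read-only `mode=ro` connection as a stand-in, and the temporary database it builds is constructed for the example.

```python
import contextlib
import os
import sqlite3
import tempfile


def create_demo_db():
    """Constructed example database in a temporary file; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "site.db")
    # contextlib.closing guarantees close(); a connection's own `with` only manages
    # the transaction and leaves the handle open.
    with contextlib.closing(sqlite3.connect(path)) as conn:
        with conn:   # commit on success, roll back on error
            conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
            conn.execute("INSERT INTO posts (title) VALUES ('hello')")
    return path


def connect_for(path, role):
    """Browsing users get a read-only connection; back-end users get read-write.
    (Stand-in for separate database accounts with different GRANTs.)"""
    if role == "browse":
        return sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    if role == "backoffice":
        return sqlite3.connect(path)
    raise ValueError("unknown role")


def list_titles(path, role):
    """Read access works for both roles; the connection is always closed on exit."""
    with contextlib.closing(connect_for(path, role)) as conn:
        return [row[0] for row in conn.execute("SELECT title FROM posts ORDER BY id")]


def delete_post(path, role, post_id):
    """Return True on success, False if the role's privileges do not allow writes."""
    with contextlib.closing(connect_for(path, role)) as conn:
        try:
            with conn:
                conn.execute("DELETE FROM posts WHERE id = ?", (post_id,))
            return True
        except sqlite3.OperationalError:
            # "attempt to write a readonly database" for the browse role
            return False
```

Because the public-facing code path can only ever obtain the read-only connection, a bug in that code path cannot turn into a data-modifying one, which is the point of the least-privilege split.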

Prevent overly detailed error messages
Attackers often enter wrong content deliberately, then analyse the error messages the system returns to obtain system information and discover possible vulnerabilities. For sites that use an Access database, an overly detailed error message may expose the path of the database file.
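As an added example (not from the original post), the following pattern keeps the detailed error, including the database path, in the server log and returns only a generic message with a reference number to the user; the reference lets an operator find the full entry later. The logger name and message wording are assumptions.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("webapp")   # written to the server log, never sent to the browser


def open_database(path):
    """Try to open an existing database. Returns (ok, message); the message is safe to show users."""
    try:
        conn = sqlite3.connect("file:%s?mode=rw" % path, uri=True)   # mode=rw: do not create
        conn.execute("SELECT 1")
        conn.close()
        return True, "ok"
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        # Full detail (path, driver message) goes to the log with the reference number.
        log.error("database open failed [%s]: path=%s error=%s", ref, path, exc)
        # The user sees neither the path nor the driver's message.
        return False, "A server error occurred (reference %s)." % ref
```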

Friendly operation feedback
During an operation, give the user friendly feedback so they know whether there is a problem with what they did and where it lies. For example, if a user submits the member registration form but forgets to fill in some fields, the missing items can be highlighted in an eye-catching colour; ideally the prompt is shown with Ajax so the page does not reload, which improves the user experience. For some back-end operations, such as delete and audit, the user must confirm before the operation executes. Whether the operation succeeds or fails, the user needs to be told.

Use of verification codes (CAPTCHAs)
User registration, login, questionnaires, online feedback, comments and similar functions need a verification code to prevent robots from bypassing limits and submitting spam.
