1: Content-Security-Policy
Content Security Policy (CSP) is a security mechanism, originally developed by Mozilla, that improves browser security. It lets a website declare a content security policy that tells the browser explicitly which content is legitimate, so the browser can refuse to load malicious content. CSP mainly targets web application vulnerabilities such as XSS and cross-site request forgery. We strongly recommend enabling CSP violation reporting so that you can see which content is violating the policy.
On the web, the policy is delivered through an HTTP header or a meta element. Neither mechanism exists in the Chrome extension system; an extension instead defines its policy in the manifest.json file:
{
...,
"content_security_policy": "[policy string goes here]"
...
}
For more information about CSP syntax, see W3C Content Security Policy specifications.
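As an added example, not code from the original post, the following auditor parses a CSP policy string (the same form that goes into the manifest key above or into the HTTP header) and flags the weak source expressions that most often undo the XSS protection. The pattern list and the two sample policies are this example's own choices, not a complete rule set.

```python
"""Parse a Content-Security-Policy string and flag weak source expressions.

Added example (not code from the original post). It audits a policy string
such as the one that goes into the "content_security_policy" manifest key or
the HTTP header. The weak patterns it looks for (wildcards, 'unsafe-inline',
'unsafe-eval', plaintext http: sources, a missing default-src) are this
example's own selection, not a complete rule set.
"""
from typing import Dict, List

# Directives that control where resources may be fetched from.
FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src",
                    "connect-src", "object-src", "frame-src", "font-src"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are separated by ';'; the first token is the directive name
    (case-insensitive), the remaining tokens are its source expressions.
    A directive that appears twice keeps only its first occurrence, as the
    specification requires.
    """
    result: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in result:
            result[name] = tokens[1:]
    return result


def audit_csp(policy: str) -> List[str]:
    """Return one finding per weak pattern found in the policy."""
    directives = parse_csp(policy)
    findings: List[str] = []
    for name, sources in directives.items():
        if name not in FETCH_DIRECTIVES:
            continue
        if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
            findings.append(f"{name}: 'unsafe-inline' allows inline scripts, which defeats the XSS protection")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name}: 'unsafe-eval' allows eval()-style code execution")
        if "*" in sources:
            findings.append(f"{name}: wildcard '*' allows loading from any origin")
        findings.extend(f"{name}: source {src} is fetched over plaintext http:"
                        for src in sources if src.lower().startswith("http:"))
    if "default-src" not in directives:
        findings.append("default-src missing: any fetch directive not listed is unrestricted")
    return findings


# Constructed sample policies for the example.
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' http://cdn.example"
STRICT_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, audit_csp(policy) or ["no findings"])
```

Run it against your own policy string before shipping; the strict sample produces no findings, while the weak one is flagged for the wildcard, the inline-script allowance and the plaintext CDN source.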
2: Set X-Frame-Options
All modern browsers support the X-Frame-Options HTTP header, which lets a page declare whether it may be rendered inside an iframe. By sending the X-Frame-Options header, web developers can immediately help users, from IE8 onwards, mitigate the threat of various web application attacks.
X-Frame-Options takes one of two values:
DENY: the page cannot be displayed in a frame at all. Any attempt to load it through an <IFRAME> or <FRAME>, whether from the same website or from another website, fails.
SAMEORIGIN: the page may be displayed in a frame only by pages of the same website. Loading it in a frame on another website fails.
3: Prevent CSRF (cross-site request forgery) attacks
We recommend adding a random token to every form and verifying it on submission, so that users cannot be attacked through CSRF. I wrote a detailed article on FreeBuf about protecting against cross-site request forgery; refer to it for details.
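The per-form token scheme described above, as an added example that is not code from the original post: the token is an HMAC over the session id and a fresh nonce, so a token captured from one session does not validate in another, and the comparison is constant-time. The function names, the form handler and the server secret are this example's own assumptions.

```python
"""Per-session anti-CSRF tokens bound with an HMAC.

Added example, not from the original post. The token is derived from a
server-side secret and the session id, so a token stolen from one session
does not validate in another; a random nonce is included so each form gets
a distinct token. Names (make_csrf_token, verify_csrf_token, handle_form_post)
and the secret value are this example's own.
"""
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from its configuration.
SERVER_SECRET = b"example-only-secret-change-me"


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def make_csrf_token(session_id: str) -> str:
    """Return 'nonce.mac' where mac = HMAC(secret, session_id || nonce)."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    if len(nonce) != 32 or any(c not in "0123456789abcdef" for c in nonce):
        return False
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def handle_form_post(session_id: str, form: dict) -> str:
    """Simulated form handler: reject the request unless the token checks out."""
    token = form.get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: form accepted"


if __name__ == "__main__":
    sid = "session-abc123"
    tok = make_csrf_token(sid)
    print(handle_form_post(sid, {"csrf_token": tok}))               # accepted
    print(handle_form_post("other-session", {"csrf_token": tok}))   # rejected
    print(handle_form_post(sid, {}))                                # rejected
```

Because the MAC is keyed and bound to the session id, the server does not need to store issued tokens; it only needs the session id it already has when the form comes back.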
4: DAL (data/database access layer)
DALS labels.
5: Prohibit writing to the file system
Configure the server correctly so that the account the website runs as cannot write files to the file system.
6: Security log audit
Log data can quickly help you find the traces an attacker leaves behind. Some log analysis systems, for example OSSEC and Zabbix, can analyze IIS, Apache, Nginx, Windows, Linux and other logs in real time; they are used to build a library of attack signatures and to generate an alert immediately when attack behaviour is detected.
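A small version of that signature-plus-threshold approach, as an added example that is not code from the original post or from any of the tools named: it parses Apache/Nginx combined-format access log lines, matches the decoded request path against a few signatures, and alerts when one client accumulates too many 404 responses. The signatures, the threshold and the sample log lines are all constructed for this example.

```python
"""Scan web-server access logs for suspicious request patterns.

Added example, not from the original post. It parses lines in the Apache/Nginx
"combined" log format and raises an alert when a client exceeds a 404 threshold
(typical of probing for hidden paths) or when a request path matches one of a
few constructed signatures. The signature list, the threshold and the sample
log lines are constructed for this example, not taken from any real system.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed signatures: fragments that should not appear in legitimate request paths.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1)"),
    "xss-probe": re.compile(r"(?i)<script"),
}

NOT_FOUND_THRESHOLD = 3  # alert when one IP produces more 404s than this

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 169
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /backup.zip HTTP/1.1" 404 169
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /.git/config HTTP/1.1" 404 169
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /item?id=1'%20OR%20'1'='1 HTTP/1.1" 200 880
198.51.100.9 - - [10/Oct/2023:13:57:11 +0000] "GET /download?f=../../etc/passwd HTTP/1.1" 403 120
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[str]:
    """Return alert strings for signature hits and for clients over the 404 threshold."""
    alerts: List[str] = []
    not_found: Counter = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a production scanner would count these too
        path = unquote(rec["path"])  # decode %xx so encoded payloads are matched
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(f"{name} from {rec['ip']}: {rec['method']} {path}")
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    for ip, n in not_found.items():
        if n > NOT_FOUND_THRESHOLD:
            alerts.append(f"scanning: {ip} produced {n} 404 responses")
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample input this produces three alerts: one signature hit for each of the two requests from 198.51.100.9, and a scanning alert for 198.51.100.7, whose four 404s exceed the threshold.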
7: Encrypted storage
As the earlier password leaks at CSDN and Century Jiayuan showed, many sites still store user passwords in plain text or with an outdated hash algorithm, so an attacker who obtains the data can easily recover user information. On some sites many features depend on the existing database design and its structured data, which makes it very difficult to change the users' hash algorithm later.
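The second problem above, a hash scheme that cannot be changed later, is avoided by storing the algorithm, iteration count and salt next to the hash. As an added example that is not code from the original post, the following contrasts the outdated unsalted-MD5 scheme with PBKDF2-HMAC-SHA256 from the Python standard library and includes a check that tells you when a stored record should be re-hashed under the current policy. The record format and function names are this example's own.

```python
"""Salted, iterated password hashing with the standard library.

Added example, not from the original post. It contrasts the outdated
unsalted-MD5 scheme with PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac), stores the
algorithm, iteration count and salt alongside the hash so the scheme can be
upgraded later, and verifies in constant time. The record format and the
function names are this example's own.
"""
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # raise over time; stored per record so old hashes still verify


def legacy_md5(password: str) -> str:
    """The outdated scheme: unsalted MD5. Identical passwords give identical
    hashes and precomputed tables break it quickly. Shown only for contrast."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in the stored record and compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record uses an older scheme or fewer iterations than current policy.

    Call this after a successful login, while the plaintext is available, and
    store hash_password(password) if it returns True. This is how a site
    migrates away from an outdated algorithm without a bulk reset.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
    print(needs_rehash(legacy_md5("anything")))                     # True: legacy record
```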
8: SSL, HttpOnly cookies and STS
Any website that does not support SSL-encrypted transport is vulnerable to man-in-the-middle attacks. Cookies that are not marked HttpOnly, and sites that do not set STS (Strict Transport Security), are vulnerable to cross-site attacks.
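The header checks from sections 2 and 8 can be automated in one place. As an added example that is not code from the original post, the function below takes a dictionary of response headers (as a test client or proxy would capture them) together with the scheme the page was served over, and reports a missing or weak X-Frame-Options header, a missing or short Strict-Transport-Security header, and Set-Cookie headers that lack HttpOnly or Secure. The sample header sets and the six-month HSTS minimum are this example's own choices.

```python
"""Audit response headers for X-Frame-Options, HSTS and cookie flags.

Added example, not from the original post, covering sections 2 and 8. It
inspects a dictionary mapping header name -> list of values (a server test or
proxy can build this) and reports what is missing or weak. The sample header
sets are constructed for the example; the six-month HSTS minimum is this
example's own policy choice.
"""
from typing import Dict, List

Headers = Dict[str, List[str]]
HSTS_MIN_AGE = 60 * 60 * 24 * 180  # six months, in seconds


def audit_frame_options(headers: Headers) -> List[str]:
    """Expects lower-cased header names. Only DENY and SAMEORIGIN are accepted."""
    values = headers.get("x-frame-options", [])
    if not values:
        return ["X-Frame-Options missing: any site may frame this page"]
    if values[0].strip().upper() in ("DENY", "SAMEORIGIN"):
        return []
    return [f"X-Frame-Options value '{values[0]}' is not DENY or SAMEORIGIN; treat the page as frameable"]


def audit_hsts(headers: Headers, scheme: str) -> List[str]:
    """STS only matters on HTTPS; on plain HTTP the whole response is exposed."""
    if scheme != "https":
        return ["served over plain HTTP: exposed to man-in-the-middle tampering"]
    values = headers.get("strict-transport-security", [])
    if not values:
        return ["Strict-Transport-Security missing: a first visit can be downgraded"]
    max_age = 0
    for part in values[0].split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1])
            except ValueError:
                max_age = 0
    if max_age < HSTS_MIN_AGE:
        return [f"Strict-Transport-Security max-age={max_age} is short; six months or more is usual"]
    return []


def audit_cookies(headers: Headers, scheme: str) -> List[str]:
    """Each Set-Cookie should carry HttpOnly, and Secure when served over HTTPS."""
    findings: List[str] = []
    for raw in headers.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly, readable by script")
        if scheme == "https" and "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure, may be sent over plain HTTP")
    return findings


def audit_response(headers: Headers, scheme: str = "https") -> List[str]:
    """Normalise header names to lower case and run all three checks."""
    h = {k.lower(): list(v) for k, v in headers.items()}
    return audit_frame_options(h) + audit_hsts(h, scheme) + audit_cookies(h, scheme)


# Constructed sample responses for the example.
WEAK_HEADERS: Headers = {"Set-Cookie": ["SESSIONID=abc123; Path=/"]}
HARDENED_HEADERS: Headers = {
    "X-Frame-Options": ["SAMEORIGIN"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": ["SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    print("weak:", audit_response(WEAK_HEADERS))
    print("hardened:", audit_response(HARDENED_HEADERS) or ["no findings"])
```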
9: Build a security framework
Build a security framework suited to the enterprise. When programmers write code they call the framework to handle all harmful user input, such as XSS, SQL injection and command injection payloads, which reduces the security risk to a certain extent.
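Sections 4 and 9 point at the same design: keep all SQL inside a data access layer that binds user input as parameters, and encode on output so stored text cannot turn into script. As an added example that is not code from the original post, the following minimal DAL uses an in-memory SQLite database with constructed rows; the table, class and function names are this example's own.

```python
"""A minimal data access layer that only issues parameterized queries.

Added example, not from the original post, for sections 4 and 9. Application
code never concatenates user input into SQL; the DAL passes it as a bound
parameter, so a quote character in the input is data, not syntax. Text sent to
HTML goes through html.escape so stored content cannot become script. Uses an
in-memory SQLite database with constructed rows; table, class and function
names are this example's own.
"""
import html
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str, str]


class UserDAL:
    """All SQL lives here; callers pass values, never SQL fragments."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, display_name TEXT)")

    def add_user(self, username: str, display_name: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO users (username, display_name) VALUES (?, ?)", (username, display_name))
        self.conn.commit()
        return cur.lastrowid

    def find_by_username(self, username: str) -> Optional[Row]:
        # '?' placeholder: the driver binds the value; the string is never spliced into the SQL.
        cur = self.conn.execute(
            "SELECT id, username, display_name FROM users WHERE username = ?", (username,))
        return cur.fetchone()

    def search_display_name(self, fragment: str, limit: int = 10) -> List[Row]:
        # Binding alone does not neutralise LIKE wildcards, so escape them as well;
        # otherwise a user could widen the search with '%' or '_'.
        escaped = fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        cur = self.conn.execute(
            "SELECT id, username, display_name FROM users "
            "WHERE display_name LIKE ? ESCAPE '\\' LIMIT ?",
            (f"%{escaped}%", limit))
        return cur.fetchall()


def render_profile(row: Row) -> str:
    """Encode on output: stored text is shown as text, never interpreted as HTML."""
    _, username, display_name = row
    return f"<h1>{html.escape(display_name)}</h1><p>@{html.escape(username)}</p>"


if __name__ == "__main__":
    dal = UserDAL()
    dal.add_user("alice", "Alice <admin>")
    dal.add_user("bob", "Bob 100%")
    print(dal.find_by_username("alice"))
    print(dal.find_by_username("alice' OR '1'='1"))   # None: treated as a literal username
    print(dal.search_display_name("100%"))            # only the row containing a literal '%'
    print(render_profile(dal.find_by_username("alice")))
```

The two defences are independent: parameter binding protects the query, and output encoding protects the page that displays the result; a framework that does only one of them leaves the other class of bug in place.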
10: Set autocomplete=off and require strong passwords
The AutoComplete control means that when a user types the first few letters or Chinese characters into a text box, the control suggests every stored entry that starts with those characters, taken from the page's text or from a database, for convenience. That convenience also brings a certain security risk: an attacker may recover historical input, such as passwords, that users have typed.