Web Security Records

Source: Internet
Author: User

Frontend

CSRF (cross-site request forgery)
The client adds a pseudo-random token to each state-changing request and the backend verifies it
Verification code (CAPTCHA)
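The token scheme the two notes above describe, as an added example that is not part of the original notes: the client carries a random nonce, and the backend accepts the request only when the nonce's HMAC (bound to the session) verifies. `SERVER_KEY`, `handle_transfer` and the session ids are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment loads it from configuration
# so it survives restarts, rather than regenerating it per process as here.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to the caller's session.

    Layout: <random nonce>.<HMAC-SHA256(key, session_id + ":" + nonce)>.
    The nonce is the page's "pseudo-random number"; the MAC ties it to the
    session so a token leaked from one session is useless in another.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Backend check: recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(session_id: str, form: dict) -> str:
    """Simplified state-changing handler: refuse unless the submitted token verifies."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return f"accepted: transfer of {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "session-123"  # constructed session id
    tok = issue_csrf_token(sid)
    print(handle_transfer(sid, {"csrf_token": tok, "amount": "10", "to": "bob"}))
    # A form submitted from another origin has no way to learn the victim's token:
    print(handle_transfer(sid, {"amount": "10", "to": "other"}))
```

The token is embedded in the page's form (hidden field) and sent back with the POST; the session id comes from the session cookie, which the cross-site page cannot read, so the two values only line up for a request the user's own page issued.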
Man-in-the-middle attack
SSL certificate encryption
XSS (cross-site scripting) vulnerability; Microsoft's automatic character validation
Encode text before presenting it
Render tag text as plain text so it displays literally; filter script content in particular
Cookie HttpOnly
With HttpOnly set, JS cannot access the cookie, which provides protection in certain situations
Domain setting
Cookie domain matching principle: a cookie whose domain is written in the form .abc.com is sent with requests to every subdomain of abc.com on port 80; otherwise it is not sent
Minimize authorization
Secure: when this attribute is enabled, the browser sends the cookie only in HTTPS requests
Cookie basics
Name: cannot contain special characters; it can be encoded before use
Value: can be encoded or encrypted
Expires: expiration time in GMT format; if none is set, the cookie is deleted automatically when the browser closes
Path: allowed path; "/" means the whole site
Domain: the subdomain the cookie applies to
Secure: if enabled, the cookie is sent only over HTTPS
HttpOnly: scripts (JS, applets) cannot read the cookie
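The cookie scoping rules above (Domain matching, Path, Secure) and the hardened Set-Cookie attributes, as an added example that is not part of the original notes. It models the browser-side decision of whether a cookie is attached to a request and builds a Set-Cookie header with Python's standard `http.cookies`; the cookie dict layout and the `.abc.com` hosts are constructed for the example.

```python
from http.cookies import SimpleCookie


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 style domain-match.

    A cookie with Domain=.abc.com (leading dot optional) applies to abc.com and
    every subdomain such as www.abc.com, but not to notabc.com.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not domain:
        return False
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """Path=/ covers the whole site; Path=/admin covers /admin and /admin/... only."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_applies(cookie: dict, host: str, scheme: str, path: str = "/") -> bool:
    """Would a browser attach `cookie` to a request for scheme://host/path?

    `cookie` is a constructed dict with keys domain, path and secure, i.e. the
    attributes listed in the notes above.
    """
    if cookie.get("secure") and scheme != "https":
        return False
    return domain_match(host, cookie["domain"]) and path_match(path, cookie.get("path", "/"))


def build_session_cookie(name: str, value: str, domain: str, expires_gmt: str = "") -> str:
    """Render a Set-Cookie header value carrying the hardening attributes recommended above."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["domain"] = domain
    jar[name]["path"] = "/"
    jar[name]["secure"] = True      # sent only over HTTPS
    jar[name]["httponly"] = True    # invisible to document.cookie
    if expires_gmt:                 # omit to get a session cookie deleted on browser close
        jar[name]["expires"] = expires_gmt
    return jar.output(header="").strip()


if __name__ == "__main__":
    session = {"domain": ".abc.com", "path": "/", "secure": True}
    print(cookie_applies(session, "api.abc.com", "https"))   # sent
    print(cookie_applies(session, "api.abc.com", "http"))    # withheld: Secure
    print(cookie_applies(session, "abc.com.evil.test", "https"))  # withheld: no domain match
    print(build_session_cookie("sid", "abc123", ".abc.com"))
```

`domain_match` is the part worth reading twice: a broad `Domain=.abc.com` means every subdomain, including ones run by other teams, receives the session cookie, which is why the notes say to minimize the scope.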

Backend

SQL injection
Prepared (precompiled) statements: client input is passed to SQL as a parameter, never spliced into the statement string
Turn off error display to avoid leaking program structure
Restrict the permissions of the database connection account (use separate accounts for data inserts and deletes)
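The first two notes side by side, as an added example that is not part of the original notes: the spliced query, the prepared statement, and an error handler that logs detail server-side but returns a generic message. The in-memory SQLite table and its rows are constructed for the example; account-level privilege separation (the third note) cannot be shown with SQLite and is left out.

```python
import logging
import sqlite3

log = logging.getLogger("db")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_spliced(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the notes warn against: client input spliced into the SQL text.

    The input is parsed as SQL syntax, so a quote inside it rewrites the WHERE clause.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the input is bound as a value and can only ever match a name."""
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def find_user_quietly(conn: sqlite3.Connection, name: str) -> dict:
    """Error display off: the real exception goes to the log, the client sees a fixed message."""
    try:
        return {"ok": True, "users": find_user_prepared(conn, name)}
    except sqlite3.Error as exc:
        log.error("user lookup failed: %s", exc)
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"          # constructed input containing a quote
    print(find_user_spliced(conn, payload))   # every row comes back
    print(find_user_prepared(conn, payload))  # no row has that literal name
```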
File upload
Check the extension (restrict to image formats)
Check the first two bytes of the file: a PNG starts with 0x89 0x50, a JPEG with 0xFF 0xD8
Get the width and height by initializing an image object; reject the file if either is <= 0
Rename the file (the upload directory is not shown by default; without renaming, an attacker can easily reach the file)
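The four upload checks above in one validator, as an added example that is not part of the original notes. Instead of an image library it reads the dimensions directly from the PNG IHDR chunk and the JPEG SOF segment, so it runs offline; `UPLOAD_DIR` and the sample files are constructed for the example.

```python
import os
import secrets
import struct

# Extension -> expected leading bytes (the notes' PNG 0x8950 and JPEG 0xFFD8)
MAGIC = {".png": b"\x89\x50", ".jpg": b"\xff\xd8", ".jpeg": b"\xff\xd8"}
UPLOAD_DIR = "/var/www/uploads"   # hypothetical storage location outside the web root

# Constructed sample inputs, not real uploads: a minimal PNG header, a minimal JPEG
# header with a baseline SOF0 segment, and a script carrying an image extension.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 64, 48) + b"\x08\x06\x00\x00\x00")
ZERO_PNG = SAMPLE_PNG[:16] + struct.pack(">II", 0, 48) + SAMPLE_PNG[24:]
SAMPLE_JPEG = (b"\xff\xd8\xff\xc0" + struct.pack(">H", 17) + b"\x08"
               + struct.pack(">HH", 16, 32) + b"\x03" + b"\x00" * 9 + b"\xff\xd9")
DISGUISED = b"<?php echo 1; ?>"


def png_dimensions(data: bytes):
    """Width/height from the IHDR chunk that follows the 8-byte PNG signature."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])   # (width, height)


def jpeg_dimensions(data: bytes):
    """Walk JPEG segments to the first SOF marker (C0/C1/C2) and read height/width."""
    i = 2  # skip SOI (FF D8)
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None
        while i + 1 < len(data) and data[i + 1] == 0xFF:   # fill bytes before a marker
            i += 1
        if i + 4 > len(data):
            return None
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):       # EOI or start of scan reached without a SOF
            return None
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    return None


def validate_upload(filename: str, data: bytes):
    """Apply extension, magic-byte, dimension and rename checks; return (ok, detail)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    dims = png_dimensions(data) if ext == ".png" else jpeg_dimensions(data)
    if dims is None or dims[0] <= 0 or dims[1] <= 0:
        return False, "not a decodable image"
    stored_name = secrets.token_hex(16) + ext    # the client-supplied name never reaches disk
    return True, os.path.join(UPLOAD_DIR, stored_name)


if __name__ == "__main__":
    print(validate_upload("photo.png", SAMPLE_PNG))
    print(validate_upload("shell.png", DISGUISED))   # magic bytes expose the mismatch
```

The checks are layered on purpose: the extension check alone is defeated by renaming, the magic-byte check alone by prepending two bytes, and the dimension check forces the file to at least parse as the format it claims; the random stored name then keeps the original name out of any URL.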
Authentication and session management
Password length and composition rules, encryption processing, verification code required after 3 failed attempts, at most 5 attempts per IP, payment password, SMS verification code
Session expiration time
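The authentication notes above as working logic, as an added example that is not part of the original notes: a password policy and salted hash, a guard that demands a verification code after 3 failures on an account and refuses further attempts after 5 failures from one IP, and a session with an expiry. The policy details, the PBKDF2 work factor and the 30-minute session lifetime are assumptions; the SMS and payment-password steps are not modelled.

```python
import hashlib
import hmac
import os
import re

CAPTCHA_AFTER = 3        # from the notes: verification code after 3 failures
IP_LIMIT = 5             # from the notes: at most 5 attempts per source IP
SESSION_TTL = 30 * 60    # assumed session lifetime in seconds
PBKDF2_ROUNDS = 100_000  # assumed work factor


def password_policy_ok(password: str) -> bool:
    """Length and composition rule (assumed: at least 8 chars with upper, lower and digit)."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Session:
    """Server-side session record that expires SESSION_TTL seconds after login."""

    def __init__(self, user: str, now: float):
        self.user = user
        self.expires_at = now + SESSION_TTL

    def is_valid(self, now: float) -> bool:
        return now < self.expires_at


class LoginGuard:
    """Counts failures per account and per IP and applies the two thresholds from the notes."""

    def __init__(self):
        self.user_failures = {}
        self.ip_failures = {}

    def attempt(self, user, ip, password, stored, captcha_ok=False, now=0.0):
        if self.ip_failures.get(ip, 0) >= IP_LIMIT:
            return "ip_blocked", None
        if self.user_failures.get(user, 0) >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required", None
        if check_password(stored, password):
            self.user_failures.pop(user, None)
            return "ok", Session(user, now)
        self.user_failures[user] = self.user_failures.get(user, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        return "failed", None


if __name__ == "__main__":
    stored = hash_password("Str0ngPassw")   # constructed credential
    guard = LoginGuard()
    for _ in range(3):
        print(guard.attempt("alice", "10.0.0.1", "wrong1234", stored)[0])
    print(guard.attempt("alice", "10.0.0.1", "Str0ngPassw", stored)[0])   # captcha_required
    print(guard.attempt("alice", "10.0.0.1", "Str0ngPassw", stored, captcha_ok=True)[0])
```

The per-account counter is what triggers the verification code; the per-IP counter is the separate, stricter cut-off, so the two limits are checked independently and the IP check comes first.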
Access control
Backend permission system: roles mapped to function points
