Some security problems that should not be neglected in the background of website

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Now most of the site is static generation, generally speaking, as long as we do a good job in the background of the security site, is not a big problem. Therefore, the security of the background is easy to ignore, to do a good job in the background of the security site, we must do the following points

1. Is the background username and password saved in plaintext?

It is recommended that the nickname field be added to distinguish the user in the background, while the user name and password are MD5 encrypted, such as after the 15-bit string is intercepted.

2, whether the management members have the right to divide

Once the permissions are not divided, an edit user's account theft can also have disastrous consequences for you

3, whether has the management log function

The management log must not be deleted in the last few days, which is an important basis for analyzing intruders ' intrusion techniques.

4, backstage entrance is secret

Do not foolishly expose the entrance to the foreground page, or use a background entry address that is easily guessed.

5. Does the background page use the meta-robots protocol to limit search engine crawling

Google Toolbar, Baidu toolbar, or inadvertently appear in the background link may cause your background page was found by search engines, this time in the meta to write to prohibit the capture of the statement is a wise choice, but, do not write the background address to robots.txt, referring to the 4th.

6, the management of the page has been done to prevent injection

Careless programmers tend to consider only the injection of the front page.

7. Access has custom database backup capabilities

This is the most notorious feature of the asp+access system, and custom database backups allow intruders to easily get Webshell

8. Is there a custom SQL statement execution function

With the 7th.

9, whether to open the online modify template function

If it is not necessary, it is recommended that you do not open it to prevent easy insertion of cross-site scripting.

10. Directly display the data submitted by the user

Any time, the user's input is not credible, imagine if the other side entered a malicious JS, and you do not have any protection in the background under the circumstances to open?

11, the editor's vulnerabilities are cleared, whether the meaningless function has been removed.

The most famous example is Ewebeditor database vulnerabilities, default username password vulnerabilities, etc.

For the security of the site backstage, any part of the negligence can lead to disastrous consequences, site security, heavy responsibilities, we must always pay attention to.

Articles from http://www.920574.cn reprint please keep