Some security problems that should not be neglected in the background of website

Source: Internet
Author: User

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Now most of the site is static generation, generally speaking, as long as we do a good job in the background of the security site, is not a big problem. Therefore, the security of the background is easy to ignore, to do a good job in the background of the security site, we must do the following points

1. Is the background username and password saved in plaintext?

It is recommended that the nickname field be added to distinguish the user in the background, while the user name and password are MD5 encrypted, such as after the 15-bit string is intercepted.

2, whether the management members have the right to divide

Once the permissions are not divided, an edit user's account theft can also have disastrous consequences for you

3, whether has the management log function

The management log must not be deleted in the last few days, which is an important basis for analyzing intruders ' intrusion techniques.

4, backstage entrance is secret

Do not foolishly expose the entrance to the foreground page, or use a background entry address that is easily guessed.

5. Does the background page use the meta-robots protocol to limit search engine crawling

Google Toolbar, Baidu toolbar, or inadvertently appear in the background link may cause your background page was found by search engines, this time in the meta to write to prohibit the capture of the statement is a wise choice, but, do not write the background address to robots.txt, referring to the 4th.

6, the management of the page has been done to prevent injection

Careless programmers tend to consider only the injection of the front page.

7. Access has custom database backup capabilities

This is the most notorious feature of the asp+access system, and custom database backups allow intruders to easily get Webshell

8. Is there a custom SQL statement execution function

With the 7th.

9, whether to open the online modify template function

If it is not necessary, it is recommended that you do not open it to prevent easy insertion of cross-site scripting.

10. Directly display the data submitted by the user

Any time, the user's input is not credible, imagine if the other side entered a malicious JS, and you do not have any protection in the background under the circumstances to open?

11, the editor's vulnerabilities are cleared, whether the meaningless function has been removed.

The most famous example is Ewebeditor database vulnerabilities, default username password vulnerabilities, etc.

For the security of the site backstage, any part of the negligence can lead to disastrous consequences, site security, heavy responsibilities, we must always pay attention to.

Articles from http://www.920574.cn reprint please keep

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.