Business Function Security Points Notes 1

Verification code:
1. Limit the number of failed verification attempts, and allow each verification code to be checked only once.
2. Keep the actual value of the verification code in the server-side session.
3. SMS and email verification codes should be more than 6 characters long and mix digits and letters; image captchas should include interference lines.

User login:
1. Limit the number of failed password attempts per user within a single time window.
2. Limit the number of login failures from the same IP, and throttle bulk logins from one source (enterprises, schools and other institutions that share an IP need a whitelist).
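The two limits above, as an added example that is not part of the original notes: a sliding-window counter of failed logins keyed by username and by source IP, with a whitelist so a shared institutional egress IP is not locked out. The window size, the two thresholds and the whitelisted address are constructed values for the example; `check_password` stands in for the application's own credential check.

```python
import time
from collections import defaultdict, deque

# Constructed limits for the example; tune them to the application's own policy.
WINDOW_SECONDS = 15 * 60         # failures are counted over a 15-minute window
MAX_USER_FAILURES = 5            # per user account within the window
MAX_IP_FAILURES = 20             # per source IP within the window
IP_WHITELIST = {"203.0.113.10"}  # constructed: an institution's shared egress IP


class LoginThrottle:
    """Sliding-window counters of failed logins, keyed by username and by source IP."""

    def __init__(self):
        self._user_failures = defaultdict(deque)
        self._ip_failures = defaultdict(deque)

    @staticmethod
    def _prune(window, now):
        # Drop failure timestamps that have aged out of the counting window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def is_blocked(self, username, ip, now=None):
        now = time.time() if now is None else now
        user_win = self._user_failures[username]
        self._prune(user_win, now)
        if len(user_win) >= MAX_USER_FAILURES:
            return True
        if ip in IP_WHITELIST:
            # Whitelisted institutions are exempt from the per-IP limit only;
            # the per-user limit above still applies to them.
            return False
        ip_win = self._ip_failures[ip]
        self._prune(ip_win, now)
        return len(ip_win) >= MAX_IP_FAILURES

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        self._user_failures[username].append(now)
        if ip not in IP_WHITELIST:
            self._ip_failures[ip].append(now)

    def record_success(self, username):
        # A successful login clears that account's failure history.
        self._user_failures.pop(username, None)


def attempt_login(throttle, username, password, ip, check_password, now=None):
    """Return 'blocked', 'ok' or 'bad_password'. check_password(username, password) -> bool."""
    if throttle.is_blocked(username, ip, now):
        # Refuse before checking the password, so a blocked caller learns nothing
        # about whether the guess was right.
        return "blocked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip, now)
    return "bad_password"
```

The block is refused before the password is checked, so a caller that has exhausted its attempts cannot use the "blocked" response to confirm a correct guess. The `now` parameter exists so the behaviour can be tested deterministically; in production it is left at its default.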

API login:
1. Issue a login key and bind it to the current host.
2. The login key (clientKey) must be unpredictable; include a random value in the key generation algorithm.
3. The API login endpoint must not be indexed by search engines.

User registration:
1. Require a verification code.
2. Use a unique identifier of the user's machine to block repeated registrations within a short period.
3. Learn to identify junk accounts from their account-name patterns (this needs further study).
4. Guard against SQL injection and XSS in the registration fields.

Password retrieval:
1. The phone number or email address that receives the verification code must not be supplied by the user; read it from the database.
2. Increase the complexity of the verification code to resist brute force.
3. Limit the number of incorrect SMS code attempts: if a single user fails 3 times within 30 minutes, block password retrieval for that user for half an hour.
4. Give the SMS code an expiry time.
5. Require an image captcha before sending the SMS code, to prevent SMS bombing and bulk retrieval.
6. Verify that the credentials submitted during retrieval belong to the user (that they match the user id and username).
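The "Verification code" and "Password retrieval" sections describe one mechanism from two sides, so here is a single added example (not code from the original notes) covering both: a server-side store of one-time codes that are letters plus digits, longer than 6 characters, expire, are consumed on the first check, are sent only to the phone number held in the user record, must match the account's user id, and lock the account for half an hour after 3 failures within 30 minutes. The `USERS` table, the code length of 8, the 5-minute code lifetime and the `send_sms` callback are assumptions made for the example.

```python
import hmac
import secrets
import string

CODE_ALPHABET = string.ascii_uppercase + string.digits  # letters and digits, as the notes require
CODE_LENGTH = 8           # assumed: "more than 6" characters
CODE_TTL = 5 * 60         # assumed: seconds a code stays valid
MAX_FAILURES = 3          # 3 failures ...
FAILURE_WINDOW = 30 * 60  # ... within 30 minutes ...
LOCKOUT = 30 * 60         # ... block retrieval for half an hour

# Constructed stand-in for the user table. The contact number is looked up here,
# never taken from the request.
USERS = {
    "alice": {"user_id": 1001, "phone": "+15550100"},
}


class PasswordRetrieval:
    def __init__(self, send_sms):
        self._send_sms = send_sms  # send_sms(phone, message): the SMS gateway, assumed
        self._pending = {}         # username -> {"code", "expires"}
        self._failures = {}        # username -> recent failure timestamps
        self._locked_until = {}    # username -> time the lockout ends

    def _is_locked(self, username, now):
        return self._locked_until.get(username, 0) > now

    def request_code(self, username, now):
        """Generate a one-time code and send it to the phone stored for this account."""
        user = USERS.get(username)
        if user is None or self._is_locked(username, now):
            # Same answer for unknown and locked accounts, so nothing is revealed.
            return False
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        # The real code lives only server-side; the client only ever sees the SMS.
        self._pending[username] = {"code": code, "expires": now + CODE_TTL}
        self._send_sms(user["phone"], f"Your password reset code is {code}")
        return True

    def verify_code(self, username, user_id, submitted, now):
        """Check a submitted code. Each issued code is consumed on its first check, right or wrong."""
        if self._is_locked(username, now):
            return False
        user = USERS.get(username)
        entry = self._pending.pop(username, None)  # one verification per code
        if user is None or entry is None:
            return False
        if user["user_id"] != user_id:
            # The submitted credentials must belong to this account.
            ok = False
        else:
            ok = now <= entry["expires"] and hmac.compare_digest(
                entry["code"].encode(), submitted.upper().encode())
        if not ok:
            self._record_failure(username, now)
        return ok

    def _record_failure(self, username, now):
        recent = [t for t in self._failures.get(username, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        self._failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT
            self._failures[username] = []
```

A wrong guess discards the pending code as well, so an attacker cannot keep guessing against one code; the user has to request a fresh one, which is itself refused while the account is locked and, per point 5 above, should sit behind an image captcha.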

Data view:
1. Verify user permissions (bind transaction records and address information to the owning user).
2. Take the user identity from the session, not from the request, so an attacker cannot change the user id.

Voting/Points/Lottery:
1. Prevent batch registration.
2. Verify a machine identification code; each machine generates a unique identifier from its hardware information.
3. Require the user to log in, and keep the user information in the session.

Recharge/payment:
Prevent the client from tampering with the unit price, total price and purchase quantity, and from making multiple purchases by exploiting a timing window (the mobile "QQ diamond brushing" trick is an example).
1. Ensure the data is trustworthy: the unit price and total price of the product must never be taken from the client.
2. The number of items must be greater than 0.
3. Payment locking: when a payment operation starts, lock the account immediately so two requests cannot operate on the balance at the same time.
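The "Data view" and "Recharge/payment" points together, as an added example that is not from the original notes: the wallet owner is checked against the user id held in the session, the unit price comes from a server-side catalogue and the client supplies only a product id and a quantity, the quantity must be a positive integer, and the balance check and debit happen under a per-account lock so concurrent requests cannot both spend the same balance. The `CATALOG`, the wallet store and the `race` helper that fires concurrent purchases are constructed for the example.

```python
import threading

# Constructed catalogue: prices are looked up here, never read from the request.
CATALOG = {"vip_month": 1000}  # price in cents


class PaymentError(Exception):
    pass


class Wallet:
    """Per-account balance guarded by its own lock so payments on it serialize."""

    def __init__(self, owner_id, balance):
        self.owner_id = owner_id
        self.balance = balance
        self.lock = threading.Lock()


class PaymentService:
    def __init__(self):
        self._wallets = {}
        self._orders = []

    def create_wallet(self, wallet_id, owner_id, balance):
        self._wallets[wallet_id] = Wallet(owner_id, balance)

    def balance(self, wallet_id):
        return self._wallets[wallet_id].balance

    def purchase(self, session, wallet_id, sku, quantity):
        """Debit a wallet for `quantity` units of `sku`. Identity comes from the session only."""
        user_id = session["user_id"]  # never from the request body
        wallet = self._wallets.get(wallet_id)
        if wallet is None or wallet.owner_id != user_id:
            raise PaymentError("wallet does not belong to the logged-in user")
        if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity <= 0:
            raise PaymentError("quantity must be a positive integer")
        unit_price = CATALOG.get(sku)
        if unit_price is None:
            raise PaymentError("unknown product")
        total = unit_price * quantity  # computed server-side, not trusted from the client
        with wallet.lock:  # the whole check-then-debit runs under the account lock
            if wallet.balance < total:
                raise PaymentError("insufficient balance")
            wallet.balance -= total
            order = {"user_id": user_id, "sku": sku, "quantity": quantity, "total": total}
            self._orders.append(order)
        return order


def try_purchase(service, session, wallet_id, sku, quantity):
    """Return (True, order) on success or (False, reason) when the purchase is refused."""
    try:
        return True, service.purchase(session, wallet_id, sku, quantity)
    except PaymentError as exc:
        return False, str(exc)


def race(service, session, wallet_id, sku, quantity, n_threads):
    """Fire n_threads purchases at once; return (successes, refusals)."""
    barrier = threading.Barrier(n_threads)
    results = []
    lock = threading.Lock()

    def worker():
        barrier.wait()  # release all threads together to maximise overlap
        ok, _ = try_purchase(service, session, wallet_id, sku, quantity)
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count(True), results.count(False)
```

Without the `with wallet.lock:` block, two requests could both pass the balance check before either debit lands, which is exactly the timing window the section warns about. In a real deployment the lock would be a database row lock or a distributed lock rather than an in-process `threading.Lock`, since requests arrive at more than one process.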
