Password requirements:

- The password must not contain a continuous string (repeated or sequential characters).
- The password must not contain personal information, company information, or easily guessed sensitive strings related to the solution (so that the password cannot be guessed).
- The password must be at least eight characters long (to increase the difficulty of guessing).
- Do not use the default password or an empty password.
- Use uppercase letters (A-Z), lowercase letters (a-z), digits (0-9) and special characters; the password policy should be defined in the system's password settings.
- Change passwords regularly.
For reference, the following "expert" passwords show a fun, quick way to set a strong password:

- `ppnn13%dkstFeb.1st` - "slender and graceful, a little past thirteen; a cardamom bud on the branch tip in early February"
- `Tree_0f0 = sprintf("2_Bird_ff0/a")` - "two orioles sing in the green willows"
- `csbt34.ydhl12s` - "three or four spots of green moss on the pond; one or two calls of an oriole beneath the leaves"
- `? Hold fish: palm` - "you cannot have both the fish and the bear's paw"
- `FLZX3000cY4yhx9day` - "flying straight down three thousand feet, as if the Milky Way were falling from the ninth heaven"

Each one is built from the initials of a well-known line of verse, with the numbers in the line written as digits and symbols mixed in, so it is long and mixed-character yet easy to remember.
Web application security business self-examination checklist

| Business function | Self-examination and security items | Risk level |
|---|---|---|
| Login | 1. Do not use weak passwords! Set complex passwords. | High |
| | 2. The login function should use a secondary authentication mechanism such as a CAPTCHA/verification code, and the code should be invalidated and refreshed after every login attempt, whether it succeeds or fails. | Medium |
| | 3. Passwords and other sensitive information should be transmitted encrypted. | Medium |
| | 4. Systems exposed outside the internal network should transmit login information over HTTPS. | High |
| | 5. The login failure message should be vague, such as "username or password is incorrect" or "login failed". | Low |
| Registration | 1. There should be a secondary verification mechanism, such as verification by phone or email. | High |
| | 2. SMS interfaces should rate-limit requests for the same phone number. | Low |
| Password recovery | 1. There should be a secondary verification mechanism, such as verification by phone or email; the phone number or email address that has to be verified must not be modifiable during recovery. | High |
| | 2. SMS interfaces should rate-limit requests for the same phone number. | Low |
| | 3. The legitimacy of each step should be checked step by step. | Medium |
| Logout | 1. The authentication session should have an expiration time configured; 60 minutes is generally recommended. | Low |
| | 2. Clicking log out should destroy the server-side authentication session and expire the client cookie. | Medium |
| Upload | 1. Uploaded file types should be limited by a whitelist of file suffixes that the business needs. | High |
| | 2. Permissions on the upload directory should be restricted; the upload directory and uploaded files must not be given execute permission. | Medium |
| Download | 1. Downloads should be confined to a fixed directory; path traversal such as ../../ to access other files must not be allowed. | High |
| | 2. Access to sensitive resources should be controlled, allowing downloads only by authorized roles. | High |
| Cross-domain interface requirements | When CORS is used for cross-domain access, the CORS security configuration: | |
| | 1. Access-Control-Allow-Origin should be set from a whitelist of Origin domains. | Medium |
| | 2. The Access-Control-Allow-Credentials header may be set only when cookies actually need to be carried, and then a fine-grained Origin whitelist must be provided. | High |
| | JSONP interfaces: | |
| | 1. The request source must be strictly limited with a Referer whitelist. | High |
| Network resource calls | 1. A whitelist of URLs allowed to be called should be defined; requests to internal-network addresses should be strictly restricted. | High |
| System command calls | 1. A whitelist should define which system commands may be called. | High |
| Sensitive user interfaces | 1. Use a whitelist or a Referer restriction on the request source, plus a token mechanism to verify the identity of the request initiator. | High |
| | 2. Application operation logs should be recorded. | Medium |
| | 3. Sensitive user interfaces such as payment and orders should use pessimistic or optimistic locking to guarantee the ACID properties of transactions and resolve concurrency races. | High |
| | 4. Operations on sensitive resources should check on the server that the owner identified by the resource matches the currently logged-in user. | High |
| Vulnerability scanning | 1. Before going live, scanning tools should be used to scan and test the system and confirm there are no vulnerabilities or security risks. | Required |
| Code security audit | 1. Before going live, code scanning tools should be used to scan the code and confirm there are no vulnerabilities or security risks. | Required |
| Data security | Data processing: | |
| | 1. User-controllable input that is echoed or ultimately output to a page should be escaped with the company's security encoding components before output. | Medium |
| | 2. SQL statements should use prepared statements (precompiled); for clauses that cannot be precompiled, such as ORDER BY, a whitelist should control the input users are allowed to supply. | High |
| | 3. Sensitive fields (such as phone number, ID number, bank card number) should be masked when displayed on the front end. | Medium |
| | Data transmission: | |
| | 1. Internet-facing systems should use HTTPS to transmit data. | Medium |
| | 2. Sensitive fields should be masked or encrypted. | Medium |
| | Data storage: | |
| | 1. Logs should not contain plaintext or unmasked sensitive data. | Low |
| | 2. Sensitive data should be stored encrypted. | Medium |
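An added Python example (not part of the original checklist) of the two CORS rules in the table: the Origin header is echoed only when it exactly matches a whitelisted origin, and Access-Control-Allow-Credentials is emitted only when the endpoint needs cookies and the origin is on a stricter second whitelist. The whitelists and host names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed whitelists for the example; real values come from deployment config.
ORIGIN_WHITELIST = {"https://app.example.com", "https://admin.example.com"}
# The "refined" whitelist: only these origins may make credentialed (cookie) requests.
CREDENTIALED_ORIGINS = {"https://app.example.com"}


def normalize_origin(origin_header):
    """Return 'scheme://host[:port]' in lower case, or None if the header is
    missing, the opaque 'null' origin, or not a plain http(s) origin."""
    if not origin_header or origin_header == "null":
        return None
    parts = urlsplit(origin_header)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(origin_header, needs_cookies: bool) -> dict:
    """Build the CORS response headers for one request.

    Exact-match against the whitelist means prefix/suffix tricks such as
    app.example.com.evil.example or userinfo@ forms are not matched, and the
    Origin is never blindly reflected or replaced by '*'.
    """
    origin = normalize_origin(origin_header)
    if origin is None or origin not in ORIGIN_WHITELIST:
        return {}  # no CORS headers at all: the browser blocks the cross-origin read
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if needs_cookies:
        if origin not in CREDENTIALED_ORIGINS:
            return {}  # cookie-bearing endpoint, origin not on the refined list
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```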
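An added example for the download rule in the table (not from the original page): a Python helper that pins every requested file inside one fixed directory and refuses ../../ traversal, absolute paths and NUL bytes. The download directory is an assumed placeholder.

```python
from pathlib import Path

# Assumed placeholder for the fixed download directory (not from the original page).
DOWNLOAD_ROOT = Path("/srv/app/downloads")


def resolve_download(requested: str, root: Path = DOWNLOAD_ROOT):
    """Map a user-supplied file name onto a path inside root, or return None.

    The candidate is resolved (symlinks and '..' collapsed) and then required
    to be relative to the resolved root, so '../../etc/passwd', '/etc/passwd'
    and 'a/../../b' are all rejected, while 'a/../b.txt' stays inside root.
    """
    if not requested or "\x00" in requested:
        return None  # empty name or NUL byte: never a legitimate file request
    # Path.joinpath with an absolute operand discards root, so reject those up front.
    if Path(requested).is_absolute():
        return None
    root = root.resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the download directory via ../../
    return candidate
```

Apply this after the web framework has URL-decoded the parameter, and keep the separate role check from item 2 of the same row for sensitive files.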