Security Patterns
Essential security patterns for web applications.
OWASP Top 10 Quick Reference
| Rank | Vulnerability | Prevention |
|---|---|---|
| A01 | Broken Access Control | Check permissions server-side, deny by default |
| A02 | Cryptographic Failures | Use TLS, hash passwords, encrypt sensitive data |
| A03 | Injection | Parameterized queries, validate input |
| A04 | Insecure Design | Threat modeling, secure defaults |
| A05 | Security Misconfiguration | Harden configs, disable unused features |
| A06 | Vulnerable Components | Update dependencies, audit regularly |
| A07 | Auth Failures | MFA, rate limiting, secure session management |
| A08 | Data Integrity Failures | Verify signatures, use trusted sources |
| A09 | Logging Failures | Log security events, protect logs |
| A10 | SSRF | Validate URLs, allowlist destinations |
Input Validation
```python
# WRONG - Trust user input (the value is spliced into the SQL text)
def search(query):
    return db.execute(f"SELECT * FROM users WHERE name = '{query}'")

# CORRECT - Parameterized query (the value is bound, never parsed as SQL)
def search(query):
    return db.execute("SELECT * FROM users WHERE name = ?", [query])
```
Validation Rules
Always validate:
- Type (string, int, email format)
- Length (min/max bounds)
- Range (numeric bounds)
- Format (regex for patterns)
- Allowlist (known good values)
Never trust:
- URL parameters
- Form data
- HTTP headers
- Cookies
- File uploads
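The two rules above, validation before use and parameter binding at the query, combined in one runnable piece. This is an added example, not code from the cheat sheet; it uses Python's standard `sqlite3` module with a constructed in-memory `users` table, and the `ALLOWED_SORT` allowlist is there because SQL identifiers (column names) cannot be bound as parameters and so need a different control than values do.

```python
# Added example (not from the original cheat sheet): validated, parameterized
# search against an in-memory SQLite database. Table and rows are constructed here.
import re
import sqlite3

# Rules applied before a value reaches the database: type, length bounds,
# format (letters, digits, underscore only) and, for the sort column, an
# allowlist, since identifiers cannot be bound as SQL parameters.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
ALLOWED_SORT = {"name", "created_at"}


class ValidationError(ValueError):
    pass


def validate_name(value):
    if not isinstance(value, str):
        raise ValidationError("name must be a string")
    if not NAME_RE.fullmatch(value):
        raise ValidationError("name must be 1-32 chars of [A-Za-z0-9_]")
    return value


def validate_sort(column):
    # Identifiers come only from the allowlist; the user's string is never used directly.
    if column not in ALLOWED_SORT:
        raise ValidationError("unsupported sort column")
    return column


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "2024-01-01"), ("bob", "2024-02-01"), ("carol", "2024-03-01")],
    )
    return conn


def search(conn, query, sort="name"):
    """Return matching user names. The value is bound with '?', the column
    name comes from ALLOWED_SORT, so nothing user-controlled is interpolated."""
    name = validate_name(query)
    column = validate_sort(sort)
    rows = conn.execute(
        f"SELECT name FROM users WHERE name = ? ORDER BY {column}", [name]
    ).fetchall()
    return [r[0] for r in rows]


def bound_lookup(conn, raw):
    """Binding alone: even an unvalidated string is compared literally as a name."""
    return conn.execute("SELECT name FROM users WHERE name = ?", [raw]).fetchall()


def search_outcome(query):
    """Run search() on a fresh database and report rows or the validation error."""
    conn = make_db()
    try:
        return ("ok", search(conn, query))
    except ValidationError as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    print(search_outcome("alice"))
    print(search_outcome("' OR 1=1 --"))
```

The validation layer rejects anything outside the expected shape with a clear reason, and the binding layer means that even a value which slips past validation is only ever compared as data.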
Output Encoding
```javascript
// WRONG - Direct HTML insertion
element.innerHTML = userInput;
// CORRECT - Text content (auto-escapes)
element.textContent = userInput;
// CORRECT - Template with escaping
render(`<div>${escapeHtml(userInput)}</div>`);
```
Encoding by Context
| Context | Encoding |
|---|---|
| HTML body | HTML entity encode |
| HTML attribute | Attribute encode + quote |
| JavaScript | JS encode |
| URL parameter | URL encode |
| CSS | CSS encode |
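One encoder per row of the table, as an added Python example that is not part of the page (the page's own `escapeHtml` is a JavaScript helper it does not define). Only the standard library is used; the `render_profile` function and its inputs are constructed to show each encoder applied in its own context.

```python
# Added example (not from the original page): one encoder per output context,
# matching the "Encoding by Context" table. Standard library only.
import html
import json
import urllib.parse


def encode_html_body(value: str) -> str:
    # HTML body: entity-encode &, < and > for a text node.
    return html.escape(value, quote=False)


def encode_html_attr(value: str) -> str:
    # HTML attribute: encode quotes as well, and always wrap in double quotes.
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    # JS string literal: JSON escaping, then \uXXXX for characters the HTML
    # parser could otherwise read as closing the <script> element.
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    # URL parameter: percent-encode everything outside the unreserved set.
    return urllib.parse.quote(value, safe="")


def encode_css(value: str) -> str:
    # CSS string context: hex-escape every non-alphanumeric character.
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\%x " % ord(ch))
    return "".join(out)


def render_profile(name: str, site: str) -> str:
    """Build one fragment, picking the encoder by where each value lands."""
    return (
        "<p>" + encode_html_body(name) + "</p>"
        '<a href="/go?u=' + encode_url_param(site) + '" title=' + encode_html_attr(site) + ">site</a>"
        "<script>var n = " + encode_js_string(name) + ";</script>"
    )
```

The point of the table is that the encoder is chosen by the destination, not by the source: the same `name` value is encoded three different ways in `render_profile` because it lands in three different parsers.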
Authentication
```python
# Password hashing (use bcrypt, argon2, or scrypt)
import bcrypt

def hash_password(password: str) -> bytes:
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(password: str, hashed: bytes) -> bool:
    return bcrypt.checkpw(password.encode(), hashed)
```
Auth Checklist
- Hash passwords with bcrypt/argon2 (cost factor 12+)
- Implement rate limiting on login
- Use secure session tokens (random, long)
- Set secure cookie flags (HttpOnly, Secure, SameSite)
- Implement account lockout after failed attempts
- Support MFA for sensitive operations
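The hashing snippet and the checklist items on rate limiting and lockout, worked through together. This is an added example and not the page's code: it uses scrypt from the standard library (one of the three KDFs the page names) instead of the `bcrypt` package so it runs without third-party dependencies, and the `LoginGuard` class, its in-memory failure store and the injectable `clock` argument are assumptions of the example, not a library API.

```python
# Added example (not from the cheat sheet): scrypt password hashing with a
# self-describing stored format, constant-time verification, and an in-memory
# lockout for repeated failures. LoginGuard and its store are constructed here.
import hashlib
import hmac
import os
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per hash


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Parameters travel with the hash, so the cost can be raised later per user.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, TypeError):
        return False
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the hash matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash used for unknown usernames so that every attempt costs the same time.
DUMMY_HASH = hash_password("not-a-real-password")


class LoginGuard:
    """Account lockout: after max_failures failed attempts within `window`
    seconds, reject attempts for that username until the window has passed."""

    def __init__(self, max_failures=5, window=300, clock=time.monotonic):
        self.max_failures, self.window, self.clock = max_failures, window, clock
        self.failures = {}   # username -> timestamps of recent failures

    def _recent(self, username):
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        self.failures[username] = recent
        return recent

    def is_locked(self, username):
        return len(self._recent(username)) >= self.max_failures

    def attempt(self, username, password, users):
        """Return 'locked', 'ok' or 'denied'. `users` maps username -> stored hash."""
        if self.is_locked(username):
            return "locked"
        stored = users.get(username)
        # Run the KDF even for unknown users, against DUMMY_HASH, so response
        # time does not reveal which usernames exist.
        ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
        if stored is not None and ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(self.clock())
        return "denied"
```

In a real deployment the failure store would live in a shared cache so that lockout state survives restarts and applies across application instances; the per-process dict here only shows the logic.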
Authorization
```python
# WRONG - Check only authentication
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    post.delete()

# CORRECT - Check authorization
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    if post.author_id != current_user.id and not current_user.is_admin:
        raise Forbidden("Not authorized to delete this post")
    post.delete()
```
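The owner-or-admin rule above, pulled out of the handler into a single policy function and applied by a decorator so that no handler can forget it. This is an added example, not the page's or any framework's code: `User`, `Post`, the `POSTS` store, `can_modify` and `requires_post_permission` are constructed for illustration, and the caller's identity is passed in explicitly rather than read from a request-scoped `current_user`.

```python
# Added example (not from the page): authorization as a policy function plus a
# decorator, deny-by-default for missing objects. Classes and store are constructed.
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    pass


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Post:
    id: int
    author_id: int


POSTS = {1: Post(1, author_id=10), 2: Post(2, author_id=20)}


def can_modify(user, post):
    """Single source of truth for the rule: owner or admin, nothing else."""
    return user.is_admin or post.author_id == user.id


def requires_post_permission(policy):
    """Load the post, apply the policy, and only then call the handler,
    which receives the already-authorized object."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, post_id, *args, **kwargs):
            post = POSTS.get(post_id)
            # A missing post gets the same answer as a denied one, so the
            # response does not reveal which ids exist.
            if post is None or not policy(user, post):
                raise Forbidden("not authorized")
            return fn(user, post, *args, **kwargs)
        return wrapper
    return decorator


@requires_post_permission(can_modify)
def delete_post(user, post):
    del POSTS[post.id]
    return post.id


def try_delete(user, post_id):
    """Return 'deleted' or 'forbidden', the way a request handler would map it to 200/403."""
    try:
        delete_post(user, post_id)
        return "deleted"
    except Forbidden:
        return "forbidden"
```

Keeping the rule in `can_modify` means a change of policy (say, adding moderators) is made in one place and every decorated handler picks it up.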
Secrets Management
```python
import os

# WRONG - Hardcoded secrets
API_KEY = "sk-1234567890abcdef"

# CORRECT - Environment variables
API_KEY = os.environ["API_KEY"]

# BETTER - Secrets manager (secrets_client is your secrets manager SDK client)
API_KEY = secrets_client.get_secret("api-key")
```
Secret Handling Rules
DO:
- Use environment variables or secrets manager
- Rotate secrets regularly
- Use different secrets per environment
- Audit secret access
DON'T:
- Commit secrets to git
- Log secrets
- Include secrets in error messages
- Share secrets in plain text
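The "don't log secrets" and "don't include secrets in error messages" rules enforced in code. This is an added example, not part of the page: `get_secret` reads from an environment mapping and names only the missing variable in its error, and `RedactSecrets` is a constructed `logging.Filter` that masks any loaded secret value before a record is emitted. The `_LOADED` registry and the sample variable names are assumptions of the example.

```python
# Added example (not from the page): load a secret without echoing it on
# failure, and redact loaded secret values from log records and messages.
import logging
import os


class MissingSecret(RuntimeError):
    pass


_LOADED = {}   # name -> value, so the redactor knows which strings to mask


def get_secret(name: str, environ=os.environ) -> str:
    value = environ.get(name)
    if not value:
        # Name the variable; never include its (absent or partial) value.
        raise MissingSecret(f"required secret {name} is not set")
    _LOADED[name] = value
    return value


def redact(text: str) -> str:
    """Replace every loaded secret value in text with ***."""
    for value in _LOADED.values():
        text = text.replace(value, "***")
    return text


class RedactSecrets(logging.Filter):
    """Logging filter: masks loaded secret values in the formatted message."""

    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), ()
        return True


def install_redaction(logger: logging.Logger) -> None:
    # Attach to the logger so every handler below it sees masked records.
    logger.addFilter(RedactSecrets())
```

The filter runs after `%`-formatting, so a secret passed as a format argument is masked as well as one pasted into the message string.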
Security Headers
```http
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()
```
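The header set above as data, with a checker that reports missing or weakened headers and a helper that fills in whatever the application did not set. This is an added example, not code from the page; the weakening checks (HSTS shorter than a year, `'unsafe-inline'`/`'unsafe-eval'` in CSP, a frame option other than `DENY`/`SAMEORIGIN`) and the sample responses are this example's own assumptions.

```python
# Added example (not from the page): the recommended headers as a dict, a
# checker for responses, and a middleware-style filler. Samples are constructed.
SECURE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}

ONE_YEAR = 31536000


def _hsts_max_age(value: str) -> int:
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def check_headers(headers: dict) -> list:
    """Return findings for a response's headers (names compared case-insensitively)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in SECURE_HEADERS.items():
        value = present.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
            continue
        if name == "Strict-Transport-Security":
            if _hsts_max_age(value) < ONE_YEAR:
                findings.append("HSTS max-age below one year")
        elif name == "Content-Security-Policy":
            if "'unsafe-inline'" in value or "'unsafe-eval'" in value:
                findings.append("CSP allows unsafe-inline/unsafe-eval")
        elif name == "X-Frame-Options":
            if value.upper() not in ("DENY", "SAMEORIGIN"):
                findings.append("X-Frame-Options must be DENY or SAMEORIGIN")
        elif value != expected:
            findings.append(f"{name} is {value!r}, expected {expected!r}")
    return findings


def apply_secure_headers(headers: dict) -> dict:
    """Add each missing header; headers the app already set are left alone."""
    out = dict(headers)
    lower = {k.lower() for k in out}
    for name, value in SECURE_HEADERS.items():
        if name.lower() not in lower:
            out[name] = value
    return out
```

`apply_secure_headers` is the shape of a response middleware; `check_headers` is the shape of a test you can run against a staging deployment's responses.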
Quick Security Audit
```bash
# Find hardcoded secrets
rg -i "(password|secret|api_key|token)\s*=\s*[\"'][^\"']+[\"']" --type py

# Find SQL injection risks (f-string or .format() passed to execute)
rg "execute\(\s*f[\"']|\.format\(" --type py

# Find eval/exec usage
rg "\b(eval|exec)\s*\(" --type py

# Check for TODO security items
rg -i "TODO.*security|FIXME.*security"
```
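The same four patterns as a small Python scanner, so the hits from a code base can be collected and counted in one place rather than read off four separate `rg` runs. This is an added example and not the page's `security-scan.sh`; the `SAMPLE_SOURCE` lines are constructed, and the key string in them is a labelled placeholder.

```python
# Added example (not from the page): the four audit patterns above applied to
# source text, with one hit per (line, category). Sample source is constructed,
# and "sk-EXAMPLE-placeholder" is a placeholder, not a real key.
import re

PATTERNS = {
    "hardcoded secret": re.compile(r"(?i)\b(password|secret|api_key|token)\s*=\s*[\"'][^\"']+[\"']"),
    "sql built from input": re.compile(r"execute\(\s*f[\"']|\.format\("),
    "eval/exec": re.compile(r"\b(eval|exec)\s*\("),
    "security todo": re.compile(r"(?i)(TODO|FIXME).*security"),
}

SAMPLE_SOURCE = """\
import os
API_KEY = "sk-EXAMPLE-placeholder"
password = os.environ["DB_PASSWORD"]
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
cur.execute("SELECT * FROM users WHERE name = ?", [name])
result = eval(user_expr)
# TODO: add security review for the upload handler
"""


def scan(source: str, filename="<constructed>"):
    """Return (filename, line_no, category, stripped line) for every hit."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((filename, no, category, line.strip()))
    return hits


def summarize(hits):
    """Count hits per category, the number a CI job would gate on."""
    counts = {}
    for _, _, category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for filename, no, category, line in scan(SAMPLE_SOURCE):
        print(f"{filename}:{no}: {category}: {line}")
```

Note what the sample does not flag: the line reading the password from `os.environ` and the parameterized `execute` call both pass, which is the distinction the patterns are meant to draw. Grep patterns like these are a first pass, not a proof of absence.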
Additional Resources
- ./references/owasp-detailed.md - Full OWASP Top 10 details
- ./references/auth-patterns.md - JWT, OAuth, session management
- ./references/crypto-patterns.md - Encryption, hashing, signatures
- ./references/secure-headers.md - HTTP security headers guide
Scripts
- ./scripts/security-scan.sh - Quick security grep patterns
- ./scripts/dependency-audit.sh - Check for vulnerable dependencies