Security Hardening & Secure Coding

Comprehensive security hardening and secure coding practices to prevent common vulnerabilities.

OWASP Top 10 (2021)

1. Broken Access Control

  • Implement proper authorization
  • Use role-based access control (RBAC)
  • Verify permissions on every request

2. Cryptographic Failures

  • Use strong encryption (AES-256)
  • Protect sensitive data in transit (TLS)
  • Never hardcode secrets

3. Injection

  • Use parameterized queries for SQL
  • Validate and sanitize all inputs
  • Use ORM frameworks

4. Insecure Design

  • Threat modeling during design
  • Secure by default principles
  • Regular security reviews

5. Security Misconfiguration

  • Keep dependencies updated
  • Remove default credentials
  • Disable unnecessary features

6. Vulnerable Components

  • Regular dependency audits
  • Use vulnerability scanning tools
  • Keep frameworks and libraries updated

7. Authentication & Session Failures

  • Strong password policies
  • Multi-factor authentication
  • Secure session management

8. Software & Data Integrity Failures

  • Verify package integrity
  • Use signed commits
  • Implement secure CI/CD

9. Logging & Monitoring Failures

  • Log security events
  • Monitor for suspicious activity
  • Regular security audits

10. SSRF

  • Validate URLs and redirects
  • Restrict outbound requests
  • Network-level controls

Secure Coding Practices

Input Validation

```javascript
// Bad: an untrusted query-string value is interpolated straight into SQL,
// so the caller controls the query text (SQL injection)
const id = req.query.id;
const user = db.query(`SELECT * FROM users WHERE id = ${id}`);

// Good: coerce to the expected type, reject anything out of range, then bind
// the value as a query parameter so the driver keeps it out of the SQL text
const id = parseInt(req.query.id, 10);
if (!Number.isInteger(id) || id < 1) {
  throw new Error('Invalid ID');
}
const user = db.query('SELECT * FROM users WHERE id = ?', [id]);
```

Output Encoding

```javascript
// Bad: user-controlled text is placed into HTML unescaped, so markup or
// script in userName is rendered by the browser (XSS)
const html = `<div>${userName}</div>`;

// Good (escapes HTML): encode the characters that are significant in HTML
// text and attribute contexts; & must be replaced first so that entities
// produced by the later replacements are not double-encoded
const escapeHtml = (str) => String(str)
  .replace(/&/g, '&amp;')
  .replace(/</g, '&lt;')
  .replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;')
  .replace(/'/g, '&#39;');
const html = `<div>${escapeHtml(userName)}</div>`;
```

Secure Headers

```http
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
```

Security Checklist

  • All inputs validated and sanitized
  • Parameterized queries used (no SQL injection)
  • Sensitive data encrypted (TLS, at-rest)
  • Strong authentication (MFA, strong passwords)
  • CORS properly configured
  • CSRF tokens used
  • Security headers set
  • Dependencies audited regularly
  • Error messages don't leak info
  • Logging captures security events
  • Secrets not in code/logs
  • Regular security testing

Tools & Utilities

  • npm audit / pip check - Dependency scanning
  • OWASP ZAP / Burp Suite - Penetration testing
  • Snyk - Vulnerability scanning
  • SonarQube - Code quality and security
  • TruffleHog - Secret scanning

References

  • OWASP Top 10
  • OWASP Cheat Sheets
  • CWE/SANS Top 25
  • NIST Cybersecurity Framework
  • Google Styleguide Code Review Security