Web Security
We treat web security as a core requirement, not an afterthought.
Assume hostile input and untrusted environments by default.
Core Principles
- NEVER trust user input
- ALWAYS validate and sanitize data at boundaries
- Prefer secure defaults over configurability
XSS & Injection
- AVOID dangerouslySetInnerHTML and raw HTML injection (innerHTML, document.write)
- Escape and encode dynamic content for the context it lands in
- Never interpolate untrusted data into HTML, CSS, or JS contexts
- Use parameterized queries or prepared statements for SQL; never build a query by string concatenation
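Context-aware encoding, as an added example (not code from the original page): the same untrusted value needs a different encoder depending on whether it lands in HTML text, an HTML attribute, or a string inside an inline script, and escaping for one context does not make it safe in another. The comment and state payloads are constructed; the `renderComment*` helpers are hypothetical names for the example.

```javascript
// Added example, not code from the original page: context-aware output encoding.
// The encoder is chosen by where the value lands: HTML text / attribute, or a
// JS string inside a <script> block. Sample payloads below are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Data embedded in an inline script. JSON.stringify alone is not enough: the
// HTML parser sees "</script>" inside a JSON string and closes the element
// early. '<' and '>' are emitted as JS unicode escapes, which both JSON.parse
// and the JS engine decode back to the original characters.
function escapeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable rendering: raw interpolation, which is what dangerouslySetInnerHTML
// or element.innerHTML with untrusted data amounts to.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Hardened rendering: every untrusted value passes through the HTML encoder.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">${escapeHtml(comment.body)}</div>`;
}

// Hardened bootstrap of server state into the page: the JS-context encoder,
// not the HTML one, because the value sits inside a script, not in markup.
function renderStateScript(state) {
  return `<script>window.__STATE__ = ${escapeForScript(state)};</script>`;
}

// Constructed stored-XSS style payloads: attribute breakout and script breakout.
const sampleComment = {
  author: 'x" onmouseover="alert(1)',
  body: '<img src=x onerror=alert(document.cookie)>',
};
const sampleState = { name: '</script><script>alert(1)</script>' };

console.log(renderCommentUnsafe(sampleComment));
console.log(renderCommentSafe(sampleComment));
console.log(renderStateScript(sampleState));
```

Note that `escapeHtml` is only correct for text nodes and quoted attribute values; a value placed in a URL, a CSS property, or an unquoted attribute needs its own encoder, which is why the rule above says never to interpolate into those contexts at all.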
Authentication & Authorization
- Do not store secrets or tokens in insecure locations
- AVOID localStorage for sensitive credentials when possible
- Use HttpOnly, Secure, SameSite cookies for session tokens where applicable
- Always enforce authorization on the server
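Server-side authorization, as an added example (not code from the original page): identity is derived from an HttpOnly session cookie that the server resolves itself, and the ownership check happens on the server against the stored record, so a client-supplied identifier cannot change the decision. The session table, document store, request shape and handler names are constructed for the example.

```javascript
// Added example, not code from the original page. In-memory server-side state
// (constructed): a session table keyed by opaque token, and a document store.
const sessions = new Map([
  ['s3ss10n-alice', { userId: 'u1' }],
  ['s3ss10n-bob', { userId: 'u2' }],
]);
const documents = new Map([
  ['doc-100', { ownerId: 'u1', title: 'Alice private notes' }],
  ['doc-200', { ownerId: 'u2', title: 'Bob invoices' }],
]);

// Set-Cookie value for the session token: unreadable by page scripts (HttpOnly),
// sent only over TLS (Secure), withheld on cross-site requests (SameSite=Lax).
function sessionCookie(token, maxAgeSeconds) {
  return `session=${encodeURIComponent(token)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Vulnerable handler: the access decision depends on request.query.userId,
// which the client chooses, so any user can read any document (IDOR).
function getDocumentUnsafe(request) {
  const doc = documents.get(request.params.id);
  if (!doc) return { status: 404 };
  if (doc.ownerId !== request.query.userId) return { status: 403 };
  return { status: 200, body: doc };
}

// Hardened handler: identity comes only from the server-side session lookup,
// the decision is deny-by-default, and client-supplied user identifiers are ignored.
function getDocumentSafe(request) {
  const { session } = parseCookies(request.headers.cookie);
  const who = session && sessions.get(session);
  if (!who) return { status: 401 };
  const doc = documents.get(request.params.id);
  if (!doc) return { status: 404 };
  if (doc.ownerId !== who.userId) return { status: 403 };
  return { status: 200, body: doc };
}

// Constructed request: Bob's session asks for Alice's document while claiming
// to be Alice through a query parameter.
const bobsRequest = {
  headers: { cookie: 'session=s3ss10n-bob; theme=dark' },
  params: { id: 'doc-100' },
  query: { userId: 'u1' },
};

console.log('unsafe:', getDocumentUnsafe(bobsRequest).status);
console.log('safe:  ', getDocumentSafe(bobsRequest).status);
console.log(sessionCookie('s3ss10n-alice', 3600));
```

The same shape applies to any resource lookup: fetch the record, then compare its owner or ACL against the identity the server established, never against a field the client sent.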
Browser Security APIs
- Respect CORS, CSP, and browser security boundaries
- Use Content Security Policy to restrict script and resource execution
- Avoid inline scripts and styles when CSP is enabled; allow any you must keep with a per-response nonce or a hash rather than 'unsafe-inline'
Data Handling
- Minimize data exposure
- Do not log sensitive information
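Log redaction, as an added example (not code from the original page): a structured log event is scrubbed before it is written, by key name for fields that carry credentials and by pattern for bearer tokens and JWT-shaped strings that end up inside free-text messages. The key list, the patterns and the sample event are constructed for the example; a real deployment would extend the list to its own schema.

```javascript
// Added example, not code from the original page: scrub secrets from a log
// event before it reaches the sink. Key names and patterns are assumptions.

const SENSITIVE_KEYS = new Set([
  'password', 'passwd', 'secret', 'token', 'access_token', 'refresh_token',
  'authorization', 'cookie', 'set-cookie', 'api_key', 'apikey', 'ssn', 'card_number',
]);

// Bearer credentials and JWT-shaped strings (three base64url segments) in free text.
const BEARER = /\b(Bearer)\s+[A-Za-z0-9\-._~+/]+=*/gi;
const JWT = /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g;

function redactString(s) {
  return s.replace(BEARER, '$1 [REDACTED]').replace(JWT, '[REDACTED-JWT]');
}

// Deep copy with sensitive keys replaced and strings pattern-scrubbed. The
// input is never mutated, so the application keeps its working data.
function redact(value, depth = 0) {
  if (depth > 20) return '[TRUNCATED]'; // guard against cyclic or absurdly deep objects
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const copy = {};
    for (const [k, v] of Object.entries(value)) {
      copy[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return copy;
  }
  return value;
}

// Log writer that refuses to emit an unredacted event.
function logEvent(event) {
  const line = JSON.stringify(redact(event));
  console.log(line);
  return line;
}

// Constructed log event of the kind a request logger produces.
const sampleEvent = {
  level: 'info',
  message: 'upstream call with Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2lnbmF0dXJlX2J5dGVz returned eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MiJ9.YW5vdGhlcl9zaWduYXR1cmU',
  request: {
    method: 'POST',
    path: '/login',
    headers: { Authorization: 'Basic dXNlcjpwYXNz', 'content-type': 'application/json' },
    body: { email: 'alice@example.com', password: 'hunter2' },
  },
};

logEvent(sampleEvent);
```

Redaction is a backstop for the "do not log sensitive information" rule, not a substitute for it: the better fix is to never put the credential into the event in the first place, and to log request bodies only for endpoints where they are known to be harmless.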
Dependencies & Supply Chain
- Avoid unnecessary packages
- Treat third-party code as untrusted input
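A lockfile check, as an added example (not code from the original page): treating third-party code as untrusted input starts with knowing where each dependency actually comes from, so this walks a package-lock.json in the lockfileVersion 3 layout and flags entries resolved outside the expected registry, entries without an integrity hash, and entries that run install-time scripts. The lockfile, package names and integrity values are constructed; the registry URL is an assumption that a private mirror would replace.

```javascript
// Added example, not code from the original page: audit a package-lock.json
// (lockfileVersion 3) for dependencies that deserve a closer look.

const ALLOWED_REGISTRY = 'https://registry.npmjs.org/'; // assumption; set to your mirror

function auditLockfile(lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = path.replace(/^.*node_modules\//, ''); // handles nested node_modules
    if (!pkg.resolved) {
      findings.push({ name, issue: 'no resolved URL (workspace link or unlocked source)' });
    } else if (!pkg.resolved.startsWith(allowedRegistry)) {
      findings.push({ name, issue: `resolved outside ${allowedRegistry}: ${pkg.resolved}` });
    }
    if (!pkg.integrity) findings.push({ name, issue: 'no integrity hash' });
    if (pkg.hasInstallScript) findings.push({ name, issue: 'runs install-time scripts' });
  }
  return findings;
}

// Constructed lockfile: one clean registry package, one git dependency with no
// integrity, and one registry package with a postinstall hook.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'left-pad-ish': '^1.0.0', 'sketchy-util': 'github:someone/sketchy-util', 'native-thing': '^2.0.0' } },
    'node_modules/left-pad-ish': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz',
      integrity: 'sha512-CONSTRUCTEDVALUE0000000000000000000000000000000000000000000000000000000000000000000==',
    },
    'node_modules/sketchy-util': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/someone/sketchy-util.git#abc1234',
    },
    'node_modules/native-thing': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/native-thing/-/native-thing-2.0.0.tgz',
      integrity: 'sha512-CONSTRUCTEDVALUE1111111111111111111111111111111111111111111111111111111111111111111==',
      hasInstallScript: true,
    },
  },
};

const report = auditLockfile(sampleLock);
for (const f of report) console.log(`${f.name}: ${f.issue}`);
```

Run the check in CI against the committed lockfile, install with `npm ci --ignore-scripts` so a newly added install hook has to be enabled deliberately, and treat any package that appears in the report as code to be read before it is trusted.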
General Principles
- Simplicity reduces attack surface
- If unsure, choose the more restrictive option