Loading...

Back to Details

security-best-practices

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Best Practices

安全最佳实践

Apply these security principles when developing backend services, microservices, and any code handling sensitive data or external inputs.

在开发后端服务、微服务以及任何处理敏感数据或外部输入的代码时，请遵循以下安全原则。

Input Validation and Sanitization

输入验证与清理

Apply input validation and sanitization rigorously, especially on inputs from external sources
Validate all user inputs at the boundary of your application
Use allowlists over denylists when validating input
Sanitize data before storing or displaying to prevent injection attacks
Implement strict type checking and schema validation

严格执行输入验证与清理，尤其是来自外部来源的输入
在应用程序边界处验证所有用户输入
验证输入时优先使用允许列表而非拒绝列表
在存储或显示数据前进行清理，以防止注入攻击
实施严格的类型检查和模式验证

Authentication and Authorization

身份认证与授权

Use secure defaults for JWT, cookies, and configuration settings
Implement proper token expiration and refresh mechanisms
Store secrets securely using environment variables or secret management services
Never hardcode credentials or API keys in source code
Use secure password hashing algorithms (bcrypt, Argon2)

为JWT、Cookie和配置设置使用安全默认值
实现完善的令牌过期与刷新机制
使用环境变量或密钥管理服务安全存储密钥
切勿在源代码中硬编码凭证或API密钥
使用安全的密码哈希算法（bcrypt、Argon2）

Permission Boundaries

权限边界

Isolate sensitive operations with clear permission boundaries
Apply the principle of least privilege throughout the system
Implement role-based access control (RBAC) where appropriate
Audit and log access to sensitive resources
Use separate service accounts for different components

用清晰的权限边界隔离敏感操作
在整个系统中应用最小权限原则
酌情实现基于角色的访问控制（RBAC）
审计并记录对敏感资源的访问
为不同组件使用独立的服务账户

Resilience and Protection

弹性与防护

Implement retries, exponential backoff, and timeouts on all external calls
Deploy circuit breakers and rate limiting for service protection
Consider distributed rate-limiting to prevent abuse across services (e.g., using Redis)
Implement request throttling to prevent denial of service
Use connection pooling with appropriate limits

对所有外部调用实现重试、指数退避和超时机制
部署断路器和速率限制以保护服务
考虑使用分布式速率限制（如借助Redis）防止跨服务滥用
实施请求限流以防止拒绝服务攻击
使用带有适当限制的连接池

Secure Configuration

安全配置

Use HTTPS/TLS for all network communications
Configure secure HTTP headers (HSTS, CSP, X-Frame-Options)
Disable verbose error messages in production
Keep dependencies updated and scan for vulnerabilities
Use secure defaults and fail securely

所有网络通信使用HTTPS/TLS
配置安全HTTP头（HSTS、CSP、X-Frame-Options）
在生产环境中禁用详细错误信息
保持依赖项更新并扫描漏洞
使用安全默认值并确保故障安全

Error Handling

错误处理

Implement comprehensive error handling throughout the application
Never expose stack traces or internal details to end users
Log security-relevant events with appropriate detail
Propagate context appropriately for debugging while maintaining security
Handle authentication and authorization failures gracefully

在整个应用程序中实现全面的错误处理
切勿向终端用户暴露堆栈跟踪或内部细节
记录具有适当细节的安全相关事件
在维护安全性的同时，适当传播上下文以方便调试
优雅处理身份认证和授权失败情况

Secrets Management

密钥管理

Use environment variables or dedicated secrets managers
Rotate credentials and keys regularly
Implement proper key management practices
Avoid logging sensitive information
Use encryption at rest for sensitive data storage

使用环境变量或专用密钥管理器
定期轮换凭证和密钥
实施适当的密钥管理实践
避免记录敏感信息
对敏感数据存储使用静态加密

SQL Injection Prevention

SQL注入防护

Use parameterized queries or prepared statements
Never concatenate user input into SQL queries
Use ORM features that automatically escape values
Validate and sanitize all database inputs
Limit database user permissions

使用参数化查询或预编译语句
切勿将用户输入拼接进SQL查询
使用自动转义值的ORM功能
验证并清理所有数据库输入
限制数据库用户权限

Cross-Site Scripting (XSS) Prevention

跨站脚本（XSS）防护

Escape all output rendered in HTML
Use Content Security Policy headers
Sanitize user-generated content before display
Use framework-provided escaping functions
Avoid innerHTML and similar dangerous APIs

转义所有在HTML中渲染的输出
使用内容安全策略（CSP）头
在显示前清理用户生成的内容
使用框架提供的转义函数
避免使用innerHTML等危险API

Cross-Site Request Forgery (CSRF) Prevention

跨站请求伪造（CSRF）防护

Implement CSRF tokens for state-changing operations
Verify origin and referer headers
Use SameSite cookie attribute
Require re-authentication for sensitive actions
Implement proper session management

为状态变更操作实现CSRF令牌
验证来源和引用头
使用SameSite Cookie属性
敏感操作要求重新认证
实现完善的会话管理

API Security

API安全

Implement API authentication (JWT, API keys, OAuth)
Use rate limiting to prevent abuse
Validate request content types
Implement request size limits
Log API access for auditing

实现API身份认证（JWT、API密钥、OAuth）
使用速率限制防止滥用
验证请求内容类型
实施请求大小限制
记录API访问以供审计

Dependency Security

依赖项安全

Regularly audit dependencies for vulnerabilities
Use lockfiles to ensure consistent versions
Remove unused dependencies
Monitor security advisories for your stack
Implement automated vulnerability scanning in CI/CD

定期审计依赖项的漏洞
使用锁定文件确保版本一致性
移除未使用的依赖项
监控技术栈的安全公告
在CI/CD中实现自动化漏洞扫描