application-security
Security
Security is built-in, not bolted-on. Every feature, endpoint, and data flow must consider security implications.
OWASP Top 10 (2025)
| # | Vulnerability | Prevention |
|---|---|---|
| 1 | Broken Access Control | Verify permissions server-side, default deny |
| 2 | Security Misconfiguration | Secure defaults, remove unused features |
| 3 | Software Supply Chain Failures | SBOM, dependency scanning, signed builds |
| 4 | Cryptographic Failures | Use TLS, hash passwords (argon2id), encrypt PII |
| 5 | Injection | Parameterized queries, input validation |
| 6 | Insecure Design | Threat modeling, security requirements |
| 7 | Authentication Failures | Strong passwords, MFA, secure session mgmt |
| 8 | Software or Data Integrity | Verify dependencies, sign releases |
| 9 | Logging and Alerting Failures | Log security events, set up alerts |
| 10 | Mishandling Exceptional Conditions | Fail securely, generic errors to clients |
Security Principles
安全原则
| Principle | Rule |
|---|---|
| Defense in Depth | Multiple layers: firewall, auth, authz, encryption, audit |
| Least Privilege | Minimum permissions needed, nothing more |
| Zero Trust | Never trust, always verify. Assume breach. |
| Secure by Default | HTTPS, strict passwords, secure cookies out of the box |
| Fail Securely | Access denied on error, no internal details to users |
| Validate on Server | Client validation is UX, server validation is security |
Pre-Deployment Checklist
部署前检查清单
| Area | Requirements |
|---|---|
| Passwords | Hashed with argon2id (preferred) or bcrypt (cost 12+); never a plain or salted fast hash |
| Tokens | JWT with EdDSA/ES256 (algorithm pinned server-side), 15min access / 7d refresh, HttpOnly cookies |
| Sessions | HttpOnly, Secure, SameSite=Strict cookies (SameSite=Lax only where cross-site top-level navigation must carry the session) |
| Rate Limiting | Auth endpoints: 5 attempts/15min, keyed per account and per client, return 429 |
| Authorization | All routes check auth server-side, default deny |
| Input | Validated with schema (Zod), parameterized SQL |
| Uploads | Allowlist types by content (not just extension), enforce size limits, store outside the web root |
| Secrets | No secrets in code or VCS |
| Headers | CSP (with nonces), HSTS, Permissions-Policy, X-Content-Type-Options |
| CORS | Configured restrictively (explicit origin allowlist, no wildcard with credentials) |
| Encryption | PII encrypted at rest (AES-256-GCM) and in transit (TLS 1.3) |
| Logging | Audit logging for security events |
| Dependencies | SBOM generated, |
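The "Rate Limiting" row above gives a number (5 attempts per 15 minutes) but not a shape. The following is an added example, not code from the original page, showing a sliding-window limiter for a login endpoint in TypeScript using only Node built-ins. The key (client IP plus normalized username), the injectable clock, and the `AuthRateLimiter` name are assumptions made for the example; in a real deployment the store would be shared (e.g. Redis) rather than an in-process `Map`.

```typescript
// Added example (not from the original page): sliding-window login rate limiter.
// Keyed on (client IP, normalized username) so one IP cannot spray many accounts
// and one account cannot be hammered from a single IP; both keys are assumptions.

interface Clock {
  now(): number; // milliseconds; injected so the window can be tested deterministically
}

interface Decision {
  allowed: boolean;
  retryAfterMs: number; // 0 when allowed; otherwise how long until the oldest attempt expires
}

class AuthRateLimiter {
  // per-key list of attempt timestamps still inside the window (sliding log)
  private readonly attempts = new Map<string, number[]>();

  constructor(
    private readonly clock: Clock,
    private readonly maxAttempts: number = 5,
    private readonly windowMs: number = 15 * 60 * 1000,
  ) {}

  private key(ip: string, username: string): string {
    // normalize so "Alice" and " alice " share one bucket
    return `${ip}|${username.trim().toLowerCase()}`;
  }

  /** Record a login attempt and decide whether the request may proceed. */
  attempt(ip: string, username: string): Decision {
    const now = this.clock.now();
    const k = this.key(ip, username);
    // drop timestamps that have slid out of the window
    const recent = (this.attempts.get(k) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.maxAttempts) {
      // denied attempts are NOT recorded, so retryAfterMs stays accurate
      this.attempts.set(k, recent);
      const oldest = recent[0] ?? now;
      return { allowed: false, retryAfterMs: oldest + this.windowMs - now };
    }
    recent.push(now);
    this.attempts.set(k, recent);
    return { allowed: true, retryAfterMs: 0 };
  }

  /** Clear the bucket after a successful login so legitimate users are not penalised. */
  reset(ip: string, username: string): void {
    this.attempts.delete(this.key(ip, username));
  }

  /** Evict empty/expired buckets; call periodically so memory cannot grow without bound. */
  sweep(): void {
    const now = this.clock.now();
    for (const [k, ts] of this.attempts) {
      if (ts.every((t) => now - t >= this.windowMs)) this.attempts.delete(k);
    }
  }

  /** Number of keys currently tracked (useful for monitoring and for tests). */
  size(): number {
    return this.attempts.size;
  }
}
```

On denial, respond with `429 Too Many Requests` and a `Retry-After` header derived from `retryAfterMs`; do not reveal whether the username exists. A sliding log is used rather than a fixed window because a fixed window allows up to 2x the limit across a window boundary.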
Threat Modeling (STRIDE)
威胁建模(STRIDE)
| Threat | Category | Key Mitigations |
|---|---|---|
| Spoofing | Authentication | MFA, strong passwords, JWT with short expiry |
| Tampering | Integrity | Input validation, HTTPS/TLS, signed tokens |
| Repudiation | Accountability | Audit logging, digital signatures |
| Info Disclosure | Confidentiality | Encryption, least privilege, secret management |
| Denial of Service | Availability | Rate limiting, input validation, CDN/DDoS protection |
| Elevation of Privilege | Authorization | Authz checks on every request, ABAC, permission audits |
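The checklist's "Tokens" row and the Spoofing row above both call for JWTs with a pinned asymmetric algorithm and short expiry. The following is an added example, not code from the original page or any library it names, implementing ES256 issue/verify with only Node's `node:crypto`. Key generation in-process, the 15-minute TTL constant, and the function names (`issueAccessToken`, `verifyAccessToken`, `forgeAlgNoneToken`) are assumptions for the example; in production the private key stays in a KMS/HSM and only the public key is distributed to verifiers.

```typescript
// Added example (not from the original page): ES256 JWT issue/verify with the
// algorithm pinned server-side, so a token cannot select "none" or downgrade to HMAC.
import { generateKeyPairSync, randomUUID, sign, verify, KeyObject } from "node:crypto";

const ALG = "ES256"; // pinned: the verifier never trusts the token's own alg header
const ACCESS_TTL_S = 15 * 60; // 15-minute access token, per the checklist

function b64url(data: Buffer | string): string {
  const buf = typeof data === "string" ? Buffer.from(data, "utf8") : data;
  return buf.toString("base64url");
}

// Decode one base64url JSON segment; any malformed input yields null (fail closed).
function decodeSegment(seg: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
    return typeof v === "object" && v !== null && !Array.isArray(v) ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// Assumption: demo key pair generated in-process; production keys live in a KMS/HSM.
function makeDemoKeys(): { privateKey: KeyObject; publicKey: KeyObject } {
  return generateKeyPairSync("ec", { namedCurve: "P-256" });
}

function issueAccessToken(privateKey: KeyObject, sub: string, nowS: number): string {
  const header = b64url(JSON.stringify({ alg: ALG, typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub, iat: nowS, exp: nowS + ACCESS_TTL_S, jti: randomUUID() }));
  const signingInput = `${header}.${payload}`;
  // JOSE ES256 signatures are raw r||s (IEEE P1363), not ASN.1 DER
  const sig = sign("sha256", Buffer.from(signingInput, "utf8"), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${signingInput}.${b64url(sig)}`;
}

// Returns the verified claims, or null for ANY defect: wrong shape, wrong/absent alg,
// bad signature, missing/expired exp. Callers treat null as "unauthenticated".
function verifyAccessToken(publicKey: KeyObject, token: string, nowS: number): { sub: string; exp: number } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts as [string, string, string];
  const header = decodeSegment(h);
  const payload = decodeSegment(p);
  if (!header || !payload) return null;
  if (header.alg !== ALG || header.typ !== "JWT") return null; // defeats alg=none and key confusion
  let valid = false;
  try {
    valid = verify(
      "sha256",
      Buffer.from(`${h}.${p}`, "utf8"),
      { key: publicKey, dsaEncoding: "ieee-p1363" },
      Buffer.from(s, "base64url"),
    );
  } catch {
    valid = false; // malformed signature bytes are treated exactly like a bad signature
  }
  if (!valid) return null;
  const { sub, exp } = payload;
  if (typeof sub !== "string" || typeof exp !== "number" || !Number.isFinite(exp) || exp <= nowS) return null;
  return { sub, exp };
}

// What an attacker sends when a verifier honours the token's alg header: an unsigned token.
function forgeAlgNoneToken(sub: string, nowS: number): string {
  const header = b64url(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub, iat: nowS, exp: nowS + ACCESS_TTL_S }));
  return `${header}.${payload}.`;
}
```

Deliver the token in an `HttpOnly; Secure; SameSite` cookie as the checklist says, and keep the refresh token separate with rotation on use; both are outside this block. The essential property shown here is that the server, not the token, decides the algorithm, and that every failure path returns the same `null`.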
Risk Levels
风险等级
| Level | Action |
|---|---|
| Critical | Immediate action required |
| High | Address before launch |
| Medium | Address post-launch |
| Low | Monitor, may accept risk |
Compliance Overview
合规概览
| Framework | Scope | Key Requirements |
|---|---|---|
| GDPR | EU data subjects | Consent, data subject rights, breach notification (72h), DPIA |
| HIPAA | US healthcare data | PHI encryption, RBAC, audit logs, BAA with providers |
| SOC 2 | SaaS customer data | Security policies, MFA, encryption, incident response |
| PCI-DSS | Credit card data | Use payment processor (Stripe), tokenization, network segmentation |
Anti-Patterns
反模式
| Anti-Pattern | Fix |
|---|---|
| Security as afterthought | Integrate from design phase |
| Client-side authorization | Always verify permissions server-side |
| Trusting client data (e.g., userId from body) | Get user ID from authenticated session |
| Rolling your own crypto | Use proven libraries (argon2, bcrypt, libsodium) |
| Compliance = security | Compliance is the minimum; security is ongoing |
| Verbose error responses | Generic messages to clients, details server-side |
Common Mistakes
常见错误
| Mistake | Correct Pattern |
|---|---|
| Performing authorization checks only on the client side | Always verify permissions server-side; client checks are UX only |
| Trusting user-supplied IDs from request body (e.g., userId) | Derive user identity from the authenticated session or token |
| Rolling custom cryptography instead of using proven libraries | Use argon2id or bcrypt for password hashing and libsodium (or the platform's vetted crypto library) for everything else; never design your own primitives or protocols |
| Treating compliance certification as equivalent to security | Compliance is the minimum bar; security requires ongoing review |
| Returning verbose error messages with stack traces to clients | Show generic messages to clients; log details server-side only |
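Four rows above (OWASP #1 and #10, "Validate on Server"/"Fail Securely", "Client-side authorization", "Trusting client data", and "Verbose error responses") describe the same handler-level discipline. The following is an added example, not code from the original page, placing the anti-pattern beside the hardened form in TypeScript. The request/response shapes, the in-memory invoice store, the `billing-admin` role, and the `securityLog` array are assumptions standing in for an Express handler, a database, and an audit logger.

```typescript
// Added example (not from the original page): server-side authorization with
// default deny, identity taken from the session, and fail-securely error handling.

interface Session { userId: string; roles: string[] }
interface Request {
  session?: Session;                 // set by the auth middleware; absent when unauthenticated
  params: { id: string };
  body: Record<string, unknown>;     // attacker-controlled
}
interface Response { status: number; body: unknown }
interface Invoice { id: string; ownerId: string; total: number }

// Constructed sample data standing in for a database table.
const invoices = new Map<string, Invoice>([
  ["inv-1", { id: "inv-1", ownerId: "user-1", total: 120 }],
  ["inv-2", { id: "inv-2", ownerId: "user-2", total: 75 }],
]);
const securityLog: string[] = []; // stands in for the audit logger

// ANTI-PATTERN: identity comes from the request body, so any caller can claim any owner,
// and an unexpected error propagates a stack trace to the client.
function getInvoiceInsecure(req: Request): Response {
  const invoice = invoices.get(req.params.id);
  if (!invoice) return { status: 404, body: { error: "not found" } };
  if (invoice.ownerId === req.body.userId) return { status: 200, body: invoice };
  return { status: 403, body: { error: `invoice ${invoice.id} belongs to ${invoice.ownerId}` } };
}

// HARDENED: identity from the authenticated session, default deny, identical response for
// "missing" and "not yours" (no object-existence oracle), generic message on internal error.
function getInvoiceSecure(
  req: Request,
  lookup: (id: string) => Invoice | undefined = (id) => invoices.get(id),
): Response {
  try {
    const session = req.session;
    if (!session) return { status: 401, body: { error: "authentication required" } };

    const invoice = lookup(req.params.id);
    const allowed =
      invoice !== undefined &&
      (invoice.ownerId === session.userId || session.roles.includes("billing-admin"));

    if (!allowed) {
      // audit the denial server-side; the client learns nothing about why
      securityLog.push(`authz-denied user=${session.userId} invoice=${req.params.id}`);
      return { status: 404, body: { error: "not found" } };
    }
    return { status: 200, body: invoice };
  } catch (err) {
    // fail securely: details stay in the log, the client gets a generic error
    securityLog.push(`error in getInvoice: ${err instanceof Error ? err.stack ?? err.message : String(err)}`);
    return { status: 500, body: { error: "internal error" } };
  }
}
```

The `lookup` parameter exists only so a failing data store can be simulated; in the real handler it is the repository call. Note that the hardened version never reads `req.body` for identity at all, which is the whole fix for the "userId from body" row.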
Delegation
任务分工
- Scan codebase for OWASP Top 10 vulnerabilities and insecure patterns: Use Explore agent to search for SQL injection, XSS, and hardcoded secrets
- Implement authentication, authorization, and security headers end-to-end: Use Task agent to configure JWT, RBAC, CSP, HSTS, and rate limiting
- Design a threat model and security architecture for new features: Use Plan agent to apply STRIDE methodology and map trust boundaries
For database-layer security (RLS policies, Postgres/Supabase hardening, audit trails), use the database-security skill. For AI/LLM security (prompt injection defense, agentic zero-trust, MCP tool hardening), use the secure-ai skill.
References
参考资料
- Threat Modeling — STRIDE methodology, risk assessment process, trust boundaries
- Authentication and Authorization — JWT, session-based, OAuth, RBAC, ABAC, IDOR protection
- API Security — OWASP API Security Top 10, object-level authorization, rate limiting, SSRF prevention, security testing
- Input Validation — SQL injection, XSS, command injection, path traversal, Zod validation, file upload security
- Data Protection — Password hashing (argon2id/bcrypt), AES-256-GCM encryption, secrets management
- Secure Configuration — Security headers, CORS, Express hardening, rate limiting
- Supply Chain Security — SBOM generation, dependency scanning, CI/CD hardening, artifact signing
- Monitoring and Compliance — Audit logging, error handling, GDPR/HIPAA/SOC2/PCI-DSS, troubleshooting