api-security-hardening
# API Security Hardening
Protect REST APIs against common vulnerabilities with multiple security layers.
## Security Middleware Stack (Express)
```javascript
const express = require('express');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

const app = express();
app.use(express.json()); // parse JSON bodies so the sanitizers below have something to clean

app.use(helmet());        // baseline security headers
app.use(mongoSanitize()); // strips $ and . from keys to block NoSQL operator injection
app.use(xss());           // sanitizes user input in body, query and params

// General API limit: 100 requests per 15 minutes per client
app.use('/api/', rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100
}));
// Stricter limit on authentication endpoints to slow brute forcing.
// Both limiters match /api/auth/*, so such a request counts against each.
app.use('/api/auth/', rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5
}));
```
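To make the rate-limiting behaviour concrete, here is an added example (not code from the original page or from express-rate-limit) of a dependency-free fixed-window limiter implementing the same two policies: 100 requests per 15 minutes under `/api/` and 5 under `/api/auth/`. Unlike the stacked middlewares above, it picks the most specific policy per request. The clock is injected so the window expiry can be exercised deterministically; the `req.ip` and `req.path` fields used by the middleware wrapper are assumed to be what Express provides.

```javascript
// Added example: in-memory fixed-window rate limiter (not from the page).
const WINDOW_MS = 15 * 60 * 1000;

// Policies are applied longest-prefix-first, so /api/auth/login gets the
// stricter limit rather than the general /api/ one.
const POLICIES = [
  { prefix: '/api/auth/', windowMs: WINDOW_MS, max: 5 },
  { prefix: '/api/', windowMs: WINDOW_MS, max: 100 },
];

function createRateLimiter(policies = POLICIES, now = () => Date.now()) {
  const ordered = [...policies].sort((a, b) => b.prefix.length - a.prefix.length);
  const buckets = new Map(); // "prefix|clientIp" -> { count, windowStart }

  // Returns { allowed, remaining, retryAfterMs } for one request.
  function check(clientIp, path) {
    const policy = ordered.find((p) => path.startsWith(p.prefix));
    if (!policy) return { allowed: true, remaining: Infinity, retryAfterMs: 0 };

    const key = `${policy.prefix}|${clientIp}`;
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= policy.windowMs) {
      bucket = { count: 0, windowStart: t }; // new or expired window
      buckets.set(key, bucket);
    }
    if (bucket.count >= policy.max) {
      return {
        allowed: false,
        remaining: 0,
        retryAfterMs: policy.windowMs - (t - bucket.windowStart),
      };
    }
    bucket.count += 1;
    return { allowed: true, remaining: policy.max - bucket.count, retryAfterMs: 0 };
  }

  return { check };
}

// Express-style wrapper (assumes req.ip / req.path as set by Express).
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const result = limiter.check(req.ip, req.path);
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many requests' });
    }
    next();
  };
}

// Constructed demo: six login attempts from one address, then the window expires.
function simulate() {
  let t = 0;
  const limiter = createRateLimiter(POLICIES, () => t);
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(limiter.check('203.0.113.7', '/api/auth/login').allowed);
  }
  t += WINDOW_MS; // window has elapsed, counter resets
  results.push(limiter.check('203.0.113.7', '/api/auth/login').allowed);
  return results; // [true, true, true, true, true, false, true]
}
```

A real deployment behind a proxy must derive the client key from a trusted `X-Forwarded-For` (Express `trust proxy`), otherwise every request shares the proxy's address and a single client can exhaust the bucket for everyone.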
## Input Validation
```javascript
const express = require('express');
const { body, validationResult } = require('express-validator');

const app = express();
app.use(express.json());

app.post('/users',
  body('email').isEmail().normalizeEmail(),
  // At least 8 characters, one uppercase letter and one digit
  body('password').isLength({ min: 8 }).matches(/[A-Z]/).matches(/[0-9]/),
  body('name').trim().escape().isLength({ max: 100 }),
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    // Process request
    res.status(201).json({ created: true });
  }
);
```
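The same rules written as a plain function, added here as an example that is not part of the original page and does not use express-validator: it enforces the e-mail, password and name policy above, and additionally rejects values that are not strings, which a JSON body can carry (arrays, objects, numbers). The HTML-escaping helper, the e-mail regex and the `validateNewUser`/`createUserHandler` names are this example's own; the handler assumes `req.body` was parsed by `express.json()`.

```javascript
// Added example: dependency-free validator for the /users payload (not from the page).
const MAX_NAME_LENGTH = 100;
const MIN_PASSWORD_LENGTH = 8;

// Conservative shape check; ownership is only proven by a confirmation mail.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Escape characters that are significant in HTML (similar in spirit to .escape()).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return s.replace(/[&<>"'/]/g, (c) => map[c]);
}

// Returns { ok: true, value } with a normalised payload, or { ok: false, errors }.
function validateNewUser(body) {
  const errors = [];
  const out = {};
  const b = body && typeof body === 'object' && !Array.isArray(body) ? body : {};

  if (typeof b.email !== 'string' || !EMAIL_RE.test(b.email)) {
    errors.push({ field: 'email', msg: 'Invalid e-mail address' });
  } else {
    out.email = b.email.trim().toLowerCase(); // simple normalisation
  }

  if (typeof b.password !== 'string') {
    errors.push({ field: 'password', msg: 'Password must be a string' });
  } else {
    if (b.password.length < MIN_PASSWORD_LENGTH) {
      errors.push({ field: 'password', msg: `At least ${MIN_PASSWORD_LENGTH} characters` });
    }
    if (!/[A-Z]/.test(b.password)) errors.push({ field: 'password', msg: 'Needs an uppercase letter' });
    if (!/[0-9]/.test(b.password)) errors.push({ field: 'password', msg: 'Needs a digit' });
    if (errors.every((e) => e.field !== 'password')) out.password = b.password; // never escaped
  }

  if (typeof b.name !== 'string') {
    errors.push({ field: 'name', msg: 'Name must be a string' });
  } else {
    const name = b.name.trim();
    if (name.length > MAX_NAME_LENGTH) {
      errors.push({ field: 'name', msg: `At most ${MAX_NAME_LENGTH} characters` });
    } else {
      out.name = escapeHtml(name); // length checked before escaping expands it
    }
  }

  return errors.length ? { ok: false, errors } : { ok: true, value: out };
}

// Express handler built on the validator (hypothetical name, assumes express.json()).
function createUserHandler(req, res) {
  const result = validateNewUser(req.body);
  if (!result.ok) return res.status(400).json({ errors: result.errors });
  // ... persist result.value ...
  return res.status(201).json({ created: true });
}
```

Keeping the policy in a function that takes a plain object lets it be unit-tested without spinning up Express, and makes it obvious that the password is checked but never escaped or logged.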
## Security Headers
```javascript
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', "default-src 'self'");
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('X-Content-Type-Options', 'nosniff');
  // One year, applied to subdomains as well; only meaningful over HTTPS
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  // Legacy header: current browsers ignore it, the CSP above is the real control
  res.setHeader('X-XSS-Protection', '1; mode=block');
  next();
});
```
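Headers silently disappear when middleware order changes or a proxy strips them, so the check a practitioner wants is an assertion over the actual response. The following added example (not from the page) audits a header map against the baseline above: missing or weakened headers are reported as errors, and the legacy `X-XSS-Protection` as informational only. The function name and the finding format are this example's own.

```javascript
// Added example: audit response headers against the baseline above (not from the page).
const ONE_YEAR_SECONDS = 31536000;

// Returns an array of { severity: 'error' | 'info', msg } findings; empty means compliant.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = String(v);
  const findings = [];
  const add = (severity, msg) => findings.push({ severity, msg });

  const csp = h['content-security-policy'];
  if (!csp) add('error', 'missing Content-Security-Policy');
  else if (!/(^|;)\s*default-src\s/.test(csp)) add('error', 'CSP has no default-src directive');
  else if (/'unsafe-inline'/.test(csp)) add('error', "CSP allows 'unsafe-inline'");

  const xfo = (h['x-frame-options'] || '').trim();
  if (!/^(DENY|SAMEORIGIN)$/i.test(xfo)) add('error', 'X-Frame-Options is not DENY or SAMEORIGIN');

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    add('error', 'missing X-Content-Type-Options: nosniff');
  }

  const hsts = h['strict-transport-security'];
  const m = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!m) add('error', 'missing Strict-Transport-Security max-age');
  else if (Number(m[1]) < ONE_YEAR_SECONDS) add('error', `HSTS max-age ${m[1]} is shorter than one year`);

  // Modern browsers ignore this header; note it rather than fail on it.
  const xss = h['x-xss-protection'];
  if (xss && xss.trim() !== '0') add('info', 'X-XSS-Protection is legacy; CSP is the effective control');

  return findings;
}

// Constructed sample: the exact header set produced by the middleware above.
const BASELINE_HEADERS = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-XSS-Protection': '1; mode=block',
};

function countErrors(headers) {
  return checkSecurityHeaders(headers).filter((f) => f.severity === 'error').length;
}
```

Wire `checkSecurityHeaders` into an integration test that performs a real request against the app and fails the build when `countErrors` is non-zero; header regressions are otherwise invisible until an external scan finds them.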
## Security Checklist
- HTTPS everywhere
- Authentication on all protected routes
- Input validation and sanitization
- Rate limiting enabled
- Security headers configured
- CORS restricted to allowed origins
- No stack traces in production errors
- Audit logging enabled
- Dependencies regularly updated
## Additional Implementations
See references/python-nginx.md for:
- Python FastAPI security middleware
- Pydantic input validation with password rules
- Nginx SSL/TLS and security headers configuration
- HTTP Parameter Pollution prevention
## Never Do
- Trust user input without validation
- Return detailed errors in production
- Store secrets in code
- Use GET for state-changing operations
- Disable security for convenience