feature-security

Security Analyst Implementation

Analyze and verify security aspects of new feature implementations.

Implementation Checklist

Authentication & Authorization

  • Verify authentication is required on all protected endpoints
  • Check role-based access control enforcement
  • Ensure token validation and expiration handling
  • Validate session management and logout behavior
  • Check for privilege escalation vulnerabilities

Input Validation

  • Verify all user inputs are validated and sanitized
  • Check for SQL injection prevention (parameterized queries)
  • Ensure XSS prevention in rendered user content
  • Validate file upload restrictions (type, size, content)
  • Check for command injection in system calls

Data Protection

  • Verify sensitive data is encrypted at rest and in transit
  • Check that PII is properly masked in logs and responses
  • Ensure secrets are not hardcoded or committed to source
  • Validate proper use of hashing for passwords and tokens
  • Check data retention and deletion compliance

Security Configuration

  • Verify CORS policy is properly configured
  • Check security headers (CSP, HSTS, X-Frame-Options)
  • Ensure dependency versions have no known vulnerabilities
  • Validate error responses do not leak internal details
  • Check rate limiting on authentication endpoints
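The Security Configuration items above, turned into an offline check a reviewer can run against a captured response's headers; this is an added example, not part of the original checklist. The one-year HSTS floor, the "version digit in Server" heuristic and the two sample header sets are assumptions of the example, and the sample responses are constructed, not captured from any real system.

```python
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # HSTS max-age floor in seconds (assumption of this example)

def _csp_directive(csp: str, name: str) -> Optional[List[str]]:
    """Return the source list of one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Evaluate response headers against the checklist; return findings (empty list = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    # CORS: a wildcard origin combined with credentials is a misconfiguration
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if h.get("access-control-allow-origin") == "*" and creds:
        findings.append("CORS: wildcard origin combined with credentials")
    # HSTS: must be present with a max-age of at least one year
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    # CSP: the effective script source list (script-src, else default-src) must not allow inline
    csp = h.get("content-security-policy", "")
    script_src = _csp_directive(csp, "script-src")
    if script_src is None:
        script_src = _csp_directive(csp, "default-src")
    if script_src is None:
        findings.append("CSP missing or has no script-src/default-src")
    elif "'unsafe-inline'" in script_src:
        findings.append("CSP: effective script-src allows 'unsafe-inline'")
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and _csp_directive(csp, "frame-ancestors") is None:
        findings.append("X-Frame-Options missing or weak, and no frame-ancestors")
    # Internal-detail leakage: a version number in Server, or X-Powered-By present
    if re.search(r"\d", h.get("server", "")) or "x-powered-by" in h:
        findings.append("Server/framework version disclosed in headers")
    return findings

# Constructed sample responses (not captured from any real system)
WEAK_HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "Express",
                "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true",
                "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}
HARDENED_HEADERS = {"Server": "nginx", "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                    "X-Frame-Options": "DENY"}
```

Running check_security_headers on WEAK_HEADERS returns five findings, one per checklist item; HARDENED_HEADERS returns an empty list.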

Output Format

Report implementation status:

  Status     Description
  Complete   Fully implemented and verified
  Partial    Implementation started, needs remaining work
  Blocked    Cannot proceed due to dependency or decision needed
  Skipped    Not applicable to this feature