security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security

安全

Security Checklist

安全检查清单

Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)

See COMMON-VULNS.md for detailed checks.

Security Basics:
- [ ] 受保护路由需身份验证
- [ ] 密码已哈希处理（bcrypt/argon2），绝不明文存储
- [ ] API密钥存储在环境变量中，而非代码里
- [ ] 生产环境仅使用HTTPS
- [ ] 服务器端验证输入
- [ ] 防止SQL注入（使用参数化查询）
- [ ] 防止XSS攻击（清理用户输入）
- [ ] 表单添加CSRF令牌
- [ ] API端点设置速率限制
- [ ] 用户会话自动过期（通常30分钟-1小时）

查看COMMON-VULNS.md获取详细检查项。

Critical: Never Store These in Code

关键注意事项：绝不要在代码中存储这些内容

Move to environment variables:

Database passwords
API keys (Stripe, SendGrid, etc)
JWT secrets
OAuth client secrets
Encryption keys

Tell AI:

Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY

转移到环境变量中：

数据库密码
API密钥（Stripe、SendGrid等）
JWT密钥
OAuth客户端密钥
加密密钥

告知AI：

Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY

Authentication Basics

身份验证基础

Minimum requirements:

Passwords: 8+ chars, require number/symbol
Hash passwords (bcrypt with 10+ rounds)
Email verification for signups
Password reset via email only
Sessions expire (30-60 min idle)
Logout clears session completely

Tell AI:

Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbol

See SECURITY-PROMPTS.md for implementation details.

最低要求：

密码：8位以上，需包含数字/符号
密码哈希处理（bcrypt使用10+轮次）
注册需邮箱验证
仅通过邮箱重置密码
会话超时（闲置30-60分钟）
登出完全清除会话

告知AI：

Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbol

查看SECURITY-PROMPTS.md获取实现细节。

Data Protection

数据保护

Always encrypt:

Passwords (hashed, not encrypted)
Payment info (use Stripe, don't store cards)
Personal identifiable information (PII)

Never log:

Passwords (even hashed)
Credit card numbers
API keys
Session tokens

Tell AI:

Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.

始终加密：

密码（哈希处理，而非加密）
支付信息（使用Stripe，勿存储卡片信息）
个人可识别信息（PII）

绝不记录：

密码（即使是哈希后的）
信用卡号
API密钥
会话令牌

告知AI：

Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.

API Security

API安全

Required for all API endpoints:

Authentication check
Rate limiting (prevent abuse)
Input validation
Error messages don't leak info

Tell AI:

Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)

所有API端点的要求：

身份验证检查
速率限制（防止滥用）
输入验证
错误信息不泄露敏感内容

告知AI：

Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)

Common Vulnerabilities

常见漏洞

Most common in AI-built apps:

Exposed API keys - In code instead of .env
No rate limiting - APIs can be spammed
Missing auth checks - Routes accessible without login
SQL injection - Raw SQL with user input
XSS attacks - Unescaped user content displayed

See COMMON-VULNS.md for how to check.

AI构建应用中最常见的漏洞：

API密钥暴露 - 存储在代码中而非.env
无速率限制 - API可能被垃圾请求攻击
缺失身份验证检查 - 无需登录即可访问路由
SQL注入 - 使用用户输入拼接原始SQL
XSS攻击 - 未转义的用户内容被展示

查看COMMON-VULNS.md了解检查方法。

Security Prompts for AI

用于AI的安全提示词

Adding authentication:

Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.

Rate limiting:

Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed

Input validation:

Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message

See SECURITY-PROMPTS.md for more.

添加身份验证：

Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.

速率限制：

Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed

输入验证：

Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message

查看SECURITY-PROMPTS.md获取更多内容。

Pre-Launch Security Review

上线前安全审查

Before deploying:

Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")

部署前检查：

Production Security:
- [ ] 所有密钥存储在环境变量中
- [ ] 强制使用HTTPS（禁止HTTP）
- [ ] 配置数据库备份
- [ ] 所有API设置速率限制
- [ ] 错误页面不显示堆栈跟踪
- [ ] 管理员路由受保护
- [ ] 文件上传已验证（类型、大小）
- [ ] CORS已配置（非通配符"*"）

When to Get Security Audit

何时需要安全审计

Signs you need expert review:

Handling payments directly (not Stripe)
Storing health/financial data
Multi-tenant with data isolation
Over 1,000 users
Processing sensitive PII

For most MVPs: Following this checklist is sufficient.

需要专家审查的迹象：

直接处理支付（而非使用Stripe）
存储健康/财务数据
多租户架构且需数据隔离
用户量超过1000
处理敏感个人可识别信息

**对于大多数MVP：**遵循本检查清单已足够。

Common Founder Mistakes

创始人常见错误

Mistake	Fix
API keys in code	Move to .env
No rate limiting	Add to all endpoints
Plain text passwords	Use bcrypt
HTTP in production	Force HTTPS
Accepting all CORS	Whitelist domains
No input validation	Validate server-side
Detailed error messages	Generic messages only

错误	修复方案
API密钥在代码中	转移到.env
无速率限制	为所有端点添加
明文密码	使用bcrypt
生产环境使用HTTP	强制HTTPS
接受所有CORS请求	白名单域名
无输入验证	服务器端验证
详细错误信息	仅使用通用信息

Quick Wins

快速优化项

Easy security improvements:

Add Helmet.js (Node) - Sets security headers
Use HTTPS everywhere - Force in production
Add rate limiting - Prevents abuse
Environment variables - Keep secrets safe
Update dependencies - Fix known vulnerabilities

Tell AI:

Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).

简单的安全改进：

添加Helmet.js（Node）- 设置安全头
全链路使用HTTPS - 生产环境强制启用
添加速率限制 - 防止滥用
环境变量 - 安全存储密钥
更新依赖 - 修复已知漏洞

告知AI：

Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).

Testing Security

安全测试

Quick checks:

Exposed secrets:

bash

grep -r "api_key" src/
grep -r "password" src/

快速检查：

密钥暴露检查：

bash

grep -r "api_key" src/
grep -r "password" src/

Should only find references to env vars

应仅找到环境变量的引用


**No auth bypass:**
- Try accessing protected routes without login
- Should redirect to login or return 401

**Rate limiting works:**
- Hit API endpoint 100 times quickly
- Should get 429 error

---


**身份验证绕过检查：**
- 尝试无需登录访问受保护路由
- 应重定向到登录页或返回401

**速率限制有效性检查：**
- 快速调用API端点100次
- 应收到429错误

---

Success Looks Like

成功标准

✅ No secrets in code (all in .env)
✅ Can't access protected routes without auth
✅ Passwords hashed, never stored plain text
✅ Rate limiting prevents abuse
✅ HTTPS enforced in production
✅ Input validated on server side

✅ 代码中无密钥（全部存储在.env）
✅ 未登录无法访问受保护路由
✅ 密码已哈希处理，绝不明文存储
✅ 速率限制可防止滥用
✅ 生产环境强制HTTPS
✅ 服务器端验证输入