An overview of the

Now the front trend is a single page application SPA before and after the end of the rich client, use the vue framework, such as JSP, asp problems such as the most vulnerable to XSS base with the help of the framework is rarely appeared, but when we develop should also be familiar with a lot of security problems, I can think of me to share with you, welcome to clap brick.

Management address

When we do OA and other system management applications:

1. The background management IP address is a second-level domain name (for example, manage.xxx.com or admin.xxx.com), 2. There are suffixed routing addresses (such as xxx.com/admin or xxx.com/manage),Copy the code

This kind of common keywords appear in the background management address, it is easy to be scanned by some secondary domain name or royal sword can scan the directory of the software to expose the background, in addition, too sensitive background address, will also be in Google grammar by the search engine climb, such as (inURL :admin), In this way, it is easy to be captured by some automatic crawling background software of the whole network for the next operation. If it is not necessary, it is recommended that the background address is relatively independent and does not contain common keywords.

Front-end CDN or OBS

In order to reduce the bandwidth pressure of the server and hide the real address of the server, it is common to put the front-end on OBS or join the CDN. It should be noted that although we add the CDN and put our application domain name Cname into a three-party domain name, many foreign DNS servers can check it. In addition, if the address before switching to the CDN remains unchanged, the attacker can still see the real address of the server from the resolution history.

Logic overreach vulnerability

When we enter sensitive content into the system, the front end should cooperate with the back end to do the necessary logical filtering: for example

1. Accuracy of transaction amount, no negative number or other input restrictions according to business scenarios; 2. Do not use the permission management logic in the front end. For example, the permission of control menu is front-end control. 3. Sensitive project configuration is put in the front end (I have seen the front end write the server password in the release script for the convenience of release); 4. Strictly control the intrusion of each role page; 5. Try to deal with back-end front-end errors by yourself and do not expose them directly; 6. Try to use JSON data type for interactive transmission;Copy the code

Weak password

Is not no absolute security system, but there is no absolute safety, many developers in the development stage to set the password of save trouble is very weak, even project launch, development with weak passwords are not deleted, directly equate to open the door to strangers, advice in the front and back end development using filtering mechanism is a key development period of permissions isolation, weak password to delete.

Remove keywords and fingerprints from all parts of the project

Many developers are developed on the shoulders of giants, two open some molding project framework, etc., in many parts of the project framework has some of their tags and fingerprints, many fingerprint recognition software can identify web application development framework, etc., the development framework of the old holes once you don’t have a handle, very easy to use.

Frame scaffolding

At present, when vUE and other frameworks are compiled, js code will be confused and compressed, which increases the security of the system to a certain extent. Even though many business processes are in the front end, it also increases the difficulty of attack.

I have seen many ways to prevent debugger in the market is to loop a Debugger indefinitely at the beginning of the project, so that many debuggers are always in the debugger phase during F12 debug mode.Copy the code

Use encryption protocol

For HTTP plaintext data transmission, the most common attack method of attackers is network sniffing, trying to analyze sensitive data in the transmission process. Ali and other cloud service manufacturers have free certificates with a period of time of one year, and HTTPS is not very complicated. In addition, it is recommended that the user name, password or sensitive data of many business scenarios be encrypted at the front end during transmission, which can make the attack difficult to some extent and prevent the use of man-in-the-middle attacks.

Upload control

Many attacks of subsequent operations are implemented using the upload link, upload all the server information extraction rights, upload files to the server equals to the server to open a door, must strictly control the upload limit, the filename suffix, format restrictions have almost no effect, Suggestions and is now the three parties cloud storage are mostly, will be stored and business division, The storage device is stored on a third-party cloud storage device or self-built storage device. Services and storage devices are isolated, and services store only required storage addresses.

Cross-site request forgery (CSRF attack)

1. User C opens A browser, accesses trusted website A, and enters the user name and password to request to log in to website A. 2. After the user information is authenticated, website A generates Cookie information and returns it to the browser. At this time, the user successfully logs in to website A and sends requests to website A. 3. Before exiting website A, open A TAB page in the same browser to access website B. 4. After receiving user requests, website B returns some offensive codes and sends A request to visit third-party site A; 5. After receiving these offensive codes, according to the request of Website B, the browser sends A request to Website A with Cookie information without the user's knowledge. Website A does not know that the request is actually initiated by B, so it will process the request with C's permission according to the Cookie information of user C, resulting in the malicious code from Website B being executed.Copy the code

Now springboot and other frameworks in the background are using token in the header, feeling that the opportunity to use is also less and less.

Cross-site scripting attacks (XSS attacks)

This kind of attack is mainly to obtain cookies and directly log in the background with cookies, commonly known as cookie beating. With the separation of front and back ends and the popularity of front-end VUE and other frameworks, the opportunities to use this kind of scene are becoming less and less.

HttpOnly Cookie: true. The most effective defense against XSS attacks stealing user cookies.Copy the code

SQL injection

The attention of the front end is that when filling in forms and other inputs to the system, the necessary input checks can reduce some risks for the back end. If the back end has been filtered very strictly, the front end filtering is not necessarily necessary based on the project situation.

Welcome to learn and share FLUTTER with me. The project will continue to update new learning demo

Github address of this project: project address

Here is our public account: Flutter Programming Notes (CODE9871)Copy the code

The official accounts share their learning ideas from time to time

Past review:

The flutter achieves top adsorption effect

The Flutter implements a digital scale

Flutter implements simple rotation animations

The Flutter achieves a simple drawer effect