Web Security
2022-07-05 10:47:00 【Code Bruce Lee】
Preface
The following is a summary of common front-end security knowledge; these are also standard interview questions. There is nothing technically deep here, but you need to know it, and in our own application development we also need to avoid these low-level problems.
SQL injection
Description
The back end takes parameters passed from the front end and splices them directly into the SQL query; the resulting abnormal splicing changes the statement and causes a security problem.
Solution
Verify the information passed from the front end layer by layer; never use it directly.
Remark: in fact, any data transmitted from the front end may be risky or not rigorous, so every back-end interface must check the passed parameters for illegal values and perform business validation before actually using them.
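As an added example (not code from the original post), here is the spliced query beside a parameterized one, with an allowlist check of the kind the remark above asks for; the `$1` placeholder style and the username rule are assumed, and no database is contacted.

```javascript
// Vulnerable: the parameter is spliced straight into the SQL text, so any
// quote character in the input becomes part of the statement's structure.
function findUserUnsafe(username) {
  return "SELECT id, name FROM users WHERE name = '" + username + "'";
}

// Hardened: the SQL text is fixed and the input travels separately as a
// value (PostgreSQL-driver style placeholder), so it is never parsed as SQL.
function findUserSafe(username) {
  return { text: 'SELECT id, name FROM users WHERE name = $1', values: [username] };
}

// Business-level validation on the backend: allowlist the shape of the
// parameter before it is used at all (rule assumed for this example).
function isValidUsername(username) {
  return typeof username === 'string' && /^[A-Za-z0-9_]{3,32}$/.test(username);
}

// Constructed input: an ordinary name containing a quote is already enough
// to break the spliced statement (three quotes, unbalanced), while the
// parameterized form keeps it intact as data.
const name = "O'Brien";
console.log(findUserUnsafe(name));
console.log(findUserSafe(name));
console.log(isValidUsername(name), isValidUsername('bob_42'));
```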
XSS (Cross Site Scripting, cross-site scripting attack)
Description
Simply put, JS code is injected into your page in some way, most commonly through a submitted form. Because that code runs with the same permissions as your own code, it can read your data and also send it elsewhere, so the harm is great.
Solution
Replace the following characters in the input:
& replace with: &amp;
< replace with: &lt;
> replace with: &gt;
" replace with: &quot;
' replace with: &#x27;
/ replace with: &#x2F;
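An added example (not from the original post) that applies exactly the six substitutions above and then checks that no markup delimiter survives; the sample form input is constructed, and the encoding is meant for HTML text content, not for script or URL contexts.

```javascript
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode every special character. & must be in the table, otherwise an
// input such as "&lt;" would be decoded by the browser back into markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Defender-side check: after encoding, no tag or attribute delimiter remains,
// so the string can be placed into HTML text content as inert data.
function containsMarkupDelimiters(s) {
  return /[<>"']/.test(s);
}

// Constructed input as it might arrive from a comment form.
const submitted = 'Tom & Jerry <script>alert("hi")</script>';
const encoded = escapeHtml(submitted);
console.log(encoded);
console.log(containsMarkupDelimiters(encoded)); // false
```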
In addition, strengthen control of cookies: set HttpOnly so that JS cannot read the cookie content.
However, for rich-text content simple text substitution does not solve the problem; it can be handled with CSP, that is, by establishing a whitelist:
Set Content-Security-Policy in the HTTP header
Set it through a meta tag
If set via the HTTP header, it can look like this: Content-Security-Policy: default-src 'self', which allows only resources from this website.
CSRF (Cross-site request forgery)
Description
CSRF uses the current user's permissions to secretly complete an operation, rather than obtaining the user's information.
Its principle: cookies follow the same-origin policy, so once you are logged in, requests to the same domain carry the cookie and require no further verification from the user.
Solution
For operations that require verification, set up additional validation, for example a verification code, password, or fingerprint;
Change GET requests to POST requests, which is more secure; let GET requests be used only for read operations;
Verify document.referrer (the Referer header) to determine which page the request came from; WeChat Pay has this verification mechanism;
A token with a timeliness mechanism: when an operation is performed, send a time-limited token, and when the subsequent operation is performed, verify that the token is the same;
Verify the network IP: if the request is initiated from a non-local device, its IP will also differ from the original IP, so comparing IPs can also remove unsafe factors.
Web page nesting attack
Description
A web page is nested via iframe, the nested layer is made transparent, and clicks pass through the visible interface to trigger the attacker's own events.
Solution
The first method: set a header that disallows nesting
X-Frame-Options is an HTTP response header with very good support in modern browsers. This response header defends against clickjacking attacks that use iframe nesting.
The three values this response header accepts are:
DENY: the page is not permitted to be shown in an iframe
SAMEORIGIN: the page may be shown in an iframe under the same domain name
ALLOW-FROM: the page may be shown in an iframe from a specified source
The second method: with simple JS we can check whether the current page is the top-level window.
if (window.top !== window.self) {
    // The page is inside a frame: navigate the top window to this page to break out.
    // (A frame with a restrictive sandbox attribute can block this navigation, which is why the header above is the more reliable defense.)
    window.top.location.href = window.location.href;
} else {
    alert("It's the top window");
}
Man-in-the-middle attack
Description
The request is intercepted; it may then be rewritten, or important information extracted from it, before the request continues on its way.
Solution
Simple and effective: upgrade to HTTPS.