{"id":13398837,"url":"https://github.com/FallibleInc/security-guide-for-developers","last_synced_at":"2025-03-14T03:30:31.944Z","repository":{"id":40604842,"uuid":"60710553","full_name":"FallibleInc/security-guide-for-developers","owner":"FallibleInc","description":"Security Guide for Developers (Practical Security Guide for Developers)","archived":false,"fork":false,"pushed_at":"2022-05-28T13:38:03.000Z","size":5838,"stargazers_count":20894,"open_issues_count":19,"forks_count":1597,"subscribers_count":1094,"default_branch":"master","last_synced_at":"2024-07-29T20:03:29.026Z","etag":null,"topics":["api","books","security","security-book","security-checklist"],"latest_commit_sha":null,"homepage":"https://git.io/security","language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FallibleInc.png","metadata":{"files":{"readme":"README-zh.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security-checklist-zh.md","support":null}},"created_at":"2016-06-08T15:56:25.000Z","updated_at":"2024-07-27T12:31:56.000Z","dependencies_parsed_at":"2022-07-14T03:50:35.315Z","dependency_job_id":null,"html_url":"https://github.com/FallibleInc/security-guide-for-developers","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FallibleInc%2Fsecurity-guide-for-developers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FallibleInc%2Fsecurity-guide-for-developers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FallibleInc%2Fsecurity-guide-for-developers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FallibleInc%2Fsecurity-guide-for-developers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FallibleInc","download_url":"https://codeload.github.com/FallibleInc/security-guide-for-developers/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":213240347,"owners_count":15557463,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","books","security","security-book","security-checklist"],"created_at":"2024-07-30T19:00:32.097Z","updated_at":"2024-07-30T19:03:06.461Z","avatar_url":"https://github.com/FallibleInc.png","language":null,"readme":"# A Practical Security Guide for Web Developers\n\n### Target audience\n\nSecurity problems are mostly caused by two kinds of developers:\n\n1. Beginners who cannot tell the difference between what MD5 and bcrypt are for\n2. Developers who know this but forget or ignore it\n\nOur detailed explanations should help the first group, and we hope our checklist helps the second group build more secure systems. This is not a comprehensive guide; it only covers most of the common problems we have found in the past.\n\n### Table of contents\n\n1. [Security Checklist](security-checklist-zh.md)\n2. What can go wrong?\n3. Transporting data securely: HTTPS explained\n4. Authentication: who am I?\n4.1 Form-based authentication\n4.2 Basic authentication\n4.3 One is never enough: two, three (factors)....\n4.4 Why use insecure text messages? An introduction to HOTP \u0026 TOTP\n4.5 Handling password resets\n5. Authorization: what can I do?\n5.1 Token-based authorization\n5.2 OAuth and OAuth2\n5.3 JWT (JSON Web Token)\n6. Data validation and sanitization: never trust user input\n6.1 Validating and sanitizing user input\n6.2 Sanitizing output\n6.3 Cross-site scripting (XSS)\n6.4 Injection attacks\n6.5 User uploads\n6.6 Tampered user input\n7. Plaintext != encoding != encryption != hashing\n7.1 Common encoding schemes\n7.2 Encryption\n7.3 Hashing and one-way functions\n7.4 Hashing speed comparison table\n8. Passwords: dadada, 123456, cute@123\n8.1 Password policies\n8.2 Password storage\n8.3 Life without passwords\n9. Public-key cryptography\n10. Sessions: remember me\n10.1 Where to store state?\n10.2 Invalidating sessions\n10.3 Cookie monster and you\n11. Hardening security, one header at a time\n11.1 Secure web headers\n11.2 Integrity checks for third-party code\n11.3 Certificate pinning\n12. Misconfiguration\n12.1 Cloud provisioning: ports, Shodan, AWS\n12.2 Honey, you left debug mode on\n12.3 Logging (or the lack of it)\n12.4 Monitoring\n12.5 Principle of least privilege\n12.6 Rate limiting and CAPTCHAs\n12.7 Storing project secrets and passwords in files\n12.8 DNS: on subdomains and forgotten pet projects\n12.9 Patching and updates\n13. Attacks: when the bad guys arrive\n13.1 Clickjacking\n13.2 Cross-site request forgery\n13.3 Denial of service\n13.4 Server-side request forgery\n14. [Vulnerability statistics of internet companies](vulnerabilities-stats-zh.md)\n15. Reinventing the wheel, and making it square\n15.1 Secure libraries and packages for Python\n15.2 Secure libraries and packages for NodeJS\n15.3 Learning resources\n16. Building good security habits\n17. Security vs usability\n18. Back to item 1: the security checklist explained\n\n### Who are we?\n\nWe are full-stack developers who hate seeing developers who hack something together just to get it done and write a pile of insecure code. In the past six months we have protected more than 15 million credit card records from being leaked and more than 45 million users' personal data from being stolen, and potentially saved a large number of companies from going under. Recently, a security issue we found could have caused a bitcoin exchange to go out of business because of a data breach. We have helped a number of startups make their systems more secure, mostly for free, and sometimes without even getting a 'thank you' :)\n\n*If you disagree with our views or find a bug, please open an issue or submit a PR. You can also reach us at hello@fallible.co.*\n","funding_links":[],"categories":["React","Others","Security Guides","Developer","HTTP Security","Front-end development frameworks and projects","Guidelines","miscellaneous","Others (1002)","Dev"],"sub_categories":["Response body","Other_text generation, text dialogue","Security"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFallibleInc%2Fsecurity-guide-for-developers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFallibleInc%2Fsecurity-guide-for-developers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFallibleInc%2Fsecurity-guide-for-developers/lists"}