One, foreword

In daily development we often ignore security, either because the feature at hand does not seem to involve it or because the framework handles it for us. Understanding the common security problems lets us make sure our applications are safe and respond rationally when a problem does occur. Below is a simple chat about security issues.

Two, why do we need security defenses

1. Theft of user identity information (obtaining cookies)

2. User passwords are leaked

3. User information is stolen

4. Website database leakage

Three, XSS attack

1. What is an XSS attack? XSS stands for Cross-Site Scripting. An attacker exploits a vulnerability in a website to inject malicious script code, or to store that script on the website, in order to attack the site and obtain sensitive information.

2. XSS attack path?

(1) Submitting malicious script code through an input field so that the malicious script ends up stored in the database

(2) Using the way the website parses its URL to construct a malicious website URL and spread it to users, achieving a script attack

3. Measures to prevent XSS?

(1) With server-side rendering, fully escape characters in HTML templates; with pure front-end rendering in the Vue/React technology stack, the v-html directive and dangerouslySetInnerHTML are prohibited

(2) Add a Content-Security-Policy to the HTTP headers

(3) HttpOnly: set this flag on cookies so that JavaScript cannot read the website's cookies

Four, CSRF attack

1. What is a CSRF attack?

CSRF translates as cross-site request forgery. Without going into too much detail: when the browser visits the target website it automatically attaches the cookies it has stored for that origin to the request, and CSRF exploits this automatically attached login state to attack the target website

2. CSRF attack route?

Suppose Zhang San logs in to the Taobao website, and Li Si is an attacker. Li Si writes a website B that looks like Taobao and sends the link to Zhang San. Zhang San clicks the link and lands on Li Si's website. At this time the browser has the cookie for the domain taobao.com stored locally, so even though the request to taobao.com/getUserInfo is made from website B, the browser automatically attaches the cookie, the request returns the user information, and the goal of stealing user information is achieved

3. Measures to prevent CSRF?

(1) Block requests from unknown external sites: same-origin detection (the Referer in the request header), and set the SameSite attribute on cookies

(2) Double token verification: when sending a request, verify a token that can only be obtained on the site itself, such as a CSRF token

Five, Clickjacking

1. What is clickjacking?

Clickjacking can be understood in two parts: first, it needs a click; second, that click is hijacked, ha ha ha

2. How is clickjacking carried out? (An iframe with its opacity set to 0)

The hacker Li Si sends the user his website B and guides the user to click a Button in website B to receive a red envelope. What the user actually clicks is not that Button, but a Button on the taobao.com page, loaded in website B through an iframe whose src is taobao.com, which hands over the user's information. The iframe tag is set to opacity:0, so it is invisible to the user

3. Measures against clickjacking? (Prevent the website from being embedded by third-party websites through iframe tags)

Set the response header X-Frame-Options: SAMEORIGIN. After that, when Li Si's website B sets iframe src="taobao.com", the iframe cannot load pages from the taobao.com domain, which fundamentally solves this problem
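The XSS, CSRF and clickjacking measures listed above, collected into small Node.js helpers as an added example (this is not code from the original post). The origin https://shop.example, the cookie name sid and the X-CSRF-Token header name are assumptions chosen for the example.

```javascript
// Added example: the defensive measures from this post as testable helpers.
// "https://shop.example", cookie "sid" and header "x-csrf-token" are
// constructed names, not values taken from the post.

// XSS (1): with server-side rendering, escape every character HTML treats
// specially before interpolating untrusted data into a template.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// XSS (2) + clickjacking (3): response headers. The CSP blocks inline and
// third-party scripts; X-Frame-Options stops other sites from iframing us.
function securityHeaders() {
  return {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// XSS (3) + CSRF (1): the session cookie. HttpOnly keeps it out of
// document.cookie; SameSite keeps the browser from attaching it to
// cross-site requests; Secure restricts it to HTTPS.
function sessionCookie(value) {
  return `sid=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Compare two strings without leaking where they differ through timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// CSRF (1) + (2) for state-changing requests: same-origin detection on the
// Origin/Referer header, then a token that only pages on our site can read.
// `req` has the shape { method, headers } with lower-cased header names.
function csrfOk(req, sessionToken, siteOrigin) {
  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) return true;
  const src = req.headers.origin || req.headers.referer;
  if (!src) return false;                  // unknown source: reject
  let origin;
  try { origin = new URL(src).origin; } catch { return false; }
  if (origin !== siteOrigin) return false; // request came from another site
  const sent = req.headers["x-csrf-token"] || "";
  return constantTimeEqual(sent, sessionToken);
}
```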

Six, transport security

Speaking of transport security, we have to mention man-in-the-middle attack. What is a man-in-the-middle attack?

1. Man-in-the-middle attack. We know that after we enter a URL in the browser address bar, the request passes through many nodes, layers of networks and devices, and it may be hijacked at any one of them. For example, Zhang San visits Taobao.com on his own computer and sends a request to the Taobao.com server. Somewhere along the network link, Zhang San's request is intercepted by the hacker Li Si. From then on, everything Zhang San does on taobao.com, logging in, paying and so on, passes through Li Si's server, and Li Si can do whatever he likes to Zhang San, haha, use your imagination ~.

2. How do you solve man-in-the-middle attacks?

Some students will say: 'Use HTTPS'. See "HTTPS You Must Know" for more information about HTTPS.

Seven, password security

1. What does a password do?

“Prove you are you”

2. How does the verification mechanism work?

“Compare the entered password with the stored password”

3. Disadvantages of biometric passwords?

Biometric passwords such as fingerprint unlocking and facial recognition are handy, but once stolen they cannot be changed.

4. Symmetric encryption and asymmetric encryption?

See JWT+Node for User Login Authorization Control.