Web Application Security: Foreign-Language Literature Translation (Chinese and English)

Updated: 2023-07-02 18:56:23

Web Application Security: Foreign-Language Literature Translation
(Includes the English original and its Chinese translation)
English original
Basic Security Practices for Web Applications
Even if you have limited experience with and knowledge of application security, there are basic measures that you should take to help protect your Web applications. The following sections in this topic provide minimum-security guidelines that apply to all Web applications:
- General Web Application Security Recommendations
- Run Applications with Minimum Privileges
- Know Your Users
- Guard against Malicious User Input
- Access Databases Securely
- Create Safe Error Messages
- Keep Sensitive Information Safely
- Use Cookies Securely
- Guard Against Denial-of-Service Threats
1. General Web Application Security Recommendations
Even the most elaborate application security can fail if a malicious user can use simple ways to gain access to your computers. General Web application security recommendations include the following:
- Back up data often and keep your backups physically secure.
- Keep your Web server physically secure so that unauthorized users cannot gain access to it, turn it off, physically steal it, and so on.
- Use the Windows NTFS file system, not FAT32. NTFS offers substantially more security than FAT32: per-file access control lists, auditing and file encryption, none of which FAT32 supports.
- Protect the Web server and all of the computers on the same network with strong passwords.
- Follow best practices for securing Internet Information Services (IIS).
- Close any unused ports and turn off unused services.
- Run a virus checker that monitors site traffic.
- Use a firewall.
- Learn about and install the latest security updates from Microsoft and other vendors.
- Use Windows event logging and examine the logs frequently for suspicious activity. This includes repeated attempts to log on to your system and excessive requests against your Web server.
2. Run Applications with Minimum Privileges
When your application runs, it runs within a context that has specific privileges on the local computer and potentially on remote computers. For information about configuring application identity, see Configuring ASP.NET Process Identity. To run with the minimum number of privileges needed, follow these guidelines:
- Do not run your application with the identity of a system user (administrator).
- Run the application in the context of a user with the minimum practical privileges.
- Set permissions (ACLs, or Access Control Lists) on all the resources required for your application. Use the most restrictive setting. For example, if practical in your application, set files to be read-only. For a list of the minimum ACL permissions required for the identity of your ASP.NET application, see ASP.NET Required Access Control Lists (ACLs).
- Keep files for your Web application in a folder below the application root. Do not allow users the option of specifying a path for any file access in your application. This helps prevent users from getting access to the root of your server: a user-controlled path containing ".." components is a directory traversal, so resolve every requested file name against a fixed directory and reject anything that does not stay inside it.
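The last guideline above, as an added example that is not taken from the original article or from the ASP.NET documentation it translates. It is written in Python because the pattern is framework-independent: a request names a file, the name is joined underneath a fixed application directory, and the resolved path is checked to still lie inside that directory. The root directory, the error type and the sample names are assumptions constructed for this example.

```python
import os

# Assumed application root for the example; a real deployment would use the
# directory the application's data files are installed in.
APP_ROOT = "/srv/webapp/files"


class PathOutsideRootError(ValueError):
    """Raised when a requested name would resolve to a file outside the application root."""


def resolve_under_root(root, user_supplied_name):
    """Map a user-supplied file name to a path guaranteed to lie below root.

    The user value is only ever joined underneath root, and the joined result is
    normalised with realpath (which collapses '..' and follows symlinks) before
    the containment check. A plain string-prefix test is not enough because
    '/srv/webapp/files2' starts with '/srv/webapp/files'; commonpath compares
    whole path components instead.
    """
    root = os.path.realpath(root)
    # Absolute paths and empty names are never acceptable as a relative file name.
    if not user_supplied_name or os.path.isabs(user_supplied_name):
        raise PathOutsideRootError(user_supplied_name)
    candidate = os.path.realpath(os.path.join(root, user_supplied_name))
    if os.path.commonpath([root, candidate]) != root:
        raise PathOutsideRootError(user_supplied_name)
    return candidate


def is_allowed(root, user_supplied_name):
    """True if the name stays inside root, False otherwise."""
    try:
        resolve_under_root(root, user_supplied_name)
    except PathOutsideRootError:
        return False
    return True
```

Both steps matter: without realpath, reports/../../secret.txt would pass a naive prefix check on the unnormalised string, and without a component-wise comparison a sibling directory whose name merely starts with the root's name would be accepted. Because realpath follows symlinks, a link planted inside the root that points outside it is rejected as well. The check deliberately uses the operating system's own path semantics rather than hand-written string tests, so separators and drive letters are handled the way the file system itself will interpret them.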
3. Know Your Users
In many applications, it is possible for users to access the site without having to provide credentials. If so, your application accesses resources by running in the context of a predefined user. By default, this context is the local ASPNET user (Windows 2000 or Windows XP) or the NETWORK SERVICE user (Windows Server 2003) on the Web server. To restrict access to users who are authenticated, follow these guidelines:
- If your application is an intranet application, configure it to use Windows Integrated security. This way, the user's login credentials can be used to access resources.
- If you need to gather credentials from the user, use one of the ASP.NET authentication strategies. For an example, see the ASP.NET Forms Authentication Overview.
4. Guard against Malicious User Input
As a general rule, never assume that input you get from users is safe. It is easy for malicious users to send potentially dangerous information from the client to your application. To help guard against malicious input, follow these guidelines:
- In forms, filter user input to check for HTML tags, which might contain script. For details, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.
- Never echo (display) unfiltered user input. Before displaying untrusted information, HTML-encode it to turn potentially harmful script into inert display strings.
- Similarly, never store unfiltered user input in a database.
- If you want to accept some HTML from a user, filter it manually. In your filter, explicitly define what you will accept (an allow list). Do not create a filter that tries to filter out malicious input (a deny list); it is very difficult to anticipate all possible malicious input.
- Do not assume that information you get from the request headers (usually via the Request object) is safe. Use safeguards for query strings, cookies, and so on.
- Be aware that information that the browser reports to the server (user agent information) can be spoofed, in case that is important in your application.
- If possible, do not store sensitive information in a place that is accessible from the browser, such as hidden fields or cookies.
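The encoding and allow-list guidelines above, as an added example that is not part of the original article or of the ASP.NET documentation it translates, written in Python with the standard library's html and html.parser modules. encode_for_display is the HTML-encoding step for untrusted text that is meant to be shown as text. filter_html is the allow-list filter: it rebuilds the input from scratch, keeping only a small fixed set of formatting tags and dropping everything else, including every attribute, instead of trying to enumerate dangerous constructs. The allowed tag set and the sample inputs are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser

# Tags the application has decided to accept; an assumption for this example.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}                       # tags that take no closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # tags whose text content is discarded too


def encode_for_display(untrusted):
    """HTML-encode untrusted text so the browser renders it as text, never as markup."""
    return html.escape(untrusted, quote=True)


class AllowlistFilter(HTMLParser):
    """Rebuild input from scratch, keeping only ALLOWED_TAGS and re-encoding all text.

    Nothing from the input is copied through verbatim: allowed tags are re-emitted
    without any attributes (so onmouseover=, href="javascript:..." and the like
    cannot survive), unknown tags and comments vanish, the contents of <script>
    and <style> are discarded, and text is passed through html.escape on output.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # stack of allowed tags currently open, to keep output balanced
        self._skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"<{tag}>")  # attributes deliberately not reproduced
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return  # stray or unknown end tag: drop it
        while self._open:  # close everything down to the matching tag
            opened = self._open.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        # Entities were decoded by the parser; re-encode so nothing typed by the
        # user reaches the output unescaped.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        self.close()
        while self._open:  # close anything the input left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def filter_html(untrusted):
    """Return untrusted HTML reduced to the allowed tags, with all text re-encoded."""
    f = AllowlistFilter()
    f.feed(untrusted)
    return f.result()
```

The filter never tries to recognise "bad" input: an event-handler attribute on an allowed tag disappears because no attribute is ever copied, and a link with a javascript: URL disappears because the a tag is simply not on the list. Extending the list (for example to a with an href) is where the real design work starts, since the attribute value then needs its own allow list of URL schemes.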
5. Access Databases Securely
Databases typically have their own security. An important aspect of Web application security is designing a way for the application to access the database securely. Follow these guidelines:
- Use the inherent security of your database to limit who can access database resources. The exact strategy depends on your database and your application. If practical in your application, use Windows Integrated security so that only Windows-authenticated users can access the database. Integrated security is more secure than using SQL Server standard security. If your application uses anonymous access, create a single user with very limited permissions, and perform queries by connecting as this user.
- Do not create SQL statements by concatenating strings that involve user input. Instead, create a parameterized query and use user input to set parameter values. With a parameterized query the SQL text is fixed before any user value is seen, so a value such as ' OR '1'='1 is compared as a literal string rather than executed as SQL.
- If you must store a user name and password somewhere to use as the database login credential, store them securely; if practical, encrypt them. (Hashing only applies to credentials your own application verifies; a credential you must present to the database cannot be hashed.) For details, see Encrypting and Decrypting Data.
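The second guideline above, as an added example that is not part of the original article or of the ASP.NET documentation it translates. It uses Python's sqlite3 module so that it runs offline, but the two patterns are the same in ADO.NET, where the parameterized form is a SqlCommand with SqlParameter objects. The table, rows and hostile input are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the demonstration; not real accounts.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_demo_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concatenated(conn, name):
    """The pattern the text warns against: the user's value is spliced into the SQL text.

    Whatever the user types becomes part of the statement, so a quote in the
    input ends the string literal early and the rest is parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """The recommended pattern: fixed SQL text, the value bound as a parameter.

    The statement is prepared with a placeholder before the value is supplied,
    so the input can only ever be compared as a string, never parsed as SQL.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A tautology is used as the hostile input because sqlite3's execute() refuses to
# run more than one statement, so a stacked "...; DROP TABLE" payload would be
# rejected by the driver instead of demonstrating the concatenation flaw itself.
HOSTILE_NAME = "x' OR '1'='1"


def demo():
    """Run both variants against the same hostile input; return row counts (vulnerable, safe)."""
    conn = build_demo_db()
    leaked = find_user_concatenated(conn, HOSTILE_NAME)
    safe = find_user_parameterized(conn, HOSTILE_NAME)
    return len(leaked), len(safe)
```

The concatenated version returns every row for the hostile input because the statement it builds is WHERE name = 'x' OR '1'='1', while the parameterized version looks for a user literally named x' OR '1'='1 and finds none. The same difference shows up with honest input: a name such as O'Brien breaks the concatenated query with a syntax error, whereas the parameterized query simply returns no match.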
6. Create Safe Error Messages
If you are not careful, a malicious user can deduce important information about your application from the error messages it displays. Follow these guidelines:
- Do not write error messages that echo information that might be useful to malicious users, such as a user name, a connection string, a file path or a stack trace.
- Configure the application not to show detailed errors to users. If you want to display detailed error messages for debugging, check first that the user is local to the Web server. For details, see How to: Display Safe Error Messages.
- Use the customErrors configuration element to control who can view exceptions from the server (mode="RemoteOnly" shows detailed errors only to requests made from the server itself).
- Create custom error handling for situations that are prone to error, such as database access.
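The behaviour these guidelines describe, as an added example that is not code from the original article or from the ASP.NET documentation it translates (the page's own mechanism is the customErrors element; this shows the same policy in Python): the client receives a generic message and a reference id, full details go only to the server log, and details are shown only when the request comes from the server itself. The logger name, the local address set and the constructed database error are assumptions for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("webapp.errors")

# Addresses that count as "local to the Web server" for the debugging exception.
# This must be the TCP peer address of the connection, never a client-supplied
# header such as X-Forwarded-For, which the browser or anything in between can spoof.
LOCAL_ADDRESSES = {"127.0.0.1", "::1"}

GENERIC_MESSAGE = "An error occurred while processing your request. Reference: {ref}"


def is_local_request(remote_addr):
    """True only for connections made from the server itself."""
    return remote_addr in LOCAL_ADDRESSES


def new_reference_id():
    """Random id that ties the client's generic message to the detailed server log entry."""
    return uuid.uuid4().hex[:12]


def render_error(exc, remote_addr):
    """Return the text to send to the client for an unhandled exception.

    Full details (exception type, message, stack trace) go to the server log
    only. The client sees a generic sentence plus a reference id that support
    staff can look up in the log, unless the request comes from the server itself.
    """
    ref = new_reference_id()
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s remote=%s\n%s", ref, remote_addr, details)
    if is_local_request(remote_addr):
        return f"[{ref}] {type(exc).__name__}: {exc}"
    return GENERIC_MESSAGE.format(ref=ref)


def lookup_account(account_id, remote_addr):
    """Error-prone operation (a stand-in for database access) wrapped in custom handling."""
    try:
        return _query_database(account_id)
    except Exception as exc:  # deliberate catch-all: no raw exception text may reach the client
        return render_error(exc, remote_addr)


def _query_database(account_id):
    """Constructed stand-in for a failing database call.

    The message is made up for the example but has the shape real drivers
    produce: it names the database login, exactly the kind of detail that must
    not be echoed to a remote user.
    """
    raise ConnectionError(
        f"Cannot open database 'accounts' requested by the login 'webapp_dbadmin' (account {account_id})"
    )
```

The reference id is what makes the generic message usable: a support engineer can find the full trace in the log without the client ever having seen it. The local-address check relies on the connection's peer address; reading it from a request header would hand the decision to the client, contrary to the guideline in section 4 that header information can be spoofed.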
7. Keep Sensitive Information Safely
Sensitive information is any information that you need to keep private. A typical piece of sensitive information is a password or an encryption key. If a malicious user can get to the sensitive information,


Original link: https://www.wtabcd.cn/fanwen/fan/90/165063.html
