Security Patterns

安全模式

Essential security patterns for web applications.

Web应用必备的安全模式。

OWASP Top 10 Quick Reference

OWASP Top 10 速查参考

Rank	Vulnerability	Prevention
A01	Broken Access Control	Check permissions server-side, deny by default
A02	Cryptographic Failures	Use TLS, hash passwords, encrypt sensitive data
A03	Injection	Parameterized queries, validate input
A04	Insecure Design	Threat modeling, secure defaults
A05	Security Misconfiguration	Harden configs, disable unused features
A06	Vulnerable Components	Update dependencies, audit regularly
A07	Auth Failures	MFA, rate limiting, secure session management
A08	Data Integrity Failures	Verify signatures, use trusted sources
A09	Logging Failures	Log security events, protect logs
A10	SSRF	Validate URLs, allowlist destinations

排名	漏洞类型	预防措施
A01	访问控制失效	在服务器端检查权限，默认拒绝所有请求
A02	加密机制失败	使用TLS，哈希密码，加密敏感数据
A03	注入攻击	使用参数化查询，验证输入
A04	不安全设计	进行威胁建模，采用安全默认配置
A05	安全配置错误	加固配置，禁用未使用功能
A06	易受攻击的组件	定期更新依赖项，进行审计
A07	身份认证失败	启用多因素认证（MFA），设置速率限制，安全管理会话
A08	数据完整性失败	验证签名，使用可信数据源
A09	日志记录失败	记录安全事件，保护日志数据
A10	SSRF	验证URL，使用白名单指定目标地址

Input Validation

输入验证

python

undefined

python

undefined

WRONG - Trust user input

def search(query): return db.execute(f"SELECT * FROM users WHERE name = '{query}'")

CORRECT - Parameterized query

def search(query): return db.execute("SELECT * FROM users WHERE name = ?", [query])

undefined

def search(query): return db.execute("SELECT * FROM users WHERE name = ?", [query])

undefined

Validation Rules

验证规则

Always validate:
- Type (string, int, email format)
- Length (min/max bounds)
- Range (numeric bounds)
- Format (regex for patterns)
- Allowlist (known good values)

Never trust:
- URL parameters
- Form data
- HTTP headers
- Cookies
- File uploads

始终要验证：
- 类型（字符串、整数、邮箱格式）
- 长度（最小/最大限制）
- 范围（数值边界）
- 格式（使用正则匹配模式）
- 白名单（已知合法值）

绝不要信任：
- URL参数
- 表单数据
- HTTP请求头
- Cookie
- 文件上传

Output Encoding

输出编码

javascript

// WRONG - Direct HTML insertion
element.innerHTML = userInput;

// CORRECT - Text content (auto-escapes)
element.textContent = userInput;

// CORRECT - Template with escaping
render(`<div>${escapeHtml(userInput)}</div>`);

javascript

// WRONG - Direct HTML insertion
element.innerHTML = userInput;

// CORRECT - Text content (auto-escapes)
element.textContent = userInput;

// CORRECT - Template with escaping
render(`<div>${escapeHtml(userInput)}</div>`);

Encoding by Context

按场景选择编码方式

Context	Encoding
HTML body	HTML entity encode
HTML attribute	Attribute encode + quote
JavaScript	JS encode
URL parameter	URL encode
CSS	CSS encode

场景	编码方式
HTML主体	HTML实体编码
HTML属性	属性编码+引号包裹
JavaScript	JS编码
URL参数	URL编码
CSS	CSS编码

Authentication

身份认证

python

undefined

python

undefined

Password hashing (use bcrypt, argon2, or scrypt)

import bcrypt

def hash_password(password: str) -> bytes: return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(password: str, hashed: bytes) -> bool: return bcrypt.checkpw(password.encode(), hashed)

undefined

import bcrypt

def hash_password(password: str) -> bytes: return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(password: str, hashed: bytes) -> bool: return bcrypt.checkpw(password.encode(), hashed)

undefined

Auth Checklist

身份认证检查清单

Hash passwords with bcrypt/argon2 (cost factor 12+)
Implement rate limiting on login
Use secure session tokens (random, long)
Set secure cookie flags (HttpOnly, Secure, SameSite)
Implement account lockout after failed attempts
Support MFA for sensitive operations

使用bcrypt/argon2哈希密码（成本因子≥12）
对登录接口设置速率限制
使用安全的会话令牌（随机、长字符）
设置安全Cookie标记（HttpOnly、Secure、SameSite）
多次登录失败后锁定账户
敏感操作支持多因素认证（MFA）

Authorization

授权

python

undefined

python

undefined

WRONG - Check only authentication

@login_required def delete_post(post_id): post = Post.get(post_id) post.delete()

CORRECT - Check authorization

@login_required def delete_post(post_id): post = Post.get(post_id) if post.author_id != current_user.id and not current_user.is_admin: raise Forbidden("Not authorized to delete this post") post.delete()

undefined

@login_required def delete_post(post_id): post = Post.get(post_id) if post.author_id != current_user.id and not current_user.is_admin: raise Forbidden("Not authorized to delete this post") post.delete()

undefined

Secrets Management

密钥管理

bash

undefined

bash

undefined

WRONG - Hardcoded secrets

API_KEY = "sk-1234567890abcdef"

CORRECT - Environment variables

API_KEY = os.environ["API_KEY"]

BETTER - Secrets manager

API_KEY = secrets_client.get_secret("api-key")

undefined

API_KEY = secrets_client.get_secret("api-key")

undefined

Secret Handling Rules

密钥处理规则

DO:
- Use environment variables or secrets manager
- Rotate secrets regularly
- Use different secrets per environment
- Audit secret access

DON'T:
- Commit secrets to git
- Log secrets
- Include secrets in error messages
- Share secrets in plain text

应当：
- 使用环境变量或密钥管理工具
- 定期轮换密钥
- 不同环境使用不同密钥
- 审计密钥访问记录

禁止：
- 将密钥提交到git仓库
- 记录密钥信息
- 在错误信息中包含密钥
- 明文分享密钥

Security Headers

安全响应头

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()

Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()

Quick Security Audit

快速安全审计

bash

undefined

bash

undefined

Find hardcoded secrets

rg -i "(password|secret|api_key|token)\s*=\s*['"][^'"]+['"]" --type py

Find SQL injection risks

rg "execute(f['"]|format(" --type py

Find eval/exec usage

rg "\b(eval|exec)\s*(" --type py

Check for TODO security items

rg -i "TODO.*security|FIXME.*security"

undefined

rg -i "TODO.*security|FIXME.*security"

undefined

Additional Resources

额外资源

```
./references/owasp-detailed.md
```
- Full OWASP Top 10 details
```
./references/auth-patterns.md
```
- JWT, OAuth, session management
```
./references/crypto-patterns.md
```
- Encryption, hashing, signatures
```
./references/secure-headers.md
```
- HTTP security headers guide

```
./references/owasp-detailed.md
```
- OWASP Top 10 详细说明
```
./references/auth-patterns.md
```
- JWT、OAuth、会话管理
```
./references/crypto-patterns.md
```
- 加密、哈希、签名
```
./references/secure-headers.md
```
- HTTP安全响应头指南

Scripts

脚本工具

```
./scripts/security-scan.sh
```
- Quick security grep patterns
```
./scripts/dependency-audit.sh
```
- Check for vulnerable dependencies

```
./scripts/security-scan.sh
```
- 快速安全 grep 扫描规则
```
./scripts/dependency-audit.sh
```
- 检查易受攻击的依赖项

security-patterns

Original

Translation

Security Patterns

安全模式

OWASP Top 10 Quick Reference

OWASP Top 10 速查参考

Input Validation

输入验证

WRONG - Trust user input

WRONG - Trust user input

CORRECT - Parameterized query

CORRECT - Parameterized query

Validation Rules

验证规则

Output Encoding

输出编码

Encoding by Context

按场景选择编码方式

Authentication

身份认证

Password hashing (use bcrypt, argon2, or scrypt)

Password hashing (use bcrypt, argon2, or scrypt)

Auth Checklist

身份认证检查清单

Authorization

授权

WRONG - Check only authentication

WRONG - Check only authentication

CORRECT - Check authorization

CORRECT - Check authorization

Secrets Management

密钥管理

WRONG - Hardcoded secrets

WRONG - Hardcoded secrets

CORRECT - Environment variables

CORRECT - Environment variables

BETTER - Secrets manager

BETTER - Secrets manager

Secret Handling Rules

密钥处理规则

Security Headers

安全响应头

Quick Security Audit

快速安全审计

Find hardcoded secrets

Find hardcoded secrets

Find SQL injection risks

Find SQL injection risks

Find eval/exec usage

Find eval/exec usage

Check for TODO security items

Check for TODO security items

Additional Resources

额外资源

Scripts

脚本工具