Web Security

We treat web security as a core requirement, not an afterthought. Assume hostile input and untrusted environments by default.
Core Principles

- NEVER trust user input, whether it arrives in a request body, a header, a cookie, a URL or an uploaded file.
- ALWAYS validate and sanitize data at trust boundaries (request handlers, queue consumers, file parsers), rejecting anything outside an explicit allowlist rather than trying to strip known-bad patterns.
- Prefer secure defaults over configurability: a feature that must be switched on to be safe will ship switched off somewhere.
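An added example of validating at the boundary (not code from the original skill page): a request-body validator for a hypothetical "create user" endpoint that applies an allowlist per field, rejects unknown fields (which also blocks mass-assignment of fields like `isAdmin` and `__proto__` keys from `JSON.parse`), and returns a fresh object so nothing from the raw input flows through untouched. Field names, limits and the sample inputs are assumptions made for the example.

```javascript
// Added example: allowlist validation of an untrusted JSON body at the API boundary.
// The endpoint shape (username/email/role) and limits are assumptions for illustration.
const USERNAME_RE = /^[a-z0-9_]{3,32}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const ROLES = new Set(['viewer', 'editor']);          // explicit allowlist, no 'admin'
const ALLOWED_FIELDS = new Set(['username', 'email', 'role']);

function validateCreateUser(input) {
  const errors = [];
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  // Unknown fields are rejected outright: this is what stops a client from
  // smuggling in isAdmin, or an own "__proto__" key produced by JSON.parse.
  for (const key of Object.keys(input)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  if (typeof input.username !== 'string' || !USERNAME_RE.test(input.username)) {
    errors.push('username: 3-32 chars, [a-z0-9_] only');
  }
  if (typeof input.email !== 'string' || input.email.length > 254 || !EMAIL_RE.test(input.email)) {
    errors.push('email: invalid');
  }
  const role = input.role === undefined ? 'viewer' : input.role;   // secure default
  if (!ROLES.has(role)) errors.push('role: must be viewer or editor');
  if (errors.length) return { ok: false, errors };
  // Return a new object built only from validated fields, never the raw input.
  return { ok: true, value: { username: input.username, email: input.email, role } };
}

// Constructed sample inputs; the third one mimics a client adding a privilege field.
const GOOD_BODY = { username: 'alice', email: 'a@example.com' };
const BAD_BODY = { username: 'a', email: 'not-an-email' };
const SMUGGLED_BODY = JSON.parse('{"username":"alice","email":"a@example.com","isAdmin":true}');
```

The validator never "cleans up" a bad value into a good one; it rejects, which is the behaviour you want at a boundary. Sanitizing (output encoding) belongs where the value is rendered, not here.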
XSS & Injection

- AVOID dangerouslySetInnerHTML and raw HTML injection; if rendering untrusted HTML is unavoidable, pass it through an allowlist-based sanitizer first.
- Escape and encode dynamic content for the context it lands in: HTML text, HTML attribute, URL, CSS and JavaScript each need a different encoder.
- Never interpolate untrusted data into HTML, CSS or JS contexts by string concatenation; let the framework's default (escaping) rendering path do the work.
- Prevent SQL injection with parameterized queries or prepared statements; never build SQL by concatenating untrusted strings.
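An added example of context-specific output encoding (not code from the original skill page). It places one untrusted value into three contexts, HTML text, a quoted HTML attribute and a JavaScript string inside a `<script>` block, first by raw interpolation (the same effect as `dangerouslySetInnerHTML` with untrusted input) and then with the encoder each context needs. The payload and the template are constructed for the example; SQL is not shown, but the same data/code separation there is the driver's parameter placeholders.

```javascript
// Added example: encode untrusted data per output context instead of concatenating it.
// Template, field name and payload are assumptions constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text and quoted-attribute contexts: escape the five significant characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JS-string context inside a <script> block: JSON-encode, then escape the characters
// that would still let the value close the </script> tag or break the JS parser.
function encodeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable: the value is spliced into markup and script as-is.
function renderUnsafe(name) {
  return `<div title="${name}">Hello ${name}</div>` +
    `<script>var user = "${name}";</script>`;
}

// Hardened: each insertion point uses the encoder for its own context.
function renderSafe(name) {
  return `<div title="${escapeHtml(name)}">Hello ${escapeHtml(name)}</div>` +
    `<script>var user = ${encodeForScript(name)};</script>`;
}

// Constructed payload: closes the attribute and injects an element with an event handler.
const PAYLOAD = '"><img src=x onerror=alert(1)>';
```

Note that `escapeHtml` is not enough for URL contexts (`href`, `src`), where a `javascript:` scheme survives HTML escaping; those need scheme allowlisting on top of encoding.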
Authentication & Authorization

- Do not store secrets or tokens in insecure locations (source control, client-side bundles, URLs, plain-text logs).
- AVOID localStorage and sessionStorage for session tokens and other credentials: any script running on the page, including an injected one, can read them.
- Use HttpOnly, Secure, SameSite cookies for session identifiers where applicable; HttpOnly keeps the value out of reach of scripts.
- Always enforce authentication and authorization on the server, per request and per object; client-side checks only shape the UI and are trivially bypassed.
Browser Security APIs

- Respect CORS, CSP and the same-origin policy; do not work around browser security boundaries (for example by reflecting arbitrary Origin values on credentialed responses).
- Use Content Security Policy to restrict where scripts, styles, frames and other resources may load from and whether inline code may run.
- Avoid inline scripts and styles, or attach per-response nonces (or hashes) to them, so CSP can be deployed without 'unsafe-inline'.
Data Handling

- Minimize data exposure: collect, return and retain only the fields a feature needs.
- Do not log sensitive information (credentials, tokens, session identifiers, personal data); redact it before it reaches the log sink.
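An added example (not code from the original skill page) of redacting before logging: a small structured logger that masks values under sensitive key names at any nesting depth and scrubs bearer tokens embedded in free-text strings, so a request object can be logged without leaking credentials. The key-name list, the token pattern and the sample event are assumptions constructed for the example.

```javascript
// Added example: redact secrets in structured log fields before they reach the sink.
// Key names, the bearer-token pattern and the sample event are assumptions.
const SENSITIVE_KEYS = /^(password|passwd|secret|token|authorization|cookie|set-cookie|api[-_]?key|ssn|card(?:number)?)$/i;
const BEARER_RE = /\b(Bearer)\s+[A-Za-z0-9._~+/=-]{8,}/g;

function redact(value, depth = 0) {
  if (depth > 16) return '[depth-limit]';                       // guard against cyclic input
  if (typeof value === 'string') return value.replace(BEARER_RE, '$1 [REDACTED]');
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value instanceof Date) return value;
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      // Mask by key name regardless of the value's shape; recurse otherwise.
      out[k] = SENSITIVE_KEYS.test(k) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Serialize one event as a JSON line after redaction; `sink` stands in for stdout or a log shipper.
function logEvent(sink, event, fields) {
  const line = JSON.stringify({ ts: new Date().toISOString(), event, ...redact(fields) });
  sink.push(line);
  return line;
}

// Constructed sample event: what a careless "log the whole request" call would emit.
const SAMPLE_EVENT = {
  user: 'alice',
  password: 'hunter2',
  headers: { Authorization: 'Bearer eyJabc.def.ghi', 'X-Request-Id': 'req-42' },
  note: 'reproduced with: curl -H "Authorization: Bearer abcdefghij"',
};
```

Redaction is a backstop, not a substitute for logging less: log identifiers (request id, user id) and outcomes, not whole request or response bodies.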
Dependencies & Supply Chain

- Avoid unnecessary packages; every dependency, including its transitive dependencies, runs with your application's privileges.
- Treat third-party code as untrusted input: pin versions with a lockfile, verify integrity hashes, and review what install scripts do before allowing them.
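An added example (not code from the original skill page) of treating the dependency tree as input to be checked: a pre-install audit over a `package-lock.json` (lockfileVersion 3 layout, where `packages` maps `node_modules/...` paths to entries with `resolved`, `integrity` and, when npm detected one, `hasInstallScript`) that flags anything not pinned to a sha512 integrity hash, anything resolved outside the expected registry, and anything that runs install scripts. The lockfile content and the allowed registry are constructed for the example.

```javascript
// Added example: audit a package-lock.json before `npm ci`. Registry and sample lock are assumptions.
const ALLOWED_REGISTRY = 'https://registry.npmjs.org/';
const SHA512_INTEGRITY = /^sha512-[A-Za-z0-9+/]+=*$/;   // single-hash form; multi-hash lists need splitting

function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || pkg.link) continue;                 // root project / workspace symlink
    const name = path.replace(/^.*node_modules\//, '');
    if (!pkg.resolved) { findings.push(`${name}: no resolved URL`); continue; }
    if (!pkg.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push(`${name}: resolved outside registry: ${pkg.resolved}`);
    }
    if (!SHA512_INTEGRITY.test(pkg.integrity || '')) {
      findings.push(`${name}: missing or weak integrity hash`);
    }
    if (pkg.hasInstallScript) {
      findings.push(`${name}: runs install scripts (review before allowing)`);
    }
  }
  return findings;
}

// Constructed lockfile: "a" is clean, "b" has three problems, "c" lacks an integrity hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { a: '1.0.0', b: '0.1.0', c: '2.0.0' } },
    'node_modules/a': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/a/-/a-1.0.0.tgz',
      integrity: 'sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==',
    },
    'node_modules/b': {
      version: '0.1.0',
      resolved: 'https://example.invalid/b-0.1.0.tgz',
      integrity: 'sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk=',
      hasInstallScript: true,
    },
    'node_modules/c': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/c/-/c-2.0.0.tgz',
    },
  },
};
```

Run this in CI before `npm ci --ignore-scripts`, and treat a non-empty findings list as a build failure; packages that genuinely need install scripts get an explicit, reviewed exception rather than a blanket allowance.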
General Principles

- Simplicity reduces attack surface.
- If unsure, choose the more restrictive option.