security
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSecurity
安全
Security Checklist
安全检查清单
Security Basics:
- [ ] Authentication required for protected routes
- [ ] Passwords hashed (bcrypt/argon2), never stored plain text
- [ ] API keys in environment variables, not code
- [ ] HTTPS only in production
- [ ] Input validated on server side
- [ ] SQL injection prevented (use parameterized queries)
- [ ] XSS prevented (sanitize user input)
- [ ] CSRF tokens on forms
- [ ] Rate limiting on API endpoints
- [ ] User sessions expire (30min-1hr typical)See COMMON-VULNS.md for detailed checks.
Security Basics:
- [ ] 受保护路由需身份验证
- [ ] 密码已哈希处理(bcrypt/argon2),绝不明文存储
- [ ] API密钥存储在环境变量中,而非代码里
- [ ] 生产环境仅使用HTTPS
- [ ] 服务器端验证输入
- [ ] 防止SQL注入(使用参数化查询)
- [ ] 防止XSS攻击(清理用户输入)
- [ ] 表单添加CSRF令牌
- [ ] API端点设置速率限制
- [ ] 用户会话自动过期(通常30分钟-1小时)查看COMMON-VULNS.md获取详细检查项。
Critical: Never Store These in Code
关键注意事项:绝不要在代码中存储这些内容
Move to environment variables:
- Database passwords
- API keys (Stripe, SendGrid, etc)
- JWT secrets
- OAuth client secrets
- Encryption keys
Tell AI:
Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEY转移到环境变量中:
- 数据库密码
- API密钥(Stripe、SendGrid等)
- JWT密钥
- OAuth客户端密钥
- 加密密钥
告知AI:
Store API keys in .env file, not in code.
Add .env to .gitignore.
Access via process.env.API_KEYAuthentication Basics
身份验证基础
Minimum requirements:
- Passwords: 8+ chars, require number/symbol
- Hash passwords (bcrypt with 10+ rounds)
- Email verification for signups
- Password reset via email only
- Sessions expire (30-60 min idle)
- Logout clears session completely
Tell AI:
Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbolSee SECURITY-PROMPTS.md for implementation details.
最低要求:
- 密码:8位以上,需包含数字/符号
- 密码哈希处理(bcrypt使用10+轮次)
- 注册需邮箱验证
- 仅通过邮箱重置密码
- 会话超时(闲置30-60分钟)
- 登出完全清除会话
告知AI:
Add authentication:
- bcrypt for password hashing (12 rounds)
- Email verification required
- Session timeout: 30 minutes
- Password requirements: 8+ chars, 1 number, 1 symbol查看SECURITY-PROMPTS.md获取实现细节。
Data Protection
数据保护
Always encrypt:
- Passwords (hashed, not encrypted)
- Payment info (use Stripe, don't store cards)
- Personal identifiable information (PII)
Never log:
- Passwords (even hashed)
- Credit card numbers
- API keys
- Session tokens
Tell AI:
Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.始终加密:
- 密码(哈希处理,而非加密)
- 支付信息(使用Stripe,勿存储卡片信息)
- 个人可识别信息(PII)
绝不记录:
- 密码(即使是哈希后的)
- 信用卡号
- API密钥
- 会话令牌
告知AI:
Never log sensitive data.
Replace passwords/tokens with "[REDACTED]" in logs.API Security
API安全
Required for all API endpoints:
- Authentication check
- Rate limiting (prevent abuse)
- Input validation
- Error messages don't leak info
Tell AI:
Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)所有API端点的要求:
- 身份验证检查
- 速率限制(防止滥用)
- 输入验证
- 错误信息不泄露敏感内容
告知AI:
Add to all API routes:
- Require valid auth token
- Rate limit: 100 requests/minute per IP
- Validate all inputs (reject invalid)
- Generic error messages (no stack traces to users)Common Vulnerabilities
常见漏洞
Most common in AI-built apps:
- Exposed API keys - In code instead of .env
- No rate limiting - APIs can be spammed
- Missing auth checks - Routes accessible without login
- SQL injection - Raw SQL with user input
- XSS attacks - Unescaped user content displayed
See COMMON-VULNS.md for how to check.
AI构建应用中最常见的漏洞:
- API密钥暴露 - 存储在代码中而非.env
- 无速率限制 - API可能被垃圾请求攻击
- 缺失身份验证检查 - 无需登录即可访问路由
- SQL注入 - 使用用户输入拼接原始SQL
- XSS攻击 - 未转义的用户内容被展示
查看COMMON-VULNS.md了解检查方法。
Security Prompts for AI
用于AI的安全提示词
Adding authentication:
Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.Rate limiting:
Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixedInput validation:
Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error messageSee SECURITY-PROMPTS.md for more.
添加身份验证:
Add authentication to this route.
Require valid JWT token.
Return 401 if missing/invalid.
Don't expose error details.速率限制:
Add rate limiting:
- 100 requests/minute per IP
- Return 429 "Too many requests" if exceeded
- Use sliding window, not fixed输入验证:
Validate all user inputs:
- Email: valid format
- Password: 8+ chars, 1 number, 1 symbol
- Username: alphanumeric only, 3-20 chars
Reject invalid input with clear error message查看SECURITY-PROMPTS.md获取更多内容。
Pre-Launch Security Review
上线前安全审查
Before deploying:
Production Security:
- [ ] All secrets in environment variables
- [ ] HTTPS enforced (no HTTP)
- [ ] Database backups configured
- [ ] Rate limiting on all APIs
- [ ] Error pages don't show stack traces
- [ ] Admin routes protected
- [ ] File uploads validated (type, size)
- [ ] CORS configured (not wildcard "*")部署前检查:
Production Security:
- [ ] 所有密钥存储在环境变量中
- [ ] 强制使用HTTPS(禁止HTTP)
- [ ] 配置数据库备份
- [ ] 所有API设置速率限制
- [ ] 错误页面不显示堆栈跟踪
- [ ] 管理员路由受保护
- [ ] 文件上传已验证(类型、大小)
- [ ] CORS已配置(非通配符"*")When to Get Security Audit
何时需要安全审计
Signs you need expert review:
- Handling payments directly (not Stripe)
- Storing health/financial data
- Multi-tenant with data isolation
- Over 1,000 users
- Processing sensitive PII
For most MVPs: Following this checklist is sufficient.
需要专家审查的迹象:
- 直接处理支付(而非使用Stripe)
- 存储健康/财务数据
- 多租户架构且需数据隔离
- 用户量超过1000
- 处理敏感个人可识别信息
**对于大多数MVP:**遵循本检查清单已足够。
Common Founder Mistakes
创始人常见错误
| Mistake | Fix |
|---|---|
| API keys in code | Move to .env |
| No rate limiting | Add to all endpoints |
| Plain text passwords | Use bcrypt |
| HTTP in production | Force HTTPS |
| Accepting all CORS | Whitelist domains |
| No input validation | Validate server-side |
| Detailed error messages | Generic messages only |
| 错误 | 修复方案 |
|---|---|
| API密钥在代码中 | 转移到.env |
| 无速率限制 | 为所有端点添加 |
| 明文密码 | 使用bcrypt |
| 生产环境使用HTTP | 强制HTTPS |
| 接受所有CORS请求 | 白名单域名 |
| 无输入验证 | 服务器端验证 |
| 详细错误信息 | 仅使用通用信息 |
Quick Wins
快速优化项
Easy security improvements:
- Add Helmet.js (Node) - Sets security headers
- Use HTTPS everywhere - Force in production
- Add rate limiting - Prevents abuse
- Environment variables - Keep secrets safe
- Update dependencies - Fix known vulnerabilities
Tell AI:
Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).简单的安全改进:
- 添加Helmet.js(Node)- 设置安全头
- 全链路使用HTTPS - 生产环境强制启用
- 添加速率限制 - 防止滥用
- 环境变量 - 安全存储密钥
- 更新依赖 - 修复已知漏洞
告知AI:
Add helmet.js for security headers.
Configure for production (HTTPS, CSP, XSS protection).Testing Security
安全测试
Quick checks:
Exposed secrets:
bash
grep -r "api_key" src/
grep -r "password" src/快速检查:
密钥暴露检查:
bash
grep -r "api_key" src/
grep -r "password" src/Should only find references to env vars
应仅找到环境变量的引用
**No auth bypass:**
- Try accessing protected routes without login
- Should redirect to login or return 401
**Rate limiting works:**
- Hit API endpoint 100 times quickly
- Should get 429 error
---
**身份验证绕过检查:**
- 尝试无需登录访问受保护路由
- 应重定向到登录页或返回401
**速率限制有效性检查:**
- 快速调用API端点100次
- 应收到429错误
---Success Looks Like
成功标准
✅ No secrets in code (all in .env)
✅ Can't access protected routes without auth
✅ Passwords hashed, never stored plain text
✅ Rate limiting prevents abuse
✅ HTTPS enforced in production
✅ Input validated on server side
✅ Can't access protected routes without auth
✅ Passwords hashed, never stored plain text
✅ Rate limiting prevents abuse
✅ HTTPS enforced in production
✅ Input validated on server side
✅ 代码中无密钥(全部存储在.env)
✅ 未登录无法访问受保护路由
✅ 密码已哈希处理,绝不明文存储
✅ 速率限制可防止滥用
✅ 生产环境强制HTTPS
✅ 服务器端验证输入
✅ 未登录无法访问受保护路由
✅ 密码已哈希处理,绝不明文存储
✅ 速率限制可防止滥用
✅ 生产环境强制HTTPS
✅ 服务器端验证输入