Check items marked with (*) are fundamental solutions to the problem in question; make every effort to implement them. Items without (*) do not eliminate the underlying vulnerability on their own; they are supplementary measures that reduce the likelihood or the damage of a security problem.
SQL injection
(*) Use the database's variable-binding facility (prepared statements with placeholders) when assembling SQL statements.
(*) If the database or driver does not provide variable binding, escape every variable that is inserted into the SQL statement.
Do not display database error messages verbatim in the browser.
Grant the database user that the application connects with only the permissions it actually needs.
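The login query below, written three ways, shows why the two (*) items differ in kind. This is an added example, not code from the original checklist; it uses Python's sqlite3 module and a constructed in-memory users table (the names, passwords and roles are made up for the demo).

```python
"""Added example (not from the original checklist): the same login query
assembled by concatenation, by variable binding, and by escaping, run
against a constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data for the demo. Passwords are stored in clear text
# only to keep the injection demonstration short; never do this for real.
SAMPLE_USERS = [
    ("alice", "s3cret", "user"),
    ("admin", "hunter2", "admin"),
]


def setup_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: the input becomes part of the SQL syntax, so a
    password of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_bound(conn, name, password):
    """(*) Variable binding: '?' placeholders in the statement, values passed
    separately. The driver hands the values to the engine as data, so quotes
    inside them have no syntactic meaning."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def sql_string_literal(value):
    """(*) Fallback when no binding exists: make a quoted SQL string literal
    by doubling every single quote (the standard SQL rule). This is only
    correct inside a quoted string literal; numeric values and identifiers
    need their own validation, which is why binding is preferred."""
    return "'" + str(value).replace("'", "''") + "'"


def login_escaped(conn, name, password):
    sql = ("SELECT name, role FROM users WHERE name = %s AND password = %s"
           % (sql_string_literal(name), sql_string_literal(password)))
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "alice", payload))  # every row
    print("bound:     ", login_bound(conn, "alice", payload))       # []
    print("escaped:   ", login_escaped(conn, "alice", payload))     # []
```

With the payload as the password, the concatenated query returns every user, while both the bound and the escaped versions return nothing, because the quote in the payload never reaches the SQL parser as syntax.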
Operating system command injection
(*) Avoid using language features that can start shell commands. If shell commands must be started, check every variable that goes into the function's arguments so that only the intended operation can be performed.
Unchecked pathname parameters / directory traversal
(*) Do not use parameters passed in from outside directly as file names.
(*) Confine file-opening operations to a fixed directory and forbid file names that contain a path (directory separators or "..").
Set correct access permissions for the files on the web server.
Check file names.
Session management
(*) Use values that are infeasible to guess as session IDs.
(*) Do not put the session ID in the URL.
(*) Set the Secure attribute on cookies used over HTTPS.
(*) Start a new session after a successful login.
(*) After a successful login, generate a secret value in addition to the session ID and check it on every page access.
Do not use a fixed value as the session ID.
When storing the session ID in a cookie, set an expiration time.
Cross-site scripting (XSS)
Solution when HTML input is not allowed
(*) Escape everything that is output to the page.
(*) When outputting a URL, allow only URLs that begin with "http://" or "https://".
(*) Do not generate the contents of <script>…</script> dynamically.
(*) Do not load style sheets from external websites.
Solution when HTML input is allowed (checking the input)
(*) Parse the input HTML into a parse tree and output only the non-script parts of it.
Delete the dangerous strings from the input HTML with a script (a blacklist approach).
General solution
(*) Explicitly set the charset attribute of the Content-Type header in the HTTP response, so the browser does not guess the encoding.
To limit the damage from cookie theft, disable the TRACE method and set the HttpOnly attribute on all cookies.
Cross-site request forgery (CSRF)
(*) Access all pages via POST. Generate a random value and embed it in a hidden field of the previous page; the page that processes the submission checks that value and executes only if it is correct.
(*) Require the user to enter the password again before executing the business operation.
(*) Check that the Referer header is correct, and perform important operations only when it is.
Send an email to a preset address when important operations are performed.
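The XSS and CSRF items above all act at the same place, the code that renders a form and the handler that receives its POST, so one example covers both sections. This is an added example, not code from the original checklist. It assumes a site origin of https://example.com, a plain dict standing in for the server-side session store, and a hypothetical /profile form; the Referer check treats a missing header as a failure, which is the conservative reading of the checklist item.

```python
"""Added example (not from the original checklist): rendering a form and
handling its POST the way the XSS and CSRF sections prescribe."""
import hmac
import html
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumed origin of this site


def escape_html(value):
    """(*) Escape everything output into HTML text or a quoted attribute."""
    return html.escape(str(value), quote=True)


def safe_href(url):
    """(*) Allow only http:// and https:// URLs. javascript:, data:,
    vbscript: and scheme-relative URLs all fall through to a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return escape_html(url)


def issue_csrf_token(session):
    """(*) Random, unguessable value stored in the session and embedded in a
    hidden field of the page that precedes the POST."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_profile_form(session, display_name, homepage):
    """Every dynamic value goes through escape_html or safe_href."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/profile">'
        f'<input type="hidden" name="csrf_token" value="{escape_html(token)}">'
        f'<input name="display_name" value="{escape_html(display_name)}">'
        f'<a href="{safe_href(homepage)}">homepage</a>'
        "<button>Save</button></form>"
    )


def csrf_token_ok(session, form):
    """(*) The POST handler runs only when the submitted token matches the
    one in the session. Constant-time comparison over bytes, so that a
    non-ASCII submission cannot raise and leak a different error path."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def referer_ok(headers):
    """(*) Referer check: the request must come from a page of this site.
    An absent Referer is rejected here (assumption; see the lead-in)."""
    referer = headers.get("Referer", "")
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")


def handle_profile_post(session, headers, form):
    """Execute the state change only when both CSRF checks pass."""
    if not (csrf_token_ok(session, form) and referer_ok(headers)):
        return False
    session["display_name"] = form.get("display_name", "")
    return True


if __name__ == "__main__":
    session = {}
    # Constructed hostile input for both the attribute and the URL context.
    print(render_profile_form(session, '"><script>alert(1)</script>',
                              "javascript:alert(1)"))
```

The hidden token is random per render and bound to the session, so a forged cross-site form cannot know it; the Referer check is the second (*) item and is applied independently, so either failing blocks the operation.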
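For the OS command injection and directory traversal sections above, the following added example (not code from the original checklist) shows a file-size lookup written both ways: a shell string built from the user-supplied name, and the argument-list form with a validated, confined file name. It uses wc as a stand-in for any external program, and builds its own temporary directory with a constructed 12-byte file and a symlink that points outside that directory.

```python
"""Added example (not from the original checklist): OS command and file
name handling per the checklist, demonstrated against a constructed
temporary directory."""
import os
import re
import subprocess
import tempfile

# Allowlist for a file name: starts with a letter, digit or underscore,
# no path separators, no "..", bounded length. Leading "." and "-" are out.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def validate_name(name):
    """(*) Reject anything that is not a plain file name."""
    if not SAFE_NAME.match(name):
        raise ValueError("illegal file name: %r" % name)
    return name


def resolve_in_dir(base_dir, name):
    """(*) Confine the file to base_dir: build the path from the validated
    name only, resolve symlinks, then require the result to be a direct
    child of base_dir (this is what catches a symlink pointing outside)."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, validate_name(name)))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes base directory: %r" % name)
    return path


def accepts(base_dir, name):
    """True if 'name' passes validation and confinement for base_dir."""
    try:
        resolve_in_dir(base_dir, name)
        return True
    except ValueError:
        return False


def count_bytes_vulnerable(base_dir, name):
    """Shell string concatenation: shell metacharacters in 'name' run as
    commands. Returns the shell's stdout so the effect is visible."""
    result = subprocess.run("wc -c " + os.path.join(base_dir, name),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def count_bytes(base_dir, name):
    """Argument list, no shell, validated and confined path. The '--' is
    defence in depth: it stops a name starting with '-' being an option."""
    path = resolve_in_dir(base_dir, name)
    result = subprocess.run(["wc", "-c", "--", path],
                            capture_output=True, text=True, check=True)
    return int(result.stdout.split()[0])


def make_demo_dir():
    """Constructed fixture: an 'uploads' directory holding one 12-byte file
    and a symlink that escapes to the directory above it."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.mkdir(base)
    with open(os.path.join(base, "report.txt"), "w") as f:
        f.write("hello world\n")
    os.symlink(root, os.path.join(base, "escape"))
    return base


if __name__ == "__main__":
    base = make_demo_dir()
    print(count_bytes(base, "report.txt"))                       # 12
    print(count_bytes_vulnerable(base, "x; echo PWNED"))         # PWNED
    for name in ("../report.txt", "x; echo PWNED", "escape", ".."):
        print(name, accepts(base, name))                         # all False
```

The allowlist rejects the traversal and command payloads before any path is built, and the realpath comparison rejects the symlink even though its name is perfectly clean, which is why the checklist lists both the name check and the fixed-directory confinement.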
HTTP header injection
(*) Do not output HTTP headers directly; use the header output API provided by the runtime environment.
(*) When that API cannot be used, reject line breaks in any header value assembled from input.
Delete line breaks from all external input.
Mail header injection (third-party relay: the site is abused to send mail to addresses chosen by the attacker)
(*) Do not use external parameters as email header fields.
When external parameters must be used to set header fields, delete the dangerous characters.
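The HTTP header and mail header items come down to one check, so one added example (not code from the original checklist) serves both sections: a line-break check applied to a redirect's Location header and to a mail To header, next to the unchecked version so the injected extra header is visible. The payloads are constructed; the header block format is written out by hand here, whereas in practice the runtime's header API does this and, in Python's http.client for instance, already refuses such values.

```python
"""Added example (not from the original checklist): rejecting line breaks in
header values, for HTTP responses and for mail headers alike."""
import re

# CR, LF and NUL: the characters that can terminate a header line or string.
CONTROL = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a header value would start a new header line."""


def checked_header_value(value):
    """(*) Reject, rather than repair, values containing CR, LF or NUL."""
    if CONTROL.search(value):
        raise HeaderInjection("line break in header value: %r" % value)
    return value


def stripped_header_value(value):
    """Non-(*) fallback: delete the line breaks. Blocks the injection but
    silently alters the data, so prefer rejecting."""
    return CONTROL.sub("", value)


def format_headers(status_line, headers):
    """Serialise (name, value) pairs the way a response header block looks."""
    return status_line + "\r\n" + "".join(
        "%s: %s\r\n" % (name, value) for name, value in headers) + "\r\n"


def redirect_response_vulnerable(location):
    """Location taken straight from input: a CRLF inside it yields a second,
    attacker-chosen header (constructed demo, not a runtime API)."""
    return format_headers("HTTP/1.1 302 Found", [("Location", location)])


def redirect_response(location):
    """(*) Same response with the value checked first."""
    return format_headers("HTTP/1.1 302 Found",
                          [("Location", checked_header_value(location))])


def mail_headers(to_addr, subject):
    """(*) Mail header fields built from form input, each value checked, so
    a To value carrying a CRLF cannot smuggle in a Bcc field."""
    fields = [("To", to_addr), ("Subject", subject)]
    return "".join("%s: %s\r\n" % (name, checked_header_value(value))
                   for name, value in fields)


def header_lines(raw):
    """Split a header block into its non-empty lines, for inspection."""
    return [line for line in raw.split("\r\n") if line]


def attempt(fn, *args):
    """Return (accepted, result) so a caller can see whether the value was
    rejected without catching the exception itself."""
    try:
        return True, fn(*args)
    except HeaderInjection:
        return False, None


if __name__ == "__main__":
    # Constructed payloads.
    loc = "/home\r\nSet-Cookie: session=attacker"
    to = "victim@example.com\r\nBcc: attacker@example.com"
    print(header_lines(redirect_response_vulnerable(loc)))  # 3 lines, one injected
    print(attempt(redirect_response, loc))                  # (False, None)
    print(attempt(mail_headers, to, "hello"))               # (False, None)
```

Rejection is the (*) item because it keeps the input and the decision visible; stripping (the non-(*) item) produces a value like "victim@example.comBcc: attacker@example.com", which is no longer what the user typed and is only safe by accident of the deletion.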
Copyright statement: this article may be reprinted freely, but the original author, Charlee, must be credited when it is reprinted.
Original link: http://tech.idv2.com/2008/04/19/secure-website-checklist/
For concrete, application-specific measures, see: PHP Practice Security Checklist