【正文】 720魏建雄 00222906謝和坤 00197709李田 00042091孫波 00175839王偉 00207440陳偉 00141500增加“規(guī)則、規(guī)則、規(guī)則、建議、 PHP”增加“ RESTful Web 4 / 37規(guī)范號 主要起草部門專家 主要評審部門專家 修訂情況朱雙紅 00051429 Service”修改“規(guī)則、規(guī)則、規(guī)則、規(guī)則”刪除“ 口令策略”和“規(guī)則、規(guī)則、規(guī)則”附件文檔作為對象直接插入主文檔5 / 37目 錄 Table of Contents1 概述 ...........................................................................................................................................7 背景簡介 ...................................................................................................................................7 技術(shù)框架 ...................................................................................................................................8 使用對象 ...................................................................................................................................9 適用范圍 ...................................................................................................................................9 用詞約定 ...................................................................................................................................92 常見WEB安全漏洞 ...............................................................................................................103 WEB設(shè)計安全規(guī)范 ...............................................................................................................11 WEB部署要求 .........................................................................................................................11 身份驗證 .................................................................................................................................12 口令 ..............................................................................................................12 認(rèn)證 ..............................................................................................................12 驗證碼 ..........................................................................................................15 會話管理 .................................................................................................................................16 權(quán)限管理 .................................................................................................................................17 敏感數(shù)據(jù)保護 .........................................................................................................................18 敏感數(shù)據(jù)定義 ..............................................................................................18 敏感數(shù)據(jù)存儲 ..............................................................................................18 敏感數(shù)據(jù)傳輸 ..............................................................................................20 安全審計 .................................................................................................................................21 WEB SERVICE .........................................................................................................................22 RESTFUL WEB SERVICE........................................................................................................23 DWR .......................................................................................................................................244 WEB編程安全規(guī)范 ...............................................................................................................25 輸入校驗 .................................................................................................................................25 輸出編碼 .................................................................................................................................30 上傳下載 .................................................................................................................................306 / 37 異常處理 .................................................................................................................................31 代碼注釋 .................................................................................................................................31 歸檔要求 .................................................................................................................................32 其他 .........................................................................................................................................33 PHP.........................................................................................................................................345 WEB安全配置規(guī)范 ...............................................................................................................366 配套CBB介紹 ........................................................................................................................37 WAF CBB...............................................................................................................................37 驗證碼CBB .............................................................................................................................387 附件 .........................................................................................................................................38 附件1 TOMCAT配置SSL指導(dǎo) ................................................................................................38 附件2 WEB SERVICE 安全接入開發(fā)指導(dǎo) .............................................................................38 附件3 客戶端IP 鑒權(quán)實施指導(dǎo) .............................................................................................38 附件4 口令安全要求 .............................................................................................................38 附件5 WEB權(quán)限管理設(shè)計規(guī)格說明書 ..................................................................................397 / 37Web 應(yīng)用安全開發(fā)規(guī)范 1 概述 背景簡介在 Inter 大眾化及 Web 技術(shù)飛速演變的今天，Web 安全所面臨的挑戰(zhàn)日益嚴(yán)峻。本規(guī)范就是提供一套完善的、系統(tǒng)化的、實用的 Web 安全開發(fā)方法供 Web 研發(fā)人員使用，以