name: 安全实现指南 description: 用于认证、授权、输入验证和常见漏洞预防的全面安全模式 license: MIT metadata: adapted-by: ai-skills category: 安全
安全实现指南
用于Web应用程序的生产就绪安全模式。
输入验证
净化
import DOMPurify from 'isomorphic-dompurify';
function sanitizeHTML(dirty: string): string {
return DOMPurify.sanitize(dirty, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
ALLOWED_ATTR: []
});
}
// SQL注入预防 - 使用参数化查询
const result = await db.query(
'SELECT * FROM users WHERE email = $1',
[email] // 切勿直接插值!
);
XSS预防
// React自动转义
<div>{userInput}</div> // 安全
// 危险 - 避免使用dangerouslySetInnerHTML
<div dangerouslySetInnerHTML={{ __html: sanitizeHTML(userInput) }} />
// 设置安全头
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
}
}
}));
认证
密码哈希
import bcrypt from 'bcrypt'; // allow-secret
async function hashPassword(password: string): Promise<string> { // allow-secret
const saltRounds = 12;
return bcrypt.hash(password, saltRounds); // allow-secret
}
async function verifyPassword(password: string, hash: string): Promise<boolean> { // allow-secret
return bcrypt.compare(password, hash); // allow-secret
}
速率限制
import rateLimit from 'express-rate-limit';
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 5, // 5次尝试
message: '登录尝试过多',
standardHeaders: true,
legacyHeaders: false,
});
app.post('/api/login', loginLimiter, loginHandler);
CSRF保护
import csrf from 'csurf';
const csrfProtection = csrf({ cookie: true });
app.get('/form', csrfProtection, (req, res) => {
res.render('form', { csrfToken: req.csrfToken() });
});
app.post('/process', csrfProtection, (req, res) => {
// 受保护的端点
});
集成点
补充:
- security-threat-modeler: 用于威胁分析
- backend-implementation-patterns: 用于安全API
- verification-loop: 用于安全检查