What security issues need to be addressed when working with Google App Engine?
Question
I've been considering using Google App Engine for a few hobby projects. While they won't be handling any sensitive data, I'd still like to make them relatively secure for a number of reasons, like learning about security, legal, etc.
What security issues need to be addressed when working with Google App Engine?
Are they the same issues that other applications - like applications written in other languages or hosted in other ways - are faced with?
Edit: I did some searching, and it looks like I need to sanitize input for XSS and Injection. What are other things to consider?
"Sanitising" input is not the way to avoid query-injection and markup-injection problems. Using the correct form of escaping at the output stage is... or, even better, using a higher-level tool that deals with it for you.
So for preventing query-injection against GQL, use the parameter-binding interface of GqlQuery. For preventing markup-injection against HTML (leading to XSS), use the HTML-escaping feature of whatever templating language you're using. For example, for Django templates, |escape
... or, better, {% autoescape on %}
so you don't accidentally miss one.
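The following is an added example, not code from the answer above or from Google's SDK. It shows the answer's two points in Python: escaping untrusted text at the output stage (here with the standard library's html.escape, standing in for a template engine's autoescape) next to the naive string concatenation that leads to XSS, and the parameter-binding shape of a GQL query for the legacy db API. The kind name Entry and the greeting/tooltip functions are hypothetical; the GqlQuery call only runs inside the App Engine Python runtime, so the helper that builds the query text and its bound parameters is separated out.

```python
import html

# --- Markup injection: untrusted text meeting HTML ---

def render_greeting_unsafe(name):
    # The pattern the answer warns against: the value is spliced into
    # HTML unchanged, so any markup in it is interpreted by the browser.
    return "<p>Hello, " + name + "!</p>"

def render_greeting_safe(name):
    # Escape where untrusted text enters HTML, not when it arrives.
    # quote=True also escapes " and ' so the result is safe in attributes.
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"

def render_tooltip_safe(text):
    # Attribute context: the same escaping keeps the value inside the
    # quoted title attribute instead of letting it close the quote.
    safe = html.escape(text, quote=True)
    return '<span title="{0}">{0}</span>'.format(safe)

# --- Query injection: GQL with parameter binding ---

def author_query(author):
    # Hypothetical kind "Entry". The author value is returned as a
    # separate bound parameter (:1) rather than concatenated into the
    # query text, which is what the answer means by the binding interface.
    gql = "SELECT * FROM Entry WHERE author = :1"
    return gql, (author,)

def run_author_query(author):
    # Legacy App Engine Python db API; importable only in that runtime.
    from google.appengine.ext import db
    gql, params = author_query(author)
    return db.GqlQuery(gql, *params)

if __name__ == "__main__":
    # Constructed sample input containing markup and an attribute breakout.
    print(render_greeting_unsafe("<b>visitor</b>"))
    print(render_greeting_safe("<b>visitor</b>"))
    print(render_tooltip_safe('a" onmouseover="x'))
    print(author_query("bob"))
```

Note that html.escape is the right tool for HTML text and attribute values only; a value placed in a URL, a script block or a CSS context needs that context's own escaping, which is the reason the answer prefers a template engine's autoescape over escaping by hand.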