What security issues need to be addressed when working with Google App Engine?


Question



I've been considering using Google App Engine for a few hobby projects. While they won't be handling any sensitive data, I'd still like to make them relatively secure for a number of reasons, like learning about security, legal, etc.

What security issues need to be addressed when working with Google App Engine?

Are they the same issues that other applications - like applications written in other languages or hosted in other ways - are faced with?

Edit: I did some searching and it looks like I need to sanitize input for XSS and Injection. What are other things to consider?

Answer

"Sanitising" input is not the way to avoid query-injection and markup-injection problems. Using the correct form of escaping at the output stage is... or, even better, using a higher-level tool that deals with it for you.

So for preventing query-injection against GQL, use the parameter-binding interface of GqlQuery. For preventing markup-injection against HTML (leading to XSS), use the HTML-escaping feature of whatever templating language you're using. For example, for Django templates, |escape... or, better, {% autoescape on %} so you don't accidentally miss one.
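The answer's two recommendations side by side, as an added example that is not part of the original post or of App Engine's own code. The query half shows a string-built query text next to the positional-binding form that GqlQuery accepts; the real db.GqlQuery call is not executed here because the App Engine SDK is assumed not to be installed, so Python's standard sqlite3 module stands in to show what parameter binding does at the driver. The markup half shows the "sanitise on input" approach the answer argues against next to escaping at the output stage with html.escape, which is the same transformation Django's |escape filter and {% autoescape on %} apply. All rows, inputs and the Greeting kind are constructed for the example.

```python
import html
import sqlite3

# Constructed sample rows standing in for a datastore kind "Greeting".
GREETINGS = [("alice", "hello"), ("bob", "hi there")]


def build_gql_unsafe(author):
    """String-building the query: a quote in the input becomes part of the query text."""
    return "SELECT * FROM Greeting WHERE author = '%s'" % author


def build_gql_bound(author):
    """The shape GqlQuery's positional binding takes: the query text stays fixed
    and the value travels separately, e.g. db.GqlQuery(text, *params).
    The real call is not made here (App Engine SDK assumed absent)."""
    return "SELECT * FROM Greeting WHERE author = :1", (author,)


def _connection():
    """In-memory sqlite3 table used as a stand-in for the datastore."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greeting (author TEXT, content TEXT)")
    conn.executemany("INSERT INTO greeting VALUES (?, ?)", GREETINGS)
    return conn


def find_unsafe(author):
    """String-built query: the input can change which rows are selected."""
    conn = _connection()
    sql = "SELECT content FROM greeting WHERE author = '%s'" % author
    return [row[0] for row in conn.execute(sql)]


def find_bound(author):
    """Parameter binding: the driver keeps the value as data, never as query text."""
    conn = _connection()
    return [row[0] for row in conn.execute(
        "SELECT content FROM greeting WHERE author = ?", (author,))]


def render_unsafe(comment):
    """Markup injection: user text is pasted straight into the HTML."""
    return "<p>%s</p>" % comment


def sanitise_input(comment):
    """The 'sanitise input' approach the answer rejects: stripping angle brackets
    silently destroys legitimate text and says nothing about other output contexts."""
    return comment.replace("<", "").replace(">", "")


def render_escaped(comment):
    """Escape at the output stage instead; this is what |escape / autoescape do."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    crafted = "x' OR author = 'bob"   # constructed input containing a quote
    print(build_gql_unsafe(crafted))  # query text now has two conditions
    print(build_gql_bound(crafted))   # query text unchanged, value separate
    print(find_unsafe(crafted))       # another author's row is returned
    print(find_bound(crafted))        # nothing: no author has that literal name
    print(render_escaped("<b>hi</b> & bye"))
    print(sanitise_input("1 < 2"), "|", render_escaped("1 < 2"))
```

The contrast on the last line is the answer's point: the input-stripping version turns "1 < 2" into "1  2" and loses the data, while output escaping keeps the text intact and still renders it as text rather than markup.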
