课程: Programming Foundations: Web Security

今天就学习课程吧!

今天就开通帐号,24,600 门业界名师课程任您挑!

Keep error messages vague

Keep error messages vague

课程: Programming Foundations: Web Security

开始一个月试用 购买团队方案

Keep error messages vague

- Hackers use the results of their actions to improve their chances of success. Imagine that a hacker visits a standard login page on a website and tries a username and password. If the response is username not found, then the hacker knows to try a different username. If after a few tries the response changes to password not found, then they'll know that they've made progress and they have found a valid username. A more secure approach is to return an identical login failed message in both cases. Don't tell a hacker when their actions are getting warmer or colder. They can use that information to adjust their attacks. Give as little information back as necessary. This applies to all user messages, but especially to error messages. These may be errors that you're expecting and handling, like failed logins, or they may be unexpected errors caused by bugs in your code. When you're in the process of developing a website…

内容