Web security must be considered at every layer when building a website. This chapter focuses on cross-site scripting (XSS), SQL injection, cross-site request forgery, and public/private keys.
- Bro, on network security and traffic monitoring
- quick NIX secure script
- lynis is a solid security auditing tool that runs as a shell script on Linux systems; it helps you find weak points in the system so you have a chance to fix them before they are exposed to malicious users
- How does HTTPS actually work?
- introduction to HTTPS
- What is the difference between TLS and SSL? explains that TLS is the updated successor to SSL
- Security/Server Side TLS guide which Mozilla uses to operationalize its servers.
- If you’re having users submit sensitive information to your site you need to use SSL/TLS. Anything before TLS is now insecure. Check out this handy guide that goes over some of the nuances of the subject.
- The Sorry State of SSL details the history and evolution of SSL/TLS. There are important differences between the versions and Hynek explains why TLS should always be used. The talk prompted work to improve Python’s SSL in 2.7.9 based on the upgrades in Python 3 outlined in The not-so-sorry state of SSL in Python.
- How HTTPS Secures Connections is a guide for what HTTPS does and does not secure against.
- When and How to Deploy HTTPS
- The first few milliseconds of an HTTPS connection provides a detailed look at the SSL handshake process that is implemented by browsers based on the RFC 2818 specification.
- Qualys SSL Server Test can be used to determine what’s in place and what is missing for your server’s HTTPS connection. Once you run the test, read this article on Getting an A+ on Qualys’ SSL Labs Tester to improve your situation.
- The Open Web Application Security Project (OWASP) has cheat sheets for security topics.
- This page contains a fantastic curated list of security reading material from beginning to advanced topics.
- The /r/netsec subreddit is one place to go to learn more about network and application security.
- Hacking Tools Repository is a great list of password cracking, scanning, sniffing and other security penetration testing tools.
- Securing an Ubuntu Server
- Securing Ubuntu
- Security Tips from Apache
- Securing a Linux Server
- The EFF has a well written overview on what makes a good security audit. It’s broad but contains some of their behind the scenes thinking on important considerations with security audits.
- Ars Technica wrote posts on securing your website along with how to set up a safe and secure web server: part 1 and part 2 to explain HTTPS and SSL without much required pre-existing knowledge.
- Crypto 101 is an introductory course on cryptography for programmers.
- An in-depth analysis of SSH attacks on Amazon EC2 shows how important it is to secure your web servers, especially when they are hosted in IP address ranges that are commonly scanned by malicious actors.
- Cloud Security Auditing: Challenges and Emerging Approaches is a high-level overview of some of security auditing problems that come with cloud deployments.
- Wondering how the common buffer overflow attack works? Check out this article on buffer overflows that explains the attack in layman’s terms.
- 7 Security Measures to Protect Your Servers provides a good overview of the fundamentals for how servers should be configured for baseline security.
- As you’re developing on Linux, you’ll want to read and follow this Linux workstation security document to make sure your code and environment are not compromised. If you’re on Mac OS X, check out this securing Yosemite guide which covers that environment.
- TLS and Nginx Web Server Hardening explains a secure server configuration for the Nginx web server.
- Timing attacks are one form of vulnerability that can be used to defeat HTTPS in certain configurations. Understanding how those attacks work is important in keeping your users’ connections secure.
- Read up on and understand the common web security problems, including cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection and session hijacking. The OWASP top 10 web application vulnerabilities list gives an overview of these issues.