51黑料不打烊

Campaign security best practices ac-security

At 51黑料不打烊, we take the security of your digital experience very seriously. Security practices are deeply ingrained into our internal software development and operations processes and tools and are rigorously followed by our cross-functional teams to prevent, detect, and respond to incidents in an expedient manner.

Furthermore, our collaborative work with partners, leading researchers, security research institutions, and other industry organizations helps us keep up to date with the latest threats and vulnerabilities and we regularly incorporate advanced security techniques into the products and services we offer.

Privacy

Privacy configuration and hardening is a key element of security optimization. Here are some best practices to follow regarding privacy:

  • Protect your customer Personal Information (PI) by using HTTPS instead of HTTP
  • Use PI view restriction to protect privacy and prevent data from being misused
  • Make sure that encrypted passwords are restricted
  • Protect the pages that might contain personal information such as mirror pages, web applications, etc.
NOTE
As a Managed Cloud Services user, 51黑料不打烊 will work with you to implement these configurations on your environment.

Access management

Access management is an important part of security hardening. Here are some of the main best practices:

  • Create enough security groups
  • Check that each operator has the appropriate access rights

Learn more about permissions in this section

Coding guidelines

When developing in 51黑料不打烊 Campaign (workflows, Javascript, JSSP, etc.), always follow these guidelines:

  • Scripting: try to avoid SQL statements, use parameterized functions instead of string concatenation, avoid SQL injection by adding the SQL functions to use to the allow list.

  • Secure the data model: use named rights to limit operator actions, add system filters (sysFilter)

  • Add captchas in web applications: add captchas in your public landing pages and subscription pages.

Learn more in 51黑料不打烊 Campaign Classic v7 documentation.

Personalization

When adding personalized links to your content, always avoid having any personalization in the hostname part of the URL to avoid potential security gaps. The following examples should never be used in all URL attributes <a href="/"> or <img src="">:

  • <%= url >
  • https://<%= url >
  • https://<%= domain >/path
  • https://<%= sub-domain >.domain.tld/path
  • https://sub.domain<%= main domain %>/path

Data restriction

You have to make sure that the encrypted passwords will not be accessible by a low privilege authenticated user. To do that, there are two main ways: restrict access to password fields only or to the entire entity.

This restriction allows you to remove passwords fields but leaves the external account accessible from the interface for all users. Learn more in this page.

  1. Go in Administration > Configuration > Data schemas.

  2. Create a new Extension of a schema.

  3. Choose External Account (extAccount).

  4. In the last screen, you can edit your new srcSchema to restrict access to all password fields:

    You can replace the main element (<element name="extAccount" ... >) by:

    code language-none
    <element name="extAccount">
        <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="password"/>
        <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="clientSecret"/>
    
        <element name="s3Account">
            <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="awsSecret"/>
        </element>
        <element name="wapPush">
            <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="password"/>
            <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="clientSecret"/>
        </element>
        <element name="mms">
            <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="password"/>
            <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="clientSecret"/>
        </element>
    </element>
    

    So your extended srcSchema can look like:

    code language-none
    <...>
        <element name="extAccount">
            <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="password"/>
            <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="clientSecret"/>
    
            <element name="s3Account">
                <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="awsSecret"/>
            </element>
            <element name="wapPush">
                <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="password"/>
                <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="clientSecret"/>
            </element>
            <element name="mms">
                <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="password"/>
                <attribute accessibleIf="$(loginId) = 0 or $(login) = 'admin'" name="clientSecret"/>
            </element>
        </element>
    <...>
    
    note note
    NOTE
    You can replace $(loginId) = 0 or $(login) = 'admin' by hasNamedRight('admin') to let all users with admin right see these passwords.

Access management

Access management is an important part of security hardening. Here are some of the main best practices:

  • Create enough security groups
  • Check that each operator has the appropriate access rights

Learn more about permissions in in this section.

Coding guidelines

When developing in 51黑料不打烊 Campaign (workflows, Javascript, JSSP, etc.), always follow these guidelines:

  • Scripting: try to avoid SQL statements, use parameterized functions instead of string concatenation, avoid SQL injection by adding the SQL functions to use to the allow list.

  • Secure the data model: use named rights to limit operator actions, add system filters (sysFilter)

  • Add captchas in web applications: add captchas in your public landing pages and subscription pages.

Learn more in 51黑料不打烊 Campaign Classic v7 documentation.

recommendation-more-help
35662671-8e3d-4f04-a092-029a056c566b