
An Example Analysis of the Development Security Strategy of the Wechat Public Platform

2025-02-24 update, from SLTechnology News & Howtos (shulou), Development section


Shulou (Shulou.com) 06/03 Report

This article explains in detail, by example, the security strategy for developing on the Wechat public platform. The editor thinks it is very practical, so it is shared here for reference; I hope you get something out of it.

1. Set a highly complex Token and hide the service address (URL) as much as possible

URL: the link address that handles Wechat requests

Token: the identity credential used to verify requests

When you apply to become a developer or modify the URL/Token, Wechat accesses the URL with a GET request to verify the signature, for which the Token is required.

The process is equivalent to a handshake; if the handshake succeeds, subsequent communication can proceed.

Dangers:

1. If the URL and Token are cracked and linked directly to another public account, the service can be stolen outright. For some advertising-type accounts this is not profitable, but for a public account that provides applications or services, serving other accounts for free is bound to increase the load on the server and bring certain risks.

2. If the URL is cracked, even when the Token is not, some lawbreakers may attack the URL. Of course, it is not so easy to be targeted by hackers. Heh.

Recommendations:

1. Try to ensure that the service URL is not directly related to the URLs that deliver messages or web pages, so that the service URL cannot be inferred from them.

2. URL redirection can be used to hide some of the path information.

3. In the service, determine whether the request really comes from the Wechat server. This can be decided from the address the request comes from; other requests are not processed.

4. Make the Token value as complex as possible.

2. It is recommended that signature verification be carried out for every request

After the URL and Token are set up, Wechat submits a GET request to our backend service. Once this verification passes, Wechat's other requests are submitted via POST.

So in the code we often decide whether to verify the signature according to the request method. This was also done in previous examples:

/// <summary>
/// Process the request and generate a response
/// </summary>
public string Response()
{
    string method = Request.HttpMethod.ToUpper();
    // verify the signature
    if (method == "GET")
    {
        if (CheckSignature())
        {
            return Request.QueryString[ECHOSTR];
        }
        else
        {
            return "error";
        }
    }
    // process the message
    if (method == "POST")
    {
        return ResponseMsg();
    }
    return "cannot be processed";
}

Although Wechat's other requests are submitted via POST, their URLs also carry the signature information, so we need to verify the signature there too. For the sake of security, it is therefore recommended to verify the signature for every request.

According to this principle, we modify the code as follows:

/// <summary>
/// Process the request and generate a response
/// </summary>
public string Response()
{
    string method = Request.HttpMethod.ToUpper();
    // verify the signature
    if (method == "GET")
    {
        if (CheckSignature())
        {
            return Request.QueryString[ECHOSTR];
        }
        else
        {
            return "error";
        }
    }
    // process the message
    if (method == "POST")
    {
        // verify the signature here as well
        if (CheckSignature())
        {
            return ResponseMsg();
        }
    }
    return "cannot be processed";
}

The signature algorithm, CheckSignature(), will not be repeated here. For details, see: The Basic Framework for Wechat Public Account Development.

3. Verify the request according to ToUserName

Usually our public account corresponds to an openId, which can be obtained while processing messages. This openId is fixed and can be used to verify identity, so invalid or spoofed messages can be filtered out very well: I only handle messages sent to me. Even if the URL and Token are cracked, this still guarantees that the backend service only serves our own public account.
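Pulling sections 2 and 3 together, here is an added example in Python (not the article's C#, and not code from the article). It implements the check that CheckSignature() stands for, using Wechat's documented scheme (SHA-1 over the dictionary-sorted token, timestamp and nonce), applies it to GET and POST alike, and drops POST messages whose ToUserName is not our own account. The Token, account id and sample message are constructed values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample values: the real Token comes from the Wechat developer
# console and our own account id (Context.OpenID in the article) from config.
TOKEN = "Kx7!pq2#Zr9vL0mT4wY8"
MY_OPEN_ID = "gh_0123456789ab"


def compute_signature(token, timestamp, nonce):
    """Wechat's documented check: SHA-1 over the dictionary-order sorted
    concatenation of token, timestamp and nonce."""
    joined = "".join(sorted([token, timestamp, nonce]))
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()


def check_signature(token, query):
    """True only if the query string carries a matching signature.
    Applied to every request, GET or POST, as section 2 recommends."""
    try:
        expected = compute_signature(token, query["timestamp"], query["nonce"])
    except KeyError:
        return False
    # constant-time compare so the match position does not leak via timing
    return hmac.compare_digest(expected, query.get("signature", ""))


def is_sent_to_me(to_user_name, my_open_id=MY_OPEN_ID):
    """Section 3: only messages addressed to our own account are handled."""
    return to_user_name.lower() == my_open_id.lower()


def handle_request(method, query, body=None, token=TOKEN):
    """Python mirror of the article's Response(): signature first, then dispatch."""
    if not check_signature(token, query):
        return "error"
    method = method.upper()
    if method == "GET":
        return query.get("echostr", "error")  # handshake: echo echostr back
    if method == "POST" and body:
        msg = ET.fromstring(body)
        to_user = msg.findtext("ToUserName", default="")
        if not is_sent_to_me(to_user):
            return "ignored"  # addressed to another account: drop it
        return "success"  # here the real ResponseMsg() would build the reply
    return "cannot be processed"
```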

/// <summary>
/// Is the message sent to me?
/// </summary>
/// <param name="toUserName">recipient</param>
/// <returns>bool</returns>
private bool IsSentToMe(string toUserName)
{
    return string.Equals(toUserName, Context.OpenID, StringComparison.OrdinalIgnoreCase);
}

4. AppId and AppSecret

For a service account, some advanced features require developer credentials: AppId and AppSecret.

An ACCESS_TOKEN can be obtained with the AppId and AppSecret, and advanced functions such as custom menus are managed with the ACCESS_TOKEN.

The ACCESS_TOKEN has an expiration time, usually 7200 s. AppId and AppSecret, however, are generated randomly by the system and never expire; to change them you must log in to the Wechat public platform management console and reset them.

Get the Access_Token by requesting the following URL via GET:

https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=xxxx&secret=xxxx

After you get the Access_Token, you can operate some of the advanced interfaces.

For example:

Create a custom menu through an HTTP request: POST (please use the https protocol)

https://api.weixin.qq.com/cgi-bin/menu/create?access_token=ACCESS_TOKEN

For details on how to implement it, see: Wechat Public Account Development: Custom Menu.

Obtaining the ACCESS_TOKEN via a GET request is in fact not very secure. If it is stolen, the thief can modify the links in the custom menu, changing them into advertising links or worse, and your server has in effect become someone else's zombie machine. So be sure to keep the server secure. For security reasons, it is recommended to reset the AppId and AppSecret (in the backend management page of the Wechat public platform) from time to time. It is important to ensure the security of the server, which is covered in section 5.
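As an added example (Python, not code from the article), a small ACCESS_TOKEN cache for the two endpoints above: it reuses the token until shortly before expires_in runs out, so the AppSecret is transmitted as rarely as possible, and masks secret and token values before a URL reaches a log. The HTTP fetch and post callables are injected and the AppId, AppSecret and token values are constructed.

```python
import json
import re
import time
from urllib.parse import urlencode

TOKEN_URL = "https://api.weixin.qq.com/cgi-bin/token"
MENU_URL = "https://api.weixin.qq.com/cgi-bin/menu/create"


def redact(url):
    """Mask the secret and access_token query values before a URL is logged."""
    return re.sub(r"(secret|access_token)=[^&]+", r"\1=***", url)


class AccessTokenCache:
    """Fetch the ACCESS_TOKEN with AppId/AppSecret and reuse it until `margin`
    seconds before Wechat's expires_in (normally 7200 s) would run out."""

    def __init__(self, appid, secret, fetch_json, now=time.time, margin=300):
        self._appid, self._secret = appid, secret
        self._fetch_json = fetch_json  # callable(url) -> dict; injected so tests run offline
        self._now, self._margin = now, margin
        self._token, self._expires_at = None, 0.0
        self.fetch_count = 0  # how often the secret actually went over the wire

    def get(self):
        if self._token is None or self._now() >= self._expires_at - self._margin:
            params = {"grant_type": "client_credential",
                      "appid": self._appid, "secret": self._secret}
            data = self._fetch_json(TOKEN_URL + "?" + urlencode(params))
            if "access_token" not in data:
                # Wechat answers errors as {"errcode": ..., "errmsg": ...}
                raise RuntimeError("token request failed: errcode=%s" % data.get("errcode"))
            self._token = data["access_token"]
            self._expires_at = self._now() + int(data["expires_in"])
            self.fetch_count += 1
        return self._token


def create_menu(cache, menu, post_json):
    """POST the menu JSON with the current ACCESS_TOKEN; post_json(url, body) -> dict."""
    url = MENU_URL + "?access_token=" + cache.get()
    return post_json(url, json.dumps(menu, ensure_ascii=False))
```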

5. Ensure the security of the server

Server security has many elements, such as network security, firewalls, antivirus software, restricting ports, and so on, which are the same as the usual server security requirements. There is plenty of information on this, so I will not repeat it here.

This is the end of the article "An Example Analysis of the Security Strategy for the Development of the Wechat Public Platform". I hope the above content is of some help to you and that you learn something from it. If you think the article is good, please share it so more people can see it.
