当前位置：首页 > news >正文

Web 前端安全防护：防范常见攻击与漏洞的策略

news 2025/7/8 15:08:50

Web 前端安全防护：防范常见攻击与漏洞的策略

网络安全从来不是"别人的事"。当你的用户在浏览器中输入敏感信息时，当你的应用处理支付数据时，当你的网站存储用户隐私时，安全就成了头等大事。

在过去的安全审计项目中，我发现90%的前端安全问题都源于对基础攻击手段的认识不足。XSS、CSRF、点击劫持这些看似简单的攻击，却能造成用户数据泄露、资金损失等严重后果。今天我们就来深入了解前端安全的核心防护策略。

XSS 攻击防护

理解 XSS 攻击类型

XSS（跨站脚本攻击）是最常见的前端安全威胁：

// 存储型 XSS 防护
class XSSProtection {constructor() {this.htmlEntities = {'<': '&lt;','>': '&gt;','"': '&quot;',"'": '&#x27;','&': '&amp;','/': '&#x2F;'};}// HTML 实体编码escapeHtml(text) {if (typeof text !== 'string') return text;return text.replace(/[<>"'&\/]/g, (match) => {return this.htmlEntities[match];});}// 更严格的 HTML 清理sanitizeHtml(html) {// 创建临时 DOM 元素const temp = document.createElement('div');temp.textContent = html;return temp.innerHTML;}// 使用 DOMPurify 进行深度清理deepSanitize(html) {if (typeof DOMPurify !== 'undefined') {return DOMPurify.sanitize(html, {ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p', 'br'],ALLOWED_ATTR: []});}return this.sanitizeHtml(html);}// 安全的 innerHTML 设置safeSetInnerHTML(element, content) {const sanitized = this.deepSanitize(content);element.innerHTML = sanitized;}// 检测潜在的 XSS 攻击detectXSS(input) {const xssPatterns = [/<script[^>]*>[\s\S]*?<\/script>/gi,/<iframe[^>]*>[\s\S]*?<\/iframe>/gi,/javascript:/gi,/on\w+\s*=/gi,/<img[^>]*onerror[^>]*>/gi,/eval\s*\(/gi,/expression\s*\(/gi];return xssPatterns.some(pattern => pattern.test(input));}// 内容安全策略辅助generateCSPNonce() {const array = new Uint8Array(16);crypto.getRandomValues(array);return Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('');}
}// 使用示例
const xssProtection = new XSSProtection();// 用户输入处理
function handleUserInput(input) {// 检测 XSS 攻击if (xssProtection.detectXSS(input)) {console.warn('检测到潜在 XSS 攻击:', input);return null;}// 清理并返回安全内容return xssProtection.escapeHtml(input);
}// 安全的模板渲染
function renderTemplate(template, data) {let result = template;Object.keys(data).forEach(key => {const value = xssProtection.escapeHtml(data[key]);result = result.replace(new RegExp(`{{${key}}}`, 'g'), value);});return result;
}// 动态内容插入
function safeAppendContent(container, content) {const sanitized = xssProtection.deepSanitize(content);container.insertAdjacentHTML('beforeend', sanitized);
}

Content Security Policy (CSP) 实现

// CSP 策略管理
class CSPManager {constructor() {this.policies = {'default-src': ["'self'"],'script-src': ["'self'"],'style-src': ["'self'", "'unsafe-inline'"],'img-src': ["'self'", 'data:', 'https:'],'font-src': ["'self'"],'connect-src': ["'self'"],'frame-ancestors': ["'none'"],'base-uri': ["'self'"],'form-action': ["'self'"]};this.nonces = new Set();}// 生成 CSP 头部generateCSPHeader() {const directives = Object.entries(this.policies).map(([directive, sources]) => `${directive} ${sources.join(' ')}`).join('; ');return `Content-Security-Policy: ${directives}`;}// 添加可信源addTrustedSource(directive, source) {if (this.policies[directive]) {this.policies[directive].push(source);}}// 生成脚本 noncegenerateScriptNonce() {const nonce = this.generateRandomString(32);this.nonces.add(nonce);// 添加到 script-src 策略if (!this.policies['script-src'].includes(`'nonce-${nonce}'`)) {this.policies['script-src'].push(`'nonce-${nonce}'`);}return nonce;}// 验证 noncevalidateNonce(nonce) {return this.nonces.has(nonce);}// 生成随机字符串generateRandomString(length) {const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';let result = '';for (let i = 0; i < length; i++) {result += chars.charAt(Math.floor(Math.random() * chars.length));}return result;}// 违规报告处理setupViolationReporting() {this.policies['report-uri'] = ['/csp-violation-report'];// 监听 CSP 违规事件document.addEventListener('securitypolicyviolation', (event) => {this.handleCSPViolation(event);});}handleCSPViolation(event) {const violationData = {documentURI: event.documentURI,violatedDirective: event.violatedDirective,blockedURI: event.blockedURI,lineNumber: event.lineNumber,columnNumber: event.columnNumber,sourceFile: event.sourceFile,timestamp: Date.now()};// 发送违规报告this.sendViolationReport(violationData);}async sendViolationReport(data) {try {await fetch('/api/csp-violation', {method: 'POST',headers: {'Content-Type': 'application/json'},body: JSON.stringify(data)});} catch (error) {console.error('CSP 违规报告发送失败:', error);}}
}// 使用示例
const cspManager = new CSPManager();// 设置 CSP 策略
cspManager.addTrustedSource('script-src', 'https://cdn.example.com');
cspManager.addTrustedSource('style-src', 'https://fonts.googleapis.com');// 生成 CSP 头部
const cspHeader = cspManager.generateCSPHeader();
console.log(cspHeader);// 为内联脚本生成 nonce
const scriptNonce = cspManager.generateScriptNonce();
console.log('Script nonce:', scriptNonce);

CSRF 攻击防护

Token 验证机制

// CSRF 防护令牌管理
class CSRFProtection {constructor() {this.tokenName = 'csrf_token';this.headerName = 'X-CSRF-Token';this.cookieName = 'csrf_cookie';this.tokenExpiry = 3600000; // 1小时}// 生成 CSRF 令牌generateToken() {const array = new Uint8Array(32);crypto.getRandomValues(array);const token = Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('');// 存储到 sessionStorageconst tokenData = {token: token,timestamp: Date.now(),expiry: Date.now() + this.tokenExpiry};sessionStorage.setItem(this.tokenName, JSON.stringify(tokenData));// 设置 cookie（HttpOnly）this.setCookie(this.cookieName, token, {httpOnly: true,secure: true,sameSite: 'strict',maxAge: this.tokenExpiry / 1000});return token;}// 获取当前令牌getToken() {const stored = sessionStorage.getItem(this.tokenName);if (!stored) return null;try {const tokenData = JSON.parse(stored);// 检查过期时间if (Date.now() > tokenData.expiry) {this.clearToken();return null;}return tokenData.token;} catch (error) {console.error('CSRF 令牌解析失败:', error);return null;}}// 验证令牌validateToken(token) {const currentToken = this.getToken();return currentToken && currentToken === token;}// 清除令牌clearToken() {sessionStorage.removeItem(this.tokenName);this.deleteCookie(this.cookieName);}// 设置 CookiesetCookie(name, value, options = {}) {let cookieString = `${name}=${value}`;if (options.maxAge) {cookieString += `; Max-Age=${options.maxAge}`;}if (options.secure) {cookieString += '; Secure';}if (options.httpOnly) {cookieString += '; HttpOnly';}if (options.sameSite) {cookieString += `; SameSite=${options.sameSite}`;}document.cookie = cookieString;}// 删除 CookiedeleteCookie(name) {document.cookie = `${name}=; Max-Age=0; Path=/`;}// 自动为表单添加 CSRF 令牌protectForms() {const forms = document.querySelectorAll('form');forms.forEach(form => {this.addTokenToForm(form);});}// 为表单添加令牌字段addTokenToForm(form) {const token = this.getToken() || this.generateToken();// 移除已存在的令牌字段const existingField = form.querySelector(`input[name="${this.tokenName}"]`);if (existingField) {existingField.remove();}// 添加新的令牌字段const tokenField = document.createElement('input');tokenField.type = 'hidden';tokenField.name = this.tokenName;tokenField.value = token;form.appendChild(tokenField);}// 为 AJAX 请求添加令牌protectAjaxRequests() {const originalFetch = window.fetch;const self = this;window.fetch = function(url, options = {}) {// 只为非 GET 请求添加令牌if (!options.method || options.method.toLowerCase() !== 'get') {const token = self.getToken() || self.generateToken();options.headers = options.headers || {};options.headers[self.headerName] = token;}return originalFetch.call(this, url, options);};}
}// 使用示例
const csrfProtection = new CSRFProtection();// 初始化 CSRF 防护
document.addEventListener('DOMContentLoaded', () => {// 生成初始令牌csrfProtection.generateToken();// 保护所有表单csrfProtection.protectForms();// 保护 AJAX 请求csrfProtection.protectAjaxRequests();// 监听新表单的添加const observer = new MutationObserver((mutations) => {mutations.forEach((mutation) => {mutation.addedNodes.forEach((node) => {if (node.nodeType === 1) { // 元素节点const forms = node.querySelectorAll ? node.querySelectorAll('form') : [];forms.forEach(form => csrfProtection.addTokenToForm(form));}});});});observer.observe(document.body, {childList: true,subtree: true});
});

点击劫持防护

Frame Busting 和 X-Frame-Options

// 点击劫持防护
class ClickjackingProtection {constructor() {this.isFramed = window.self !== window.top;this.allowedOrigins = [];}// 检测框架嵌套detectFraming() {return this.isFramed;}// 添加允许的来源addAllowedOrigin(origin) {this.allowedOrigins.push(origin);}// 验证父框架来源validateParentOrigin() {if (!this.isFramed) return true;try {const parentOrigin = window.parent.location.origin;return this.allowedOrigins.includes(parentOrigin);} catch (error) {// 跨域访问被阻止，说明来源不可信return false;}}// Frame BustingbustFrame() {if (this.isFramed && !this.validateParentOrigin()) {// 尝试跳出框架try {window.top.location = window.self.location;} catch (error) {// 如果无法跳出，显示警告this.showFramingWarning();}}}// 显示框架警告showFramingWarning() {const warning = document.createElement('div');warning.id = 'framing-warning';warning.style.cssText = `position: fixed;top: 0;left: 0;width: 100%;height: 100%;background: rgba(255, 0, 0, 0.9);color: white;display: flex;align-items: center;justify-content: center;z-index: 999999;font-size: 24px;font-family: Arial, sans-serif;`;warning.innerHTML = `<div style="text-align: center;"><h2>安全警告</h2><p>此页面被嵌入到未授权的框架中</p><p>请直接访问原始页面以确保安全</p><button onclick="window.open('${window.location.href}', '_blank')">在新窗口中打开</button></div>`;document.body.appendChild(warning);}// 设置 X-Frame-Options 头部（需要服务器配合）setFrameOptions(option = 'DENY') {// 这需要在服务器端设置，这里只是示例const meta = document.createElement('meta');meta.httpEquiv = 'X-Frame-Options';meta.content = option; // DENY, SAMEORIGIN, ALLOW-FROM uridocument.head.appendChild(meta);}// 使用 CSP 防护setCSPFrameAncestors(sources = ["'none'"]) {const meta = document.createElement('meta');meta.httpEquiv = 'Content-Security-Policy';meta.content = `frame-ancestors ${sources.join(' ')}`;document.head.appendChild(meta);}// 监听框架状态变化monitorFrameStatus() {setInterval(() => {const currentlyFramed = window.self !== window.top;if (currentlyFramed !== this.isFramed) {this.isFramed = currentlyFramed;if (this.isFramed) {console.warn('页面被嵌入到框架中');this.bustFrame();}}}, 1000);}
}// 使用示例
const clickjackProtection = new ClickjackingProtection();// 添加允许的来源
clickjackProtection.addAllowedOrigin('https://trusted-site.com');// 启动防护
document.addEventListener('DOMContentLoaded', () => {if (clickjackProtection.detectFraming()) {clickjackProtection.bustFrame();}// 设置 CSP 框架祖先策略clickjackProtection.setCSPFrameAncestors(["'self'", 'https://trusted-site.com']);// 开始监听clickjackProtection.monitorFrameStatus();
});

数据验证与过滤

输入验证框架

// 数据验证和过滤系统
class DataValidator {constructor() {this.rules = {email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,phone: /^\+?[\d\s\-\(\)]+$/,url: /^https?:\/\/.+/,alphanumeric: /^[a-zA-Z0-9]+$/,noScript: /^(?!.*<script).*$/i};this.sanitizers = {html: this.sanitizeHtml.bind(this),sql: this.sanitizeSQL.bind(this),xss: this.sanitizeXSS.bind(this),path: this.sanitizePath.bind(this)};}// 验证单个字段validateField(value, rules) {const errors = [];for (const rule of rules) {const result = this.applyRule(value, rule);if (!result.valid) {errors.push(result.error);}}return {valid: errors.length === 0,errors: errors};}// 应用验证规则applyRule(value, rule) {switch (rule.type) {case 'required':return {valid: value !== null && value !== undefined && value !== '',error: rule.message || '此字段为必填项'};case 'minLength':return {valid: value.length >= rule.value,error: rule.message || `最少需要 ${rule.value} 个字符`};case 'maxLength':return {valid: value.length <= rule.value,error: rule.message || `最多允许 ${rule.value} 个字符`};case 'pattern':const pattern = typeof rule.value === 'string' ? this.rules[rule.value] : rule.value;return {valid: pattern.test(value),error: rule.message || '格式不正确'};case 'custom':return rule.validator(value);default:return { valid: true };}}// 验证表单数据validateForm(formData, schema) {const results = {};let isValid = true;for (const [field, rules] of Object.entries(schema)) {const value = formData[field];const result = this.validateField(value, rules);results[field] = result;if (!result.valid) {isValid = false;}}return {valid: isValid,results: results};}// HTML 清理sanitizeHtml(html) {const temp = document.createElement('div');temp.textContent = html;return temp.innerHTML;}// SQL 注入防护sanitizeSQL(input) {if (typeof input !== 'string') return input;// 移除或转义危险字符return input.replace(/'/g, "''").replace(/;/g, '\\;').replace(/--/g, '\\--').replace(/\/\*/g, '\\/*').replace(/\*\//g, '\\*/');}// XSS 清理sanitizeXSS(input) {if (typeof input !== 'string') return input;return input.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#x27;').replace(/\//g, '&#x2F;');}// 路径遍历防护sanitizePath(path) {if (typeof path !== 'string') return path;return path.replace(/\.\./g, '').replace(/\\/g, '/').replace(/\/+/g, '/').replace(/^\//, '');}// 批量清理数据sanitizeData(data, sanitizers) {const sanitized = {};for (const [key, value] of Object.entries(data)) {if (sanitizers[key]) {sanitized[key] = this.sanitizers[sanitizers[key]](value);} else {sanitized[key] = value;}}return sanitized;}
}// 使用示例
const validator = new DataValidator();// 定义表单验证规则
const userSchema = {username: [{ type: 'required' },{ type: 'minLength', value: 3 },{ type: 'maxLength', value: 20 },{ type: 'pattern', value: 'alphanumeric' }],email: [{ type: 'required' },{ type: 'pattern', value: 'email' }],password: [{ type: 'required' },{ type: 'minLength', value: 8 },{ type: 'custom', validator: (value) => ({valid: /(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/.test(value),error: '密码必须包含大小写字母和数字'})}]
};// 验证表单数据
const formData = {username: 'john_doe',email: 'john@example.com',password: 'MyPassword123'
};const validation = validator.validateForm(formData, userSchema);
console.log('验证结果:', validation);// 数据清理
const userInput = {comment: '<script>alert("xss")</script>Hello World',filename: '../../../etc/passwd',query: "'; DROP TABLE users; --"
};const sanitized = validator.sanitizeData(userInput, {comment: 'xss',filename: 'path',query: 'sql'
});console.log('清理后的数据:', sanitized);