📋 Pre-development checklist

Items to verify before developing a new API endpoint.

  • An API specification (OpenAPI) has been created
  • Authentication and authorization methods have been decided
  • Input parameter types and constraints have been defined
  • The fields to include in responses have been explicitly defined
  • The error response format has been standardized
  • Rate-limiting requirements have been decided
  • Handling of personal and sensitive data has been confirmed
  • The authentication method has been decided (OAuth 2.0, JWT, API key)
  • The required permissions (scopes/roles) have been defined for each endpoint
  • Resource-level authorization checks have been designed (BOLA countermeasure)
  • Administrative functions are clearly separated
  • Token expiry and refresh approach have been decided
  • Communication uses TLS 1.2 or higher
  • The encryption method for stored data has been decided
  • Masking and anonymization policy for personal information has been decided
  • Logs contain no sensitive information (tokens, passwords)
  • Debug information and stack traces are not included in API responses

👀 Code review perspectives

Security items to check during API code review.

Check item | Importance | Explanation
Authentication middleware is applied to every endpoint | Required | Make sure no authentication check is missing, except on explicitly public APIs
Object-level authorization checks exist | Required | Verify that the requested resource belongs to the requesting user
Administrative functions verify the caller's role | Required | Make sure ordinary users cannot call admin APIs
The algorithm is pinned during JWT verification | Required | Prevents the alg:none attack
Token expiry is configured correctly | Recommended | Access tokens: 15 minutes or less
Check item | Importance | Explanation
Request body is schema-validated | Required | Validate type, length and format
SQL queries are parameterized | Required | Make sure queries are never built by string concatenation
Path parameters are format-checked | Required | Check the expected format, e.g. UUID
Pagination parameters have an upper bound | Recommended | Prevent excessive requests such as limit=999999
Uploaded files have type and size limits | Recommended | Validate content type and file size
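The three validation rows above (body schema, path-parameter format, pagination bounds) in working form, as an added example rather than code from the page. The helpers return an error list instead of throwing so the caller can map it onto the standard 400 response; the order schema and field names are assumed. The body validator rejects unknown fields as well, which also closes the mass-assignment hole that the "responses contain no unnecessary fields" row is the mirror image of.

```javascript
// Added example (not the page's code): request validation helpers.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Path parameter: accept only a well-formed UUID, normalized to lowercase.
function validatePathId(id) {
  const s = String(id);
  return UUID_V4.test(s) ? { ok: true, value: s.toLowerCase() } : { ok: false, error: 'id must be a UUID' };
}

// Pagination: clamp limit so limit=999999 cannot become a full-table dump.
function parsePagination(query, { defaultLimit = 20, maxLimit = 100 } = {}) {
  const limit = query.limit === undefined ? defaultLimit : Number(query.limit);
  const offset = query.offset === undefined ? 0 : Number(query.offset);
  if (!Number.isInteger(limit) || limit < 1) return { ok: false, error: 'limit must be a positive integer' };
  if (!Number.isInteger(offset) || offset < 0) return { ok: false, error: 'offset must be a non-negative integer' };
  return { ok: true, value: { limit: Math.min(limit, maxLimit), offset } };
}

// Body: allowlist of fields with type, max length, pattern and range checks.
// Fields not in the schema are rejected (mass-assignment defence).
function validateBody(body, schema) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) if (!(key in schema)) errors.push(`unknown field: ${key}`);
  for (const [key, rule] of Object.entries(schema)) {
    const v = body[key];
    if (v === undefined) { if (rule.required) errors.push(`${key} is required`); continue; }
    if (typeof v !== rule.type) { errors.push(`${key} must be ${rule.type}`); continue; }
    if (rule.type === 'string') {
      if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${key} exceeds ${rule.maxLength} chars`);
      if (rule.pattern && !rule.pattern.test(v)) errors.push(`${key} has invalid format`);
    }
    if (rule.type === 'number' && (!Number.isFinite(v) || (rule.min !== undefined && v < rule.min))) {
      errors.push(`${key} out of range`);
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: body };
}

// Assumed schema for a hypothetical POST /api/v1/orders body.
const createOrderSchema = {
  productId: { type: 'string', required: true, pattern: UUID_V4 },
  quantity:  { type: 'number', required: true, min: 1 },
  note:      { type: 'string', maxLength: 200 },
};
```

In a real service the schema would come from the OpenAPI document (an ajv-style validator generated from it), but the behaviour to insist on in review is the same: unknown fields and out-of-range values are 400s, and the upper bound on `limit` is enforced server-side regardless of what the client asks for.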
Check item | Importance | Explanation
Responses contain no unnecessary fields | Required | Prevent leaking password hashes, internal IDs, etc.
Error responses contain no stack traces | Required | Do not expose internal details in production
Security headers are configured | Recommended | X-Content-Type-Options, HSTS, etc.
Content-Type is set correctly | Recommended | Specify application/json explicitly
Check item | Importance | Explanation
Rate limiting is applied | Required | Especially on authentication and payment endpoints
Appropriate logging is in place | Recommended | Traceability: who did what, and when
Secrets are not hard-coded | Required | Use environment variables or a secrets manager
CORS is configured appropriately | Recommended | Avoid wildcards
Dependencies have no known vulnerabilities | Recommended | Check npm audit / Snyk results

📜 Security policy templates

Basic policy templates for internal API development. Customize them for your project.

1. Authentication policy

Policy template
Authentication methods
  - User-facing APIs: OAuth 2.0 (authorization code + PKCE)
  - Server-to-server APIs: OAuth 2.0 (client credentials) or mTLS
  - External integration APIs: API key + HMAC signature

Token management
  - Access token expiry: 15 minutes
  - Refresh token validity: 7 days (rotation required)
  - Token storage: HttpOnly + Secure + SameSite cookies only

Password policy
  - At least 12 characters, with at least one uppercase letter, one lowercase letter, one digit and one symbol
  - Hash with bcrypt (cost factor 12 or higher)
  - Protection against password-list attacks (integrate with the Have I Been Pwned API)

2. API design policy

Policy template
Versioning
  - Version via the URL path: /api/v1/resources
  - Support old versions for at least 6 months
  - Announce version changes via the Deprecation header

Rate limiting (defaults)
  - General APIs: 100 requests / 15 minutes
  - Authentication APIs: 5 requests / 15 minutes
  - Public APIs: 30 requests / minute
  - Always return RateLimit-* headers
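The default budgets above, together with the "rate limiting is applied" review row, as an added example that is not code from the page: an in-memory fixed-window limiter that picks a budget per endpoint class, keys authenticated traffic by user and anonymous traffic by source IP, and returns the RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset headers (names from the IETF httpapi rate-limit headers draft) plus Retry-After on 429. The path prefixes and the Map-backed store are assumptions; a multi-instance deployment would keep the counters in a shared store such as Redis.

```javascript
// Added example (not the page's code): fixed-window rate limiter with RateLimit-* headers.
const POLICIES = {
  general: { limit: 100, windowSec: 15 * 60 },
  auth:    { limit: 5,   windowSec: 15 * 60 },
  public:  { limit: 30,  windowSec: 60 },
};

class RateLimiter {
  constructor(policies = POLICIES) {
    this.policies = policies;
    this.buckets = new Map(); // `${policy}:${key}` -> { count, windowStart }
  }

  // key: who is being limited; nowSec is injectable so the behaviour is testable.
  check(key, policyName, nowSec = Math.floor(Date.now() / 1000)) {
    const policy = this.policies[policyName];
    if (!policy) throw new Error(`unknown rate-limit policy: ${policyName}`);
    const windowStart = nowSec - (nowSec % policy.windowSec);
    const bucketKey = `${policyName}:${key}`;
    let bucket = this.buckets.get(bucketKey);
    if (!bucket || bucket.windowStart !== windowStart) bucket = { count: 0, windowStart };
    bucket.count += 1;
    this.buckets.set(bucketKey, bucket);

    const resetSec = windowStart + policy.windowSec - nowSec;
    const allowed = bucket.count <= policy.limit;
    const headers = {
      'RateLimit-Limit': String(policy.limit),
      'RateLimit-Remaining': String(Math.max(policy.limit - bucket.count, 0)),
      'RateLimit-Reset': String(resetSec),
    };
    if (!allowed) headers['Retry-After'] = String(resetSec);
    return { allowed, status: allowed ? 200 : 429, headers };
  }
}

// Map a request to a policy and a limiting key (assumed path layout). Auth endpoints
// are keyed by IP even for logged-in callers so credential stuffing hits the strict budget.
function classify(req) {
  if (req.path.startsWith('/api/v1/auth/')) return { policy: 'auth', key: `ip:${req.ip}` };
  if (req.userId) return { policy: 'general', key: `user:${req.userId}` };
  return { policy: 'public', key: `ip:${req.ip}` };
}

function handle(limiter, req, nowSec) {
  const { policy, key } = classify(req);
  return limiter.check(key, policy, nowSec);
}
```

Note that the counter is incremented before the comparison, so a blocked caller keeps being counted; this is deliberate, since the window should not reopen early for a client that never stopped hammering.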

Responses
  - Content-Type: application/json (fixed)
  - Error responses use the Problem Details format (RFC 7807, since superseded by RFC 9457 with the same structure)
  - Never return stack traces in production
  - Pagination: 20 items by default, 100 at most
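The response rules above, and the "no unnecessary fields" and "no stack traces" review rows, in code as an added example that is not from the page: an explicit allowlist serializer so password hashes and internal IDs never reach the wire (with e-mail masked for anyone but the owner or an admin), and a Problem Details builder that only attaches error internals outside production. The user record and field names are assumed. One caveat on the Content-Type rule: RFC 7807/9457 bodies carry `application/problem+json`, so if the policy truly fixes `application/json` for everything, error responses need an explicit exception or clients must accept both.

```javascript
// Added example (not the page's code): response shaping.
const USER_PUBLIC_FIELDS = ['id', 'displayName', 'email', 'createdAt'];

function pick(obj, fields) {
  const out = {};
  for (const f of fields) if (obj[f] !== undefined) out[f] = obj[f];
  return out;
}

function maskEmail(email) {
  const [local, domain] = String(email).split('@');
  if (!domain) return '***';
  return `${local[0] || ''}***@${domain}`;
}

// Allowlist, never "delete the secret fields": a new column (passwordHash, internalDbId,
// mfaSecret...) is private by default until someone adds it to the list.
function serializeUser(record, { viewer }) {
  const out = pick(record, USER_PUBLIC_FIELDS);
  if (viewer.id !== record.id && viewer.role !== 'admin') out.email = maskEmail(record.email);
  return out;
}

// RFC 7807 / RFC 9457 Problem Details. `detail` is caller-supplied and must be a message
// safe to show; never pass err.message of an unexpected error there.
function problemResponse(status, title, { detail, instance, err, env = 'production' } = {}) {
  const body = { type: 'about:blank', title, status };
  if (detail) body.detail = detail;
  if (instance) body.instance = instance;
  if (env !== 'production' && err) body.debug = { message: err.message, stack: err.stack };
  return { status, headers: { 'Content-Type': 'application/problem+json' }, body };
}

// Catch-all mapping for an unexpected exception: generic title, no message, no stack.
function internalError(err, env = 'production', instance) {
  return problemResponse(500, 'Internal Server Error', { err, env, instance });
}
```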

3. Logging and audit policy

Policy template
Required log fields
  - Timestamp (ISO 8601, UTC)
  - Request ID (UUID, for tracing)
  - User ID / API client ID
  - HTTP method + endpoint
  - Status code
  - Source IP
  - Response time

Forbidden log fields (sensitive data)
  - Passwords / tokens / API keys
  - Credit card numbers
  - PII in full (must be masked)

Monitoring alerts
  - Authentication failures: alert at 5 or more per minute
  - 403 errors: alert at 10 or more per minute
  - 500 errors: alert immediately on the first occurrence
  - Rate limit exceeded: pattern analysis
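The three threshold rules above run over a constructed batch of log records, as an added example that is not the page's code. Records use the required-field shape from the logging policy; the auth-failure and 403 rules are keyed per source IP with a sliding one-minute window, the 500 rule fires on the first hit. The endpoint prefix and the sample records are assumptions.

```javascript
// Added example (not the page's code): threshold alerting over structured log records.
const ALERT_RULES = [
  { name: 'auth-failures',   match: (r) => r.endpoint.startsWith('/api/v1/auth') && r.status === 401, threshold: 5,  windowSec: 60, keyBy: 'sourceIp' },
  { name: 'forbidden-burst', match: (r) => r.status === 403,                                        threshold: 10, windowSec: 60, keyBy: 'sourceIp' },
  { name: 'server-error',    match: (r) => r.status >= 500,                                         threshold: 1,  windowSec: 60, keyBy: null },
];

// Returns one alert per (rule, key) the first time `threshold` matching events
// fall inside a `windowSec` sliding window.
function evaluateAlerts(records, rules = ALERT_RULES) {
  const alerts = [];
  for (const rule of rules) {
    const buckets = new Map(); // key -> event timestamps in seconds
    for (const r of records) {
      if (!rule.match(r)) continue;
      const key = rule.keyBy ? r[rule.keyBy] : '*';
      const list = buckets.get(key) || [];
      list.push(Date.parse(r.timestamp) / 1000);
      buckets.set(key, list);
    }
    for (const [key, times] of buckets) {
      times.sort((a, b) => a - b);
      let lo = 0;
      for (let hi = 0; hi < times.length; hi++) {
        while (times[hi] - times[lo] > rule.windowSec) lo++;
        if (hi - lo + 1 >= rule.threshold) {
          alerts.push({ rule: rule.name, key, count: hi - lo + 1, at: new Date(times[hi] * 1000).toISOString() });
          break;
        }
      }
    }
  }
  return alerts;
}

// CONSTRUCTED sample: six failed logins from one IP inside a minute, two 403s, one 500.
const BASE = Date.parse('2024-05-01T10:00:00Z');
const rec = (offsetSec, method, endpoint, status, sourceIp, userId = null) => ({
  timestamp: new Date(BASE + offsetSec * 1000).toISOString(),
  requestId: `req-${offsetSec}`, userId, method, endpoint, status, sourceIp, responseTimeMs: 12,
});
const SAMPLE_LOGS = [
  ...[0, 10, 20, 30, 40, 50].map((t) => rec(t, 'POST', '/api/v1/auth/login', 401, '203.0.113.9')),
  rec(5,  'POST', '/api/v1/auth/login', 200, '198.51.100.7', 'u2'),
  rec(15, 'GET',  '/api/v1/admin/users', 403, '198.51.100.7', 'u2'),
  rec(25, 'GET',  '/api/v1/admin/users', 403, '198.51.100.7', 'u2'),
  rec(61, 'GET',  '/api/v1/orders/42',   500, '198.51.100.7', 'u2'),
  rec(70, 'GET',  '/api/v1/orders/42',   200, '198.51.100.7', 'u2'),
];
```

The same rules translate directly into a SIEM query or a Prometheus alert on a per-IP counter; keying the 401 rule by IP is what separates one attacker's credential stuffing from a site-wide login outage, which the un-keyed 500 rule catches.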

🚨 Incident response flow

Phase 1: Detection (0-30 minutes)

Detect the incident through monitoring alerts, user reports or external notification. Determine severity through initial triage.

Phase 2: Containment (30 minutes - 2 hours)

Stop the damage from spreading. Revoke API keys, temporarily suspend the affected endpoints and establish the scope of impact.

Phase 3: Eradication and recovery (2-24 hours)

Fix the vulnerability, apply patches and restore service. Notify affected users.

Phase 4: Post-incident analysis (1-5 business days)

Hold a post-mortem. Perform root-cause analysis, define measures to prevent recurrence and document the results.

🤖 AI / LLM Security Checklist

Additional checklist items for systems integrating AI models and LLM-powered features.

  • Model provider has been evaluated for security and compliance (SOC 2, data processing agreement)
  • System prompts are stored securely and not exposed to end users
  • Token budget and cost limits are configured per request and per user
  • Data classification policy defines what data can be sent to external LLM APIs
  • LLM outputs are validated and sanitized before rendering or downstream processing
  • Fallback behavior is defined for model unavailability or degraded responses
  • Model version pinning strategy is documented to prevent unexpected behavior changes
  • Agent permissions follow least privilege principle — only necessary tools and APIs are accessible
  • Tool/function calling uses an explicit allowlist (not a denylist)
  • Human-in-the-loop approval is required for high-impact actions (payments, deletions, external communications)
  • Agent memory scope is bounded — conversation history does not leak across tenants or sessions
  • Inter-agent communication is authenticated and uses signed messages
  • Goal drift detection is implemented — agents are monitored for deviation from intended objectives
  • Emergency kill switch exists to halt agent execution immediately
  • Training data provenance is documented with lineage tracking
  • Data integrity checks exist for training and fine-tuning datasets (hash verification)
  • Model artifacts are versioned and stored in a tamper-proof registry
  • Model drift monitoring is in place to detect performance degradation
  • Third-party models and embeddings have been evaluated for known vulnerabilities
  • PII and sensitive data scrubbing is applied to training datasets

🧐 AI / LLM Code Review Perspectives

Security check items specific to code that integrates LLMs, AI agents, and ML models.

Check item | Importance | Explanation
System prompts are not exposed in client-side code or API responses | Required | Prompt leakage enables targeted prompt injection attacks
LLM outputs are validated before rendering (HTML/JS/SQL) | Required | LLM-generated content may contain XSS payloads or injection vectors
User input and system instructions are clearly separated in prompts | Required | Prevents direct prompt injection by maintaining the instruction-data boundary
Tool/function call permissions are scoped per user role | Required | Prevents privilege escalation through agent tool access
Token count limits are enforced per request and per session | Recommended | Prevents cost explosion and denial-of-wallet attacks
RAG retrieval results are sanitized before insertion into prompts | Required | Retrieved documents may contain indirect prompt injection payloads
Agent actions and tool calls are logged with a full audit trail | Recommended | Essential for incident investigation and compliance in AI systems
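The tool-permission and audit rows above, together with the checklist items on per-role allowlists, human-in-the-loop approval and the kill switch, as an added example (not the page's or any framework's code): a gate that sits between the model's proposed tool call and its execution. The model's output is parsed as untrusted JSON, the tool must be in the catalog and in the caller's role allowlist, arguments are checked against the tool's declared schema, high-impact tools need a single-use approval token, and every decision is recorded. The tool catalog, roles and approval mechanism are assumptions.

```javascript
// Added example (not the page's code): authorization gate for agent tool calls.
const TOOL_CATALOG = {
  search_docs:    { impact: 'low',  args: { query: 'string' } },
  get_order:      { impact: 'low',  args: { orderId: 'string' } },
  send_email:     { impact: 'high', args: { to: 'string', body: 'string' } },
  refund_order:   { impact: 'high', args: { orderId: 'string', amount: 'number' } },
  delete_account: { impact: 'high', args: { userId: 'string' } },
};

// Allowlist per role. Anything not listed is denied; there is no denylist to forget to update.
const ROLE_ALLOWLIST = {
  viewer:  ['search_docs', 'get_order'],
  support: ['search_docs', 'get_order', 'send_email', 'refund_order'],
  admin:   Object.keys(TOOL_CATALOG),
};

// The model's proposed call arrives as text. Parse it strictly; never eval it.
function parseToolCall(text) {
  let call;
  try { call = JSON.parse(text); } catch { return null; }
  if (!call || typeof call !== 'object' || typeof call.tool !== 'string' || !call.args || typeof call.args !== 'object') return null;
  return { tool: call.tool, args: call.args };
}

class ToolGate {
  constructor({ approvals = new Set(), killSwitch = { halted: false } } = {}) {
    this.approvals = approvals;     // single-use tokens issued by a human approver
    this.killSwitch = killSwitch;   // shared flag: flipping it halts every agent at once
    this.audit = [];
  }

  // request: { role, userId, sessionId, tool, args, approvalToken? }
  authorize(request) {
    const decision = this.decide(request);
    this.audit.push({ at: new Date().toISOString(), sessionId: request.sessionId, userId: request.userId,
                      role: request.role, tool: request.tool, args: request.args, ...decision });
    return decision;
  }

  decide({ role, tool, args, approvalToken }) {
    if (this.killSwitch.halted) return { allowed: false, reason: 'kill switch engaged' };
    const spec = TOOL_CATALOG[tool];
    if (!spec) return { allowed: false, reason: 'unknown tool' };
    if (!(ROLE_ALLOWLIST[role] || []).includes(tool)) return { allowed: false, reason: `tool not allowed for role ${role}` };
    for (const [name, type] of Object.entries(spec.args)) {
      if (typeof args?.[name] !== type) return { allowed: false, reason: `argument ${name} must be ${type}` };
    }
    for (const name of Object.keys(args || {})) {
      if (!(name in spec.args)) return { allowed: false, reason: `unexpected argument ${name}` };
    }
    if (spec.impact === 'high') {
      if (!approvalToken || !this.approvals.has(approvalToken)) {
        return { allowed: false, reason: 'human approval required', needsApproval: true };
      }
      this.approvals.delete(approvalToken); // single use: one approval, one action
    }
    return { allowed: true, reason: 'ok' };
  }
}
```

The role comes from the authenticated session, never from the prompt or the model output; a prompt-injected "you are now an admin" changes nothing here because the gate never reads the conversation.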

📑 AI / LLM Security Policy Templates

Policy templates for organizations deploying AI models and LLM-powered applications.

4. AI Model Access Control Policy

Policy template
■ Model Access Tiers
  - Tier 1 (Restricted): GPT-4 class / fine-tuned models — requires team lead approval
  - Tier 2 (Standard): GPT-3.5 class / embeddings — available to all developers
  - Tier 3 (Open): Open-source models (local inference) — no approval required

■ API Key Management for LLM Providers
  - One API key per service/environment (never share across projects)
  - Monthly spend alerts at 50%, 80%, 100% of budget
  - Hard spending caps enforced at the provider level
  - Key rotation: every 90 days or immediately upon team member departure

■ Data Sent to External Models
  - NEVER send: PII, credentials, internal IP, source code, customer data
  - ALLOWED with review: anonymized logs, public documentation, synthetic data
  - All prompts to external APIs must be logged (excluding PII)

5. AI Data Handling Policy

Policy template
■ Training Data Requirements
  - All training data must have documented provenance and licensing
  - PII must be removed or anonymized before use in training/fine-tuning
  - Data poisoning checks: validate data integrity with hash verification
  - Retain training data snapshots for reproducibility and audit

■ RAG (Retrieval-Augmented Generation) Data
  - Document ingestion pipeline must sanitize content (strip scripts, injections)
  - Access control on vector store must mirror source document permissions
  - Embedding models must be versioned and pinned

■ Model Output Data
  - LLM outputs must not be trusted as authoritative — always verify facts
  - Generated code must pass the same security review as human-written code
  - Outputs containing PII must be flagged and redacted before storage

6. AI Incident Classification Policy

Policy template
■ Severity Levels for AI-Specific Incidents
  - P1 (Critical): Prompt injection leading to data exfiltration or unauthorized actions
  - P1 (Critical): Model serving compromised or returning manipulated outputs
  - P2 (High): Training data poisoning detected, jailbreak bypass discovered
  - P2 (High): Agent performing unintended actions outside approved scope
  - P3 (Medium): Model drift causing degraded accuracy below threshold
  - P4 (Low): Cost overrun due to excessive token usage

■ Response Procedures
  - P1: Immediately disable affected model endpoint, notify security team
  - P2: Quarantine affected model version, roll back to last known good
  - P3: Trigger retraining pipeline, increase monitoring frequency
  - P4: Adjust rate limits and budget caps, review usage patterns

■ Post-Incident Requirements
  - Root cause analysis within 48 hours for P1/P2
  - Update prompt injection test suite with new attack vectors
  - Review and update guardrails configuration

Quick reference: HTTP status codes

Security-relevant HTTP status codes used in API design.

Code | Meaning | Use case
400 | Bad Request | Input validation error
401 | Unauthorized | Authentication required, or the token is invalid
403 | Forbidden | Authenticated but insufficient permission
404 | Not Found | Resource does not exist (can also be returned instead of 403 so as not to reveal that the resource exists)
405 | Method Not Allowed | HTTP method not permitted
413 | Payload Too Large | Request body exceeds the size limit
422 | Unprocessable Entity | Syntactically correct but semantically wrong
429 | Too Many Requests | Rate limit exceeded
500 | Internal Server Error | Internal server error (hide the details)