数据库安全防护措施
数据库安全防护措施
数据库安全是系统开发中不可忽视的关键环节。Koa2作为Node.js的轻量级框架,在构建后端服务时需结合多种策略确保数据安全。从基础的身份验证到复杂的加密机制,每个环节都需要针对性设计。
身份验证与授权
身份验证是数据库安全的第一道防线。JWT(JSON Web Token)在Koa2中实现较为常见:
const jwt = require('jsonwebtoken');
const koaJwt = require('koa-jwt');
app.use(koaJwt({
secret: 'your_secret_key',
algorithms: ['HS256']
}).unless({
path: [/^\/public/]
}));
基于角色的访问控制(RBAC)模型可细化权限管理:
// 中间件检查用户角色
const checkRole = (role) => async (ctx, next) => {
if (ctx.state.user.role !== role) {
ctx.throw(403, 'Forbidden');
}
await next();
};
// 路由中使用
router.get('/admin', checkRole('admin'), async (ctx) => {
// 管理员专属逻辑
});
数据加密存储
敏感数据必须加密存储,以下是使用bcrypt加密密码的示例:
const bcrypt = require('bcrypt');
const saltRounds = 12;
// 密码哈希处理
const hashPassword = async (plainText) => {
return await bcrypt.hash(plainText, saltRounds);
};
// 密码验证
const comparePassword = async (plainText, hash) => {
return await bcrypt.compare(plainText, hash);
};
对于信用卡号等敏感信息,建议使用AES-256加密:
const crypto = require('crypto');
const algorithm = 'aes-256-cbc';
const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
function encrypt(text) {
let cipher = crypto.createCipheriv(algorithm, key, iv);
let encrypted = cipher.update(text);
encrypted = Buffer.concat([encrypted, cipher.final()]);
return iv.toString('hex') + ':' + encrypted.toString('hex');
}
SQL注入防护
Koa2中应始终使用参数化查询,以下是使用knex.js的示例:
const knex = require('knex')({
client: 'mysql',
connection: { /* 配置 */ }
});
// 安全查询
router.get('/users', async (ctx) => {
const userId = ctx.query.id;
const users = await knex('users')
.where('id', userId) // 参数化处理
.select('*');
ctx.body = users;
});
输入验证同样重要,使用joi库进行模式验证:
const Joi = require('joi');
const userSchema = Joi.object({
username: Joi.string().alphanum().min(3).max(30).required(),
password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{8,30}$')),
email: Joi.string().email()
});
router.post('/users', async (ctx) => {
const { error } = userSchema.validate(ctx.request.body);
if (error) throw new Error(error.details[0].message);
// 继续处理
});
审计日志记录
完整的审计日志应包含操作上下文:
const fs = require('fs');
const path = require('path');
app.use(async (ctx, next) => {
const start = Date.now();
await next();
const latency = Date.now() - start;
const logEntry = {
timestamp: new Date(),
method: ctx.method,
path: ctx.path,
status: ctx.status,
latency: `${latency}ms`,
user: ctx.state.user?.id || 'anonymous',
ip: ctx.ip
};
const logPath = path.join(__dirname, 'audit.log');
fs.appendFileSync(logPath, JSON.stringify(logEntry) + '\n');
});
数据库连接安全
使用SSL加密数据库连接:
const knex = require('knex')({
client: 'pg',
connection: {
host: 'db.example.com',
user: 'user',
password: 'password',
database: 'mydb',
ssl: {
rejectUnauthorized: true,
ca: fs.readFileSync('/path/to/server-ca.pem'),
key: fs.readFileSync('/path/to/client-key.pem'),
cert: fs.readFileSync('/path/to/client-cert.pem')
}
}
});
连接池配置可防止资源耗尽:
{
pool: {
min: 2,
max: 10,
acquireTimeoutMillis: 30000,
idleTimeoutMillis: 30000
}
}
定期备份策略
实现自动化备份脚本:
const { exec } = require('child_process');
const cron = require('node-cron');
// 每天凌晨备份
cron.schedule('0 0 * * *', () => {
const backupCmd = `mysqldump -u ${user} -p${pass} ${db} > backup_${Date.now()}.sql`;
exec(backupCmd, (error) => {
if (error) console.error('备份失败:', error);
else console.log('备份成功');
});
});
敏感数据脱敏
API响应中隐藏敏感字段:
const maskFields = (obj, fields) => {
const masked = { ...obj };
fields.forEach(field => {
if (masked[field]) {
masked[field] = '******';
}
});
return masked;
};
router.get('/user/:id', async (ctx) => {
const user = await User.findById(ctx.params.id);
ctx.body = maskFields(user, ['password', 'ssn', 'creditCard']);
});
安全头部设置
Koa2中增强HTTP安全头部:
const helmet = require('koa-helmet');
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", 'cdn.example.com'],
styleSrc: ["'self'", "'unsafe-inline'"]
}
},
hsts: { maxAge: 31536000, includeSubDomains: true },
referrerPolicy: { policy: 'same-origin' }
}));
速率限制
防止暴力破解攻击:
const rateLimit = require('koa2-ratelimit');
const limiter = rateLimit.middleware({
interval: { min: 1 },
max: 100,
message: '请求过于频繁,请稍后再试',
prefixKey: ctx => ctx.ip + ctx.path // 按IP和路径区分
});
app.use(limiter);
环境变量管理
敏感配置应通过环境变量传递:
const dotenv = require('dotenv');
dotenv.config();
// 使用示例
const dbConfig = {
host: process.env.DB_HOST,
user: process.env.DB_USER,
password: process.env.DB_PASS
};
数据库防火墙规则
云数据库配置示例(AWS RDS):
// 安全组规则只允许特定IP访问
const aws = require('aws-sdk');
const rds = new aws.RDS();
const params = {
DBSecurityGroupName: 'my-db-sg',
CIDRIP: '203.0.113.12/32' // 只允许此IP访问
};
rds.authorizeDBSecurityGroupIngress(params, (err) => {
if (err) console.error(err);
});
定期安全扫描
集成漏洞扫描工具:
// 在CI/CD管道中添加安全检查
const { execSync } = require('child_process');
try {
console.log('Running security scan...');
execSync('npm audit --production');
execSync('npx snyk test');
} catch (error) {
console.error('安全扫描发现问题:');
process.exit(1);
}
数据最小化原则
GraphQL中实现字段级权限:
const { ApolloServer } = require('apollo-server-koa');
const server = new ApolloServer({
typeDefs,
resolvers,
context: ({ ctx }) => ({
user: ctx.state.user
}),
fieldResolver: (source, args, context, info) => {
if (info.parentType.name === 'User' &&
info.fieldName === 'email' &&
!context.user.isAdmin) {
return null; // 非管理员隐藏email字段
}
return source[info.fieldName];
}
});
零信任架构实施
持续验证的中间件示例:
const reauthMiddleware = async (ctx, next) => {
const sessionAge = Date.now() - ctx.session.lastVerified;
if (sessionAge > 30 * 60 * 1000) { // 30分钟重新验证
ctx.throw(401, '需要重新验证身份');
}
await next();
};
app.use(reauthMiddleware);
本站部分内容来自互联网,一切版权均归源网站或源作者所有。
如果侵犯了你的权益,请来信告知我们删除。邮箱:cc@cccx.cn
上一篇:数据库性能监控与调优
下一篇:多数据库混合使用策略
