Platform functions-application security settings
1. Product Introduction
Applications can obtain and operate on user, product, order and other data by calling the API provided by TOP once the user has authorized them. To prevent this data from being leaked or maliciously tampered with, TOP provides applications with a range of security services: sensitive operation protection, IP whitelist setting, server hosting on Wanwang, black box vulnerability scanning, setting the number of authorized users, API call monitoring and user authorization monitoring. An application security index is built from the data collected by these services, giving a single measure of an application's security status.
2. Product details
1. Service details

Serial number | Service name | Service introduction | Details | Entrance
--- | --- | --- | --- | ---
1 | Sensitive operation protection | To protect open platform operations, secondary verification is required when viewing or resetting the Secret, modifying callback URLs, and deleting applications. | Click here to view details | Developer Center -> Security Center -> Sensitive Operation Protection, as shown below:
2 | Set IP whitelist | Lets developers set an IP whitelist for their servers. Once it is set, the AppKey may only be used to call the API from server IPs within the whitelist; calls from non-whitelisted IPs are rejected. Even if the AppKey and Secret are stolen, an API request that is not initiated from your server IP is rejected by TOP (the error message is shown below the table). | Click here to view the IP whitelist list | 1. Developer Center -> Security Center -> IP whitelist settings, as shown below: 2. Developer Center -> left side of the application page, as shown below:
3 | Server host in Wanwang | China Wanwang provides exclusive customized cloud hosts for Taobao open platform ISV users, using the same computer room environment and lines as Taobao; interconnection with Taobao's intranet complies with Taobao's host security requirements by default. Hosting the server on Wanwang guarantees the security of the server. | Click here to view details | Developer Center -> left side of the application page, as shown below:
4 | Black box vulnerability scanning | Through TOP active monitoring, we help ISVs discover application defects and improve application quality. | Click here to view details | Developer Center -> Monitoring Center -> Defect List, as shown below:
5 | Set the number of authorized users | The application faces user groups of different sizes, and the corresponding security levels differ. | | Developer Center -> left side of the application page, as shown below:
6 | API call monitoring | According to the security measures taken by the application, the scope of access when the application calls the API is determined to be different. | System monitoring | None
7 | User authorization monitoring | Monitors sudden increases and decreases in the application's number of authorized users. | System monitoring | None

The error message returned for a call rejected by the IP whitelist (service 2) is as follows:

```xml
<error_response>
  <code>11</code>
  <msg>Insufficient isv permissions</msg>
  <sub_code>isv.permission-ip-whitelist-limit</sub_code>
  <sub_msg>The appkey 123456789 is only allowed to call from *.*.*.*, but your ip is #.#.#.#</sub_msg>
</error_response>
```
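To make the IP whitelist rule concrete, the following is an added Python example written for this page; it is not code from TOP or from the Taobao open platform. It re-creates the gate described for service 2 (a correct AppKey is still rejected when the request does not come from a whitelisted address), builds the rejection in the same shape as the error message above, and then parses such responses so that an ISV's own monitoring can count whitelist rejections per AppKey and source IP. Repeated rejections from an address you do not own are a signal that the AppKey and Secret may have leaked; rejections from your own new server usually mean the whitelist was not updated after a migration. The whitelist contents, the CIDR notation, the sample call list and the way allowed addresses are listed in `sub_msg` are all constructed assumptions; the document itself only shows masked single addresses.

```python
"""IP whitelist gate and rejection triage, modelled on the TOP error message (added example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample whitelist keyed by AppKey. CIDR entries are an assumption;
# the document only shows masked single addresses (*.*.*.*).
WHITELIST = {
    "123456789": ["203.0.113.10", "198.51.100.0/24"],
}

# Error message shape copied from the document (addresses are masked there).
SAMPLE_ERROR = (
    "<error_response><code>11</code><msg>Insufficient isv permissions</msg>"
    "<sub_code>isv.permission-ip-whitelist-limit</sub_code>"
    "<sub_msg>The appkey 123456789 is only allowed to call from *.*.*.*, "
    "but your ip is #.#.#.#</sub_msg></error_response>"
)

WHITELIST_SUB_CODE = "isv.permission-ip-whitelist-limit"

# Pulls the AppKey, allowed addresses and offending IP out of sub_msg.
SUB_MSG_RE = re.compile(
    r"The appkey (?P<appkey>\S+) is only allowed to call from (?P<allowed>.+?), "
    r"but your ip is (?P<ip>\S+)$"
)


def is_whitelisted(appkey, client_ip):
    """True when client_ip falls inside an entry registered for appkey.
    An AppKey without a whitelist is unrestricted, matching 'after setting' in the text."""
    entries = WHITELIST.get(appkey)
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in entries)


def whitelist_error(appkey, client_ip):
    """Build the rejection with the same codes and wording as the documented message.
    Listing every allowed entry in sub_msg is an assumption (the document masks them)."""
    root = ET.Element("error_response")
    ET.SubElement(root, "code").text = "11"
    ET.SubElement(root, "msg").text = "Insufficient isv permissions"
    ET.SubElement(root, "sub_code").text = WHITELIST_SUB_CODE
    ET.SubElement(root, "sub_msg").text = (
        f"The appkey {appkey} is only allowed to call from "
        f"{', '.join(WHITELIST[appkey])}, but your ip is {client_ip}"
    )
    return ET.tostring(root, encoding="unicode")


def gate_call(appkey, client_ip):
    """Server-side gate: None lets the call proceed, otherwise the error XML is returned.
    Signature validity is deliberately out of scope: the point of the service is that
    even a valid AppKey/Secret pair is refused from a non-whitelisted address."""
    if is_whitelisted(appkey, client_ip):
        return None
    return whitelist_error(appkey, client_ip)


def parse_error_response(xml_text):
    """Extract the fields a monitoring job needs from a TOP error_response document."""
    root = ET.fromstring(xml_text)
    if root.tag != "error_response":
        return None
    result = {child.tag: (child.text or "") for child in root}
    match = SUB_MSG_RE.match(result.get("sub_msg", ""))
    if match:
        result["appkey"] = match.group("appkey")
        result["allowed"] = match.group("allowed")
        result["client_ip"] = match.group("ip")
    return result


def is_whitelist_rejection(xml_text):
    parsed = parse_error_response(xml_text)
    return bool(parsed) and parsed.get("sub_code") == WHITELIST_SUB_CODE


# Constructed sample traffic as (appkey, client_ip) pairs seen by the gate.
SAMPLE_CALLS = [
    ("123456789", "203.0.113.10"),
    ("123456789", "192.0.2.5"),
    ("123456789", "192.0.2.5"),
    ("123456789", "198.51.100.200"),
]


def rejections_by_source(calls):
    """Count whitelist rejections per (appkey, client_ip); the input to an alert rule."""
    counts = {}
    for appkey, client_ip in calls:
        response = gate_call(appkey, client_ip)
        if response is not None and is_whitelist_rejection(response):
            info = parse_error_response(response)
            key = (info["appkey"], info["client_ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for source, n in rejections_by_source(SAMPLE_CALLS).items():
        print(f"appkey {source[0]}: {n} rejected call(s) from {source[1]}")
```

Feed `rejections_by_source` the responses your client actually logs rather than the constructed list, and alert on any source address that is not one of your own servers.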
2. View the application security index

1. Manage certificate page: click "Application Management" -> "Manage Certificate".
2. Security service page: click "Security Center" -> "Application Health Index".

Notes:

1. TAE is currently only open to store module applications.
2. The IP whitelist is set in: Developer Center -> Security Center -> IP whitelist setting.
3. "Using the user SDK" means:
   a. B/S applications need to add the user SDK to every page the user uses (the public page header is recommended) so that the user's usage behaviour can be verified. An application that does not use this user SDK is treated by the platform as an application without user operation. The user SDK is:

```html
<script type="text/javascript" src="http://a.tbcdn.cn/apps/isvportal/securesdk/securesdk.js" id="J_secure_sdk_script" data-appkey="xxxxxxx"></script>
```

   (replace xxxxxxx with your own AppKey)
   b. C/S applications are not affected for the time being.
4. Security vulnerabilities: see Developer Center -> Monitoring Center -> Defect List.

3. Security level

For related information about security levels, please refer to the document: //open.taobao.com/doc/detail.htm?id=1002#s2

4. Security specifications

To ensure the security of applications on the open platform, we have formulated detailed application security specifications and require all third-party applications that access the Taobao open platform to strictly abide by them. For the specific security specifications, please refer to the document: //open.taobao.com/doc/detail.htm?spm=a219a.7386797.0.0.bBwnPn&id=813

FAQ

There is no FAQ for this document.