Platform functions - Application security settings
1. Product Introduction
Applications obtain and operate on user, product, order and other data by calling the API that TOP provides, after the user has authorized them. To prevent this data from being leaked or maliciously tampered with, TOP provides applications with a range of security services: sensitive operation protection, IP whitelist setting, server hosting on Wanwang, black box vulnerability scanning, setting the number of authorized users, API call monitoring and user authorization monitoring. An application security index is built from the data these services collect, so that an application's security status can be measured uniformly.
2. Product details
1. Service details
Serial number | Service name | Service introduction | Details | Entrance
--- | --- | --- | --- | ---
1 | Sensitive operation protection | To protect open-platform operations, secondary verification is required when viewing or resetting the Secret, modifying callback URLs, and deleting applications. | Click here to view details | Developer Center -> Security Center -> Sensitive Operation Protection
2 | Set IP whitelist | Lets developers set an IP whitelist for their server. Once set, the AppKey may only be used to call the API from server IPs within the whitelist range; calls from non-whitelisted IPs are rejected. Even if the AppKey and Secret are stolen, an API request that is not initiated from your server IP is rejected by TOP with the following error: `<error_response><code>11</code><msg>Insufficient isv permissions</msg><sub_code>isv.permission-ip-whitelist-limit</sub_code><sub_msg>The appkey 123456789 is only allowed to call from *.*.*.*, but your ip is #.#.#.#</sub_msg></error_response>` | Click here to view the IP whitelist list | 1. Developer Center -> Security Center -> IP whitelist settings; 2. Developer Center -> left side of the application page
3 | Server hosting on Wanwang | China Wanwang provides exclusive customized cloud hosts for Taobao Open Platform ISV users, using the same machine-room environment and lines as Taobao, with Taobao intranet interconnection; by default these hosts comply with Taobao's host security requirements. Hosting the server on Wanwang therefore guarantees the server's security. | Click here to view details | Developer Center -> left side of the application page
4 | Black box vulnerability scanning | Through TOP's active monitoring, helps ISVs discover application defects and improve application quality. | Click here to view details | Developer Center -> Monitoring Center -> Defect List
5 | Set the number of authorized users | Applications face user groups of different sizes, and the corresponding security levels differ. | | Developer Center -> left side of the application page
6 | API call monitoring | The scope of access an application has when calling the API is determined by the security measures the application has taken. | System monitoring | None
7 | User authorization monitoring | Monitors sudden increases and decreases in the number of users who have authorized the application. | System monitoring | None
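The IP whitelist row above describes a server-side check and the XML error a rejected caller receives. The following is an added example, not TOP's own code: it models the whitelist check with CIDR ranges, builds the `error_response` in the format shown in the table, and on the client side recognizes the `isv.permission-ip-whitelist-limit` rejection so it can be alerted on (a rejection means a call was made from an IP you did not register, which is worth investigating). The AppKey `123456789`, the whitelist entries and all addresses are constructed sample values; the real TOP gateway's internals are not known here.

```python
"""Added example (not TOP's own code): a model of the IP-whitelist check and of
the error_response it returns, plus a client-side detector for that rejection."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample whitelist: AppKey -> allowed server IPs / CIDR ranges.
WHITELIST = {
    "123456789": ["203.0.113.10", "198.51.100.0/24"],
}


def ip_allowed(appkey: str, client_ip: str) -> bool:
    """True only if client_ip is inside one of the AppKey's whitelisted ranges.
    An AppKey with no whitelist configured is unrestricted (the page says the
    restriction applies only after the whitelist is set)."""
    ranges = WHITELIST.get(appkey)
    if not ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    # `in` is False for an address/network of mismatched IP versions
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def reject_response(appkey: str, client_ip: str) -> str:
    """Build the error_response TOP returns to a non-whitelisted caller.
    Element names and values follow the table above; the allowed range is
    masked as *.*.*.* exactly as the page shows it."""
    root = ET.Element("error_response")
    ET.SubElement(root, "code").text = "11"
    ET.SubElement(root, "msg").text = "Insufficient isv permissions"
    ET.SubElement(root, "sub_code").text = "isv.permission-ip-whitelist-limit"
    ET.SubElement(root, "sub_msg").text = (
        f"The appkey {appkey} is only allowed to call from *.*.*.*, "
        f"but your ip is {client_ip}"
    )
    return ET.tostring(root, encoding="unicode")


def handle_call(appkey: str, client_ip: str) -> str:
    """Gateway side: run the whitelist check before serving the API."""
    if ip_allowed(appkey, client_ip):
        return "<ok/>"  # stand-in for the real API result
    return reject_response(appkey, client_ip)


def is_whitelist_rejection(body: str) -> bool:
    """Client side: recognize the whitelist rejection by its sub_code so the
    application can log or alert on it instead of silently retrying."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return (root.tag == "error_response"
            and root.findtext("sub_code") == "isv.permission-ip-whitelist-limit")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        body = handle_call("123456789", ip)
        print(ip, "rejected" if is_whitelist_rejection(body) else "served")
```

The client-side detector keys on `sub_code` rather than on the human-readable `sub_msg`, since the message text (and the masked range in it) is the part most likely to change.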
2. View the application security index

1. Manage certificate page: click "Application Management" -> "Manage Certificate".
2. Security service page: click "Security Center" -> "Application Health Index".

3. View the application security service

Security service page: click "Security Center" -> "Application Health Index".

3. Rules

The application security level is calculated by the following formula:

[formula image not reproduced in this copy]

Where:

1. TAE is currently open only to store module applications.
2. The IP whitelist is set at: Developer Center -> Security Center -> IP whitelist setting.
3. "Using the user SDK" means:
   a. A B/S application must add the user SDK to every page the user visits (the shared page header is recommended) so that the user's usage behaviour can be verified. If the user SDK is not used, the platform treats the application as one without user operation. The user SDK is: `<script type="text/javascript" src="http://a.tbcdn.cn/apps/isvportal/securesdk/securesdk.js" id="J_secure_sdk_script" data-appkey="xxxxxxx"></script>` (replace xxxxxxx with your own appkey).
   b. C/S applications are not affected for the time being.

See: Developer Center -> Monitoring Center -> Defect List.

Application label | Default rule when created | Before the publishing service is reviewed and passed | After the publishing service is reviewed and passed
--- | --- | --- | ---
Taobao website | Only for your own use | Can only be used by yourself; "a small group" and "everyone" cannot be chosen | Only for your own use
Wireless buyer application | Used by a small number of people | You can choose "yourself" or "a small number of people", but not "everyone" | All three ranges are available
Buyer application | Used by a small number of people | You can choose "yourself" or "a small number of people", but not "everyone" | All three ranges are available
Online ordering application | Used by a small number of people | You can choose "yourself" or "a small number of people", but not "everyone" | All three ranges can be selected
Store module application | Used by a small number of people | You can choose "yourself" or "a small number of people", but not "everyone" | All three ranges are available
Merchant backend system | Used by a small number of people (5 people) | You can choose "yourself" or "a small number of people", but not "everyone" | Cannot be selected for use by everyone

For related information about security levels, refer to the document: //open.taobao.com/doc/detail.htm?id=1002#s2

4. Security specifications

//open.taobao.com/doc/detail.htm?spm=a219a.7386797.0.0.bBwnPn&id=813

FAQ
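Rule 3a above says a B/S application must carry the user SDK script on every page, and that pages without it are treated by the platform as having no user operation. The following is an added example, not TOP's or the SDK's own code: a small audit that parses each HTML page of an application and reports pages where the SDK `<script>` tag is missing, has the wrong `id`, or still carries the `xxxxxxx` placeholder instead of the application's own appkey. The three sample pages and the appkey `12345678` are constructed for the example; the `src` and `id` values are the ones quoted in rule 3a.

```python
"""Added example (not TOP's own code): audit that every page of a B/S
application includes the user SDK script tag described in rule 3a."""
from html.parser import HTMLParser

# Values taken from the script tag quoted in rule 3a above
SDK_SRC = "http://a.tbcdn.cn/apps/isvportal/securesdk/securesdk.js"
SDK_ID = "J_secure_sdk_script"


class _SdkTagFinder(HTMLParser):
    """Collect the attributes of every <script> whose src is the user SDK."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # attribute names arrive lower-cased
        if a.get("src") == SDK_SRC:
            self.found.append(a)


def sdk_problem(html: str, expected_appkey: str):
    """Return None if the page is correctly instrumented, otherwise a short
    description of what is wrong with it."""
    parser = _SdkTagFinder()
    parser.feed(html)
    if not parser.found:
        return "user SDK script missing"
    tag = parser.found[0]
    if tag.get("id") != SDK_ID:
        return "script id is not J_secure_sdk_script"
    if (tag.get("data-appkey") or "") != expected_appkey:
        return "data-appkey is not the application's own appkey"
    return None


def audit_pages(pages: dict, expected_appkey: str) -> dict:
    """Map each page path to its problem; correctly instrumented pages are omitted."""
    problems = {}
    for path, html in pages.items():
        problem = sdk_problem(html, expected_appkey)
        if problem is not None:
            problems[path] = problem
    return problems


# Constructed sample pages (appkey 12345678 is a placeholder, not a real key)
SAMPLE_APPKEY = "12345678"
SAMPLE_PAGES = {
    "/index.html": (
        '<html><head><script type="text/javascript" src="' + SDK_SRC + '" '
        'id="J_secure_sdk_script" data-appkey="12345678"></script></head>'
        '<body>home</body></html>'
    ),
    # header template not applied on this page: SDK tag absent
    "/orders.html": "<html><head><title>Orders</title></head><body>orders</body></html>",
    # placeholder appkey left in the tag
    "/settings.html": (
        '<html><head><script type="text/javascript" src="' + SDK_SRC + '" '
        'id="J_secure_sdk_script" data-appkey="xxxxxxx"></script></head>'
        '<body>settings</body></html>'
    ),
}


if __name__ == "__main__":
    for path, problem in audit_pages(SAMPLE_PAGES, SAMPLE_APPKEY).items():
        print(f"{path}: {problem}")
```

Run this over the rendered output of every route (for example the HTML a crawler fetches after login) rather than over templates, so that pages which bypass the shared header are caught as well.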