
Authoring Secure Web Apps

Most of the potential risk associated with deploying web apps comes from the code in each app. By limiting the features that your app uses and by following the secure coding practices listed here, you can reduce the potential risk to your applications.

Authentication and Authorization

If your app requires access to sensitive data or performs potentially dangerous actions, you can consider implementing your own authentication and authorization schemes. Consult your network security group for advice.

Do Not Call eval()

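The MATLAB® eval() function turns text strings into commands. This powerful feature allows users to execute arbitrary MATLAB code. That code can in turn execute any installed program that is available to a low-privileged user, and can access any file or data that a low-privileged user can access. Apps created for web deployment and access must not contain calls to eval(). See Alternatives to the eval Function for ways to eliminate eval() from your web app code. Relying on input sanitization can help mitigate the risk of any indirect calls to eval(). See Sanitize User Input (MATLAB Web App Server).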

Limit Free-Text User Input

Use menus, sliders, dials, and buttons instead of editable text fields in your app user interface. In addition to providing a better user experience, this practice limits the types of input users can provide, and the risks such inputs might introduce.

Sanitize User Input

To a security expert, user-supplied data is considered untrusted because user input is a common attack vector for hackers. If your app must accept free-text input, the app must carefully examine the input for potential code injection attacks, that is, text that contains special characters that coerce the app to interpret the input as commands rather than data.

In MATLAB, code injection attacks are most likely to be directed against XML, JSON, SQL, and other similar types of structured input. If your app accepts structured input, consult your IT or security group for suggestions on how to sanitize that input. It is never a good idea to allow the user to directly enter any type of code (such as MATLAB, Java®, or JavaScript®) for immediate evaluation.
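
The following added example (not MathWorks code) illustrates the guidance in Do Not Call eval() and in this section: free-text input is checked against an allow list and a strict numeric pattern, then dispatched through function handles instead of being evaluated. The function names applyUserOperation and validateText, the operation list, and the length limits are assumptions chosen for illustration.

```matlab
function y = applyUserOperation(opName, valueText)
% Apply a user-chosen operation to a user-supplied number without eval().
% Illustrative example; names, allow list and length limits are assumed.

    % Allow list: the only operations this app will ever run.
    allowed = containers.Map( ...
        {'sqrt', 'log10', 'abs'}, ...
        {@sqrt, @log10, @abs});

    % Both inputs are untrusted text: check type and length first.
    opName = validateText(opName, 16);
    valueText = validateText(valueText, 32);

    % The name must equal an allow-list key exactly. It is never passed
    % to eval, feval or str2func.
    if ~isKey(allowed, opName)
        error('app:badOperation', 'Unsupported operation.');
    end

    % Accept only a plain decimal literal. str2double does not evaluate
    % its input, unlike str2num, which calls eval internally.
    numPattern = '^[+-]?\d+(\.\d+)?([eE][+-]?\d+)?$';
    if isempty(regexp(valueText, numPattern, 'once'))
        error('app:badNumber', 'Value must be a decimal number.');
    end
    x = str2double(valueText);
    if ~isfinite(x)
        error('app:badNumber', 'Value is out of range.');
    end

    f = allowed(opName);   % function handle taken from the allow list
    y = f(x);
end

function txt = validateText(txt, maxLen)
% Return trimmed text, or raise an error if it is not short plain text.
    if isstring(txt) && isscalar(txt) && ~ismissing(txt)
        txt = char(txt);
    end
    if ~ischar(txt) || ~isrow(txt) || numel(txt) > maxLen
        error('app:badInput', 'Input must be 1 to %d characters of text.', maxLen);
    end
    txt = strtrim(txt);
    if isempty(txt)
        error('app:badInput', 'Input must not be blank.');
    end
end
```

With this function, applyUserOperation('sqrt', '16') returns 4, while an operation name outside the allow list or a value containing anything other than a decimal number raises an error before any computation runs.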

Sanitize Data Read from Files

Reading data from files exposes the app to the same types of risk as collecting interactive user input. The same countermeasures apply. Also, you can protect read-only data files from tampering by using a cryptographically secure hashing algorithm to digitally fingerprint the files.

Minimize File System Write Operations

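Restricting your app to read-only access significantly reduces the potential risk associated with the app. If you must write to the file system, remember that the server runs multiple copies of the app at the same time when multiple users access it simultaneously. You must manage simultaneous writes either by using unique file names generated at run time or by using a database, which can typically handle multiple simultaneous accesses. If simultaneous writes are not properly managed, data corruption can occur.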

Verify Trustworthiness of Third-Party Code

If your app includes MATLAB files, shared libraries, Java classes, or any other type of code developed by a third party, you must make sure that code is free of viruses, worms, Trojan horses, and other web-based attack and infiltration vectors. You can discuss this issue with the author of the code and your IT and security staff. In the case of binaries or Java classes, consider running a virus scanner or other security software on the code before including it in your deployed app.

Reduce Exposure Level

One way to reduce exposure is to limit the time that the app is running to only those times when it is needed. For example, do not run it continuously from your desktop.
