Privacy on the web

People use websites for several important tasks such as banking, shopping, entertainment, and paying their taxes. In doing so, they are required to share personal information with those sites. Users place a certain level of trust in the sites they share their data with. If that information fell into the wrong hands, it could be used to exploit users, for example by profiling them, targeting them with unwanted ads, or even stealing their identity or money.

Modern browsers already have a wealth of features to protect users' privacy on the web, but that's not enough. To create a trustworthy and privacy-respecting experience, developers need to educate their site users in good practices (and enforce them). Developers should also create sites that collect as little data from users as possible, use the data responsibly, and transport and store it securely.

In this article, we:

  • Define privacy and important related terms.
  • Examine browser features that automatically protect user privacy.
  • Look at what developers can do to create privacy-respecting web content that minimizes the risk of users' personal information/data being obtained unexpectedly by third parties.

Defining privacy terms and concepts

Before we look at the various privacy and security features available to use on the web, let's define some important terms.

Privacy and its relationship with security

It is hard to talk about privacy without also talking about security. They are closely related, and you can't really create privacy-respecting websites without good security. Therefore, we shall define both.

  • Privacy refers to the act of giving users the right to control how their data is collected, stored, and used, and not using it irresponsibly. For example, you should clearly communicate to your users what data you are collecting, who it will be shared with, and how it will be used. Users must be given a chance to consent to your terms of data usage, have access to all of the data you are storing about them, and delete it if they no longer wish you to have it. You must also comply with your own terms: nothing erodes user trust like data being used and shared in ways they never consented to. This isn't just ethically wrong; it could also be illegal. Many parts of the world now have legislation that protects consumer privacy rights (for example the EU's GDPR).
  • Security is the act of protecting private data and systems from unauthorized access. This includes both company (internal) data and user and partner (external) data. It is no use having a robust privacy policy that makes your users trust you if your security is weak and malicious parties can steal their data anyway.

Personal and private information

Personal information is any information that describes a user. Examples include:

  • Physical characteristics such as height, gender expression, weight, hair color, or age
  • Postal address, email address, phone number, or other contact information
  • Passport number, bank account, credit card, social security number, or other official identifiers
  • Health information such as medical history, allergies, or ongoing conditions
  • Usernames and passwords
  • Hobbies, interests, or other personal preferences
  • Biometric data such as fingerprints or facial recognition data

Private information is any information that users do not want shared publicly and must be kept private (i.e., information that is accessible only by a certain group of authorized users). Some private data is private by law (for example medical data), and some is private more by personal preference.

Personally identifiable information

Following on from the above section, personally identifiable information (PII) is information that can be used, in whole or in part, to track down and/or identify a specific person. For example, if a site leaks a list of users' names and zip codes online, a bad actor could almost certainly use this information to find their full addresses. Even if a full-scale leak does not happen, it is still possible to identify users through less obvious means, such as the browser they are using, the device they are using, specific fonts they have installed, and so on.

Tracking

Tracking refers to the process of recording a user's activity across many different websites. This can be done in various ways, for example:

  • Looking at multiple third-party cookies set across different sites that embed third-party content, to find out various data points about the user.
  • Looking at the Referer header to see where a user navigated from.
  • Including parameters in the URL of an inbound link (for example, in an embedded ad or a marketing email that links to a product page) that reveal to the linked site where the link came from, which marketing campaign it belongs to, the email address or other identifier of the user who clicked it, and so on. This process is called link decoration, and results in link URLs that look like this: https://example.com/article/?id=62yhgt1a&campaign=902
  • Redirect tracking, which involves a tracker momentarily (and imperceptibly) redirecting the user to their site, so that they can use first-party storage to track that user across sites. This lets a tracker work around blocked third-party cookies. For example, if you read a product review and want to click through to buy it, you might unknowingly navigate to the redirect tracker first, and then on to the retailer. This means the tracker is loaded as a first party and can associate tracking data with the identifiers it has stored in first-party cookies before forwarding you to the retailer.

Tracking data can be used to build a profile of a user and their interests and preferences, which is usually bad and can be annoying to varying degrees. For example:

  • Targeted ads: Everyone has had the unnerving experience of researching some items to buy on one device and then suddenly being bombarded by ads for the same products on all their other devices.
  • Selling or sharing data: Some third parties are known to compile tracking data and then sell it to/share it with others to use for various purposes, such as targeted ads. This is obviously highly unethical and may also be illegal, depending on where in the world it happens.
  • Prejudice through data: In the worst cases, shared data could result in the user being unfairly disadvantaged. For example, imagine an insurance company finding out data points about a potential customer that they didn't consent to share, and using them as justification for raising insurance premiums.

Fingerprinting

A process very closely related to tracking is fingerprinting: this specifically refers to identifying users by building up a store of data points about them that differentiate them from other users. This could be anything from cookie contents to what browser they are using and what fonts they have installed locally.

Modern browsers take steps to help prevent fingerprinting-based attacks by either not allowing information to be accessed or, where the information must be made available, by introducing variations or "noise" that prevent it from being used for identification purposes.

For example, if a website queries a user's browser for the elapsed time, a comparison of that time to the time reported by the server might be useful as a factor in fingerprinting. Because of this, browsers typically introduce a small amount of variability to timers to make them less useful for identifying the user's system.

Note: See Fingerprinting on web.dev for additional useful information.

Privacy features provided by browsers

Browser vendors are aware of the need to protect user privacy and the negative effects of tracking, fingerprinting, etc., on user experience. To this end, they have implemented various features that enhance privacy protection and/or mitigate threats. In this section, we look at different categories of privacy protection that browsers apply automatically.

HTTPS by default

Transport Layer Security (TLS) provides security and privacy by encrypting data during transport over the network and is the technology behind the HTTPS protocol. TLS is good for privacy because it stops third parties from being able to intercept transmitted data and use it maliciously, for example for tracking.

All browsers are moving towards requiring HTTPS by default; this is practically the case already because you can't do much on the web without this protocol.

Related topics are as follows:

Certificate Transparency

An open standard for monitoring and auditing certificates, creating a database of public logs that can be used to help identify incorrect or malicious certificates.

HTTP Strict Transport Security (HSTS)

HSTS is used by servers to protect themselves from protocol downgrade and cookie hijacking attacks by letting sites tell clients that they can only use HTTPS to communicate with the server.

HTTP/2

While HTTP/2 technically does not have to use encryption, most browser developers only support it when used with HTTPS; so in that regard, it can be thought of as a security/privacy enhancement.

Opt-in for "powerful features"

So-called "powerful" web API features that provide access to potentially sensitive data and operations are available only in secure contexts, which basically means HTTPS-only. Not only that, but these web features are gated behind a system of user permissions. Users have to explicitly opt in to features like allowing notifications, accessing geolocation data, making the browser go into fullscreen mode, accessing media streams from webcams, using web payments, etc.

Anti-tracking technology

Browsers have implemented several anti-tracking features that automatically enhance their users' privacy protection. Many of these block or limit the ability of third-party sites embedded in <iframe>s to access cookies set on the top-level domain, run tracking scripts, etc.

Privacy considerations for client-side developers

There are several actions web developers can and should take to improve privacy for their users. The sections below discuss the most important ones. Some of the categories are not purely technical tasks as such and will involve collaboration with other team members.

Collect data ethically

Companies collect lots of different data from their users for a variety of reasons:

  • Usernames, passwords, emails, etc., for authentication purposes.
  • Emails, postal addresses, and phone numbers for communication.
  • Age, gender, geographical location, favorite pastimes, and all kinds of other PII for anything from site personalization to customer satisfaction surveys.
  • Browsing habits on their sites and other sites, to measure page and feature success metrics.
  • And much more.

When collecting data from your customers, you have an opportunity to behave with integrity, show them that you are trustworthy, and build a great relationship with them, in turn improving your brand and your chance of success.

The ethics of data collection can be broken down into three simple principles:

  • Don't collect more data than you need
  • Communicate clearly how you are going to use the data you collect
  • Delete the data once you have finished with it

Note: The tips provided below make for a better, more privacy-aware user experience, but many of them are required by law to comply with regulations, for example the GDPR in the EU. You should make sure to find out what regulations apply to you in your locale, and what you need to do to comply with them.

Don't collect more data than you need

It is tempting to ask for a lot of data from your users because you think it might be useful in the future. However, every bit of extra data you collect adds risk to your users' privacy and increases the chance that they will abandon the step they are performing (whether it is filling out a survey or signing up for a service).

It is good to anonymize data. You should also consider whether you can get what you need by making your data request less granular. As an example, instead of asking a user for their favorite products, you could ask them to select between more general categories.

The best way to protect user privacy, though, is to minimize the data you collect. Referring to the previous example, you could infer the same data by looking at the user's purchase history. As another example, users appreciate being able to buy products anonymously. You shouldn't force them to sign up for an account; if it's not necessary for the service to operate, it should be their choice.

Communicate clearly how you are going to use the data you collect

Once you have decided what data you are going to collect, you should publish a privacy policy on your site that clearly states:

  • What data you collect
  • How you use the data
  • Which parties you share the data with, if any, and a statement that you will ask for the user's consent before sharing
  • How long you keep the data before deleting it
  • How users can see the data you have collected from them, and delete it if they want to

When providing you with data, your users should be given an opportunity to read your privacy policy and consent to it. They should be able to control whether they are happy with this and agree to your terms. And as indicated above, they should also get to see what data of theirs you have collected, and delete it if they want to.

When you've published your privacy policy, you need to make sure that you comply with it. Doing what you say you are going to do is very important in building user trust. You should only collect the data you say you'll collect, and only use it for the purpose you say you'll use it for. If someone from your company comes up with a clever new way to use existing data, that still isn't OK under the terms of your policy if it doesn't specify that you'll use it for that purpose. If users consented to the use of their data for a specific purpose and that purpose expands, you may have to consider obtaining new consent.

Delete the data once you have finished with it

Earlier on, we mentioned giving users a way to see what data of theirs you have collected, and delete it if they want to. You could do this as part of the same experience they use to delete their account (their data goes with it), or make them two separate options. Either way, the options should be easy to find.

Allowing the user to choose when significant portions of their data get deleted is very empowering and builds trust, but there may be some bits of data that you will want to handle the deletion of yourself. For example, some data might only be used for a few hours or minutes and then deleted, like data that is used during the administration of a user's session while they are logged in.

Note: The Clear-Site-Data HTTP response header is very useful for clearing short-lived user data. It instructs the browser to clear out its cache and/or cookies and/or storage (e.g. Web Storage or IndexedDB data) for the site. For example, you might have your server send it along with a "logged out confirmation" page so that once the user is logged out, their data is safely removed. Note that the header is only honored over HTTPS.
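As an added example (not code from the article), the following Node.js-style handler builds the "logged out" response described above. The session cookie name, the confirmation page body, and the assumption that the server-side session record has already been destroyed are all illustrative choices.

```javascript
// Added example (not from the article): the response a server can send once
// it has invalidated the user's session. The cookie name "session" and the
// confirmation page body are assumptions.

const CLEAR_SITE_DATA_DIRECTIVES = new Set(['cache', 'cookies', 'storage', 'executionContexts', '*']);

// Build the headers and body for the "logged out" confirmation page.
// Clear-Site-Data takes a comma-separated list of quoted directives; "*"
// means everything, but listing what you intend to clear documents it.
function buildLogoutResponse(directives = ['cache', 'cookies', 'storage']) {
  for (const d of directives) {
    if (!CLEAR_SITE_DATA_DIRECTIVES.has(d)) {
      throw new Error(`unknown Clear-Site-Data directive: ${d}`);
    }
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Clear-Site-Data is only honoured over HTTPS; expiring the session
      // cookie explicitly also covers clients that do not support the header.
      'Set-Cookie': 'session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax',
      'Clear-Site-Data': directives.map((d) => `"${d}"`).join(', '),
      // The confirmation page itself must never be served from cache later.
      'Cache-Control': 'no-store',
    },
    body: '<!doctype html><p>You have been logged out.</p>',
  };
}

// Request handler in the shape Node's http.createServer expects. Only a POST
// logs the user out, so a prefetched or link-triggered GET cannot do it.
function logoutHandler(req, res) {
  if (req.method !== 'POST') {
    res.writeHead(405, { Allow: 'POST' });
    res.end();
    return;
  }
  // Assumed: the server-side session record has already been destroyed at
  // this point, so the cleared cookie value cannot simply be replayed.
  const { status, headers, body } = buildLogoutResponse();
  res.writeHead(status, headers);
  res.end(body);
}

// Wire it up with: require('node:http').createServer(logoutHandler).listen(8443)
// behind TLS termination; shown as a comment so the module runs stand-alone.
console.log(buildLogoutResponse().headers);
```

One caveat worth knowing before copying this: the "cookies" directive clears every cookie for the site's registrable domain, including ones unrelated to the session such as a stored consent preference. If you need those to survive logout, drop "cookies" from the list and rely on the explicit Max-Age=0 expiry of the session cookie shown above.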

Cut down on tracking

Earlier on we discussed tracking, and some of the unethical purposes it is used for. We shouldn't have to spell out how such uses can erode user trust; wherever possible, you should only use potential tracking mechanisms like third-party cookies for ethical uses, such as transferring sign-in or other personalization status across sites.

Also recall from earlier that browsers are all starting to block third-party cookies by default, while implementing alternative technologies to achieve common use cases. It is a good idea to prepare for this by limiting the amount of tracking activity you rely on, and/or implementing the desired information persistence in other ways. See Transitioning from third-party cookies for more information.
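One concrete way to limit the tracking your own site participates in is to drop link decoration as soon as a visitor lands, keeping only the query parameters your application actually uses. The JavaScript below is an added example, not part of the article; it reuses the article's sample decorated URL, and the allowlist of "needed" parameters (only id) and the campaign counter are assumptions made for illustration.

```javascript
// Added example (not from the article). The allowlist of parameters your
// own application uses is an assumption; here only "id" is needed.
function stripLinkDecoration(urlString, keepParams) {
  const url = new URL(urlString);
  const keep = new Set(keepParams);
  const removed = new Set();
  // Snapshot the names first: deleting while iterating the live
  // URLSearchParams object would skip entries.
  for (const name of [...url.searchParams.keys()]) {
    if (!keep.has(name)) {
      removed.add(name);
      url.searchParams.delete(name); // removes every value for that name
    }
  }
  // When no parameters remain the URL serializes without a trailing "?".
  return { url: url.toString(), removed: [...removed] };
}

// Aggregate use of a decoration parameter without storing it per visitor:
// count campaign hits, never the identity of who arrived. The Map stands in
// for a counter store (assumption).
const campaignHits = new Map();

function recordCampaignHit(urlString) {
  const campaign = new URL(urlString).searchParams.get('campaign');
  if (campaign !== null) {
    campaignHits.set(campaign, (campaignHits.get(campaign) || 0) + 1);
  }
  return campaign;
}

function campaignHitCount(campaign) {
  return campaignHits.get(campaign) || 0;
}

// In the browser, run this on the landing page and rewrite the address bar
// so the decoration does not survive reloads, bookmarks, or the Referer sent
// to the next site (shown as a comment so the module also runs under Node):
//   recordCampaignHit(location.href);
//   const { url } = stripLinkDecoration(location.href, ['id']);
//   if (url !== location.href) history.replaceState(null, '', url);

const PAGE_EXAMPLE = 'https://example.com/article/?id=62yhgt1a&campaign=902';
recordCampaignHit(PAGE_EXAMPLE);
console.log(stripLinkDecoration(PAGE_EXAMPLE, ['id']));
```

An allowlist is deliberately used rather than a denylist of known tracker parameter names: new decoration schemes appear constantly, and a parameter your code never reads has no reason to be persisted anywhere.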

Carefully manage third-party resources

Of course, it would be easy to manage privacy if you were only worried about resources you have created (code, cookies, sites, etc.). The real challenge comes from the fact that your site will likely use third-party resources. This can include third-party content embedded in <iframe>s, libraries, frameworks, APIs, externally hosted resources such as images and videos, etc.

Third-party resources are an essential part of modern web development, and they provide a lot of power. However, any third-party resource you allow onto your site potentially has the same permissions as your own resources; it all depends on how it is included on your site:

  • JavaScript running inside third-party content embedded in your site via an <iframe> is separated by the same-origin policy, meaning that it can't access other scripts and data included in the top-level browsing context.
  • However, a third-party script included directly in your page via a <script> element will have access to your other scripts and data, regardless of whether it is hosted on your site or another site. It is effectively first-party code. A malicious script included in this way could secretly steal your users' data, for example by sending it to a third-party server.

It is important to audit all of the third-party resources you use on your site. Make sure you know what data they collect, what requests they make and to whom, and what their privacy policies are. Your carefully designed privacy policy is useless if you use a third-party script that violates it.

Note: There are various tools out there that can help you build up a picture of what requests a site is making, for example the Request Map Generator.

Once you have audited your third-party resources and understand what they are doing, you should then consider their negatives as a trade-off for the value they bring. If a third-party script is free and really useful but collects quite a lot of user data, you could:

  1. Accept the trade-off, update your privacy policy to include details of it, and hope that it doesn't affect your users' trust too much.
  2. Look for an alternative, less data-hungry third-party tool.
  3. Build your own tool.

The following list provides some tips on how to mitigate the privacy risks inherent in using third-party resources:

  • When embedding third-party resources, consider whether there is a way to achieve the same or a similar effect with less privacy impact. For example, it might be fun to have a social media post viewer embedded on your site, but is it really necessary? Wouldn't a link to your social media page be sufficient? Also, some third-party services have privacy-enhancing options. See, for example, YouTube's Embed videos & playlists > Turn on privacy-enhanced mode.
  • Where possible, you should block third parties from receiving a Referer header when requests are made to them. This can be done in a fairly granular way, for example by including rel="noreferrer" on external links. Alternatively, you could set this more globally for the page or site, for example by using the Referrer-Policy header.

    Note: See also Referer header: privacy and security concerns.

  • Use the Permissions-Policy HTTP header to control access to "powerful features" APIs (such as notifications, geolocation data, access to media streams from webcams, etc.). This is useful for privacy because it stops third-party sites from doing unexpected things with these features, and users don't want to be needlessly bombarded by permission prompts they may not understand. You can also control the use of "powerful features" inside third-party sites embedded in <iframe> elements by specifying permissions policies inside an allow attribute on the <iframe> itself.

    Note: See also our Permissions-Policy guide for more information and examples, and permissionspolicy.com for useful tools including a policy generator.

  • Use the <iframe> sandbox attribute to allow or disallow the use of certain features inside content embedded in an <iframe>, including downloads, form submissions, modals, scripts, and more.
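The Permissions-Policy header and the <iframe> allow attribute from the two preceding items express the same policy in two different syntaxes, and the sandbox attribute from the last item is a separate, capability-based restriction. The JavaScript below is an added example, not from the article, that renders one policy in both forms and builds a restricted embed. The feature names are real policy-controlled features; the origins (https://pay.example.com, https://widget.example.net) and the subset of sandbox tokens checked are assumptions.

```javascript
// Added example (not from the article). Feature names are real
// policy-controlled features; the origins are assumptions.

// One policy, used for both the header and the <iframe> attribute: a feature
// maps to the origins allowed to use it. 'self' is the page's own origin,
// '*' is any origin, and an empty list disables the feature everywhere,
// including in this page's own code.
const POLICY = {
  geolocation: [],
  camera: ['self'],
  microphone: ['self'],
  payment: ['self', 'https://pay.example.com'],
  fullscreen: ['*'],
};

// Permissions-Policy header syntax: feature=(allowlist), with origins as
// quoted strings, self and * as bare tokens, and () meaning nobody.
function permissionsPolicyHeader(policy) {
  return Object.entries(policy)
    .map(([feature, origins]) => {
      if (origins.includes('*')) return `${feature}=*`;
      const items = origins.map((o) => (o === 'self' ? 'self' : `"${o}"`));
      return `${feature}=(${items.join(' ')})`;
    })
    .join(', ');
}

// <iframe allow> syntax differs: entries are separated by semicolons, self is
// written 'self', origins are unquoted, and a disabled feature is 'none'.
function iframeAllowAttribute(policy) {
  return Object.entries(policy)
    .map(([feature, origins]) => {
      if (origins.length === 0) return `${feature} 'none'`;
      const items = origins.map((o) => (o === 'self' ? "'self'" : o));
      return `${feature} ${items.join(' ')}`;
    })
    .join('; ');
}

// sandbox: an empty attribute denies everything; add back only what the embed
// needs. This is a subset of the tokens the spec defines (assumption).
// allow-scripts together with allow-same-origin lets a same-origin frame
// remove its own sandbox attribute, so that combination is refused for
// same-origin embeds.
const SANDBOX_TOKENS = new Set([
  'allow-scripts', 'allow-forms', 'allow-popups', 'allow-same-origin',
  'allow-modals', 'allow-downloads',
]);

function sandboxAttribute(needed, { sameOriginEmbed = false } = {}) {
  for (const t of needed) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  if (sameOriginEmbed && needed.includes('allow-scripts') && needed.includes('allow-same-origin')) {
    throw new Error('allow-scripts + allow-same-origin lets a same-origin frame escape its sandbox');
  }
  return needed.join(' ');
}

// Render the embed. Whatever the allow attribute grants is still capped by the
// Permissions-Policy header of the embedding page: the frame gets the
// intersection, never more than the parent document has.
function embedHtml(src, policy, sandboxTokens, options) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${esc(src)}" allow="${esc(iframeAllowAttribute(policy))}" sandbox="${esc(sandboxAttribute(sandboxTokens, options))}"></iframe>`;
}

console.log('Permissions-Policy: ' + permissionsPolicyHeader(POLICY));
console.log(embedHtml('https://widget.example.net/embed', POLICY, ['allow-scripts', 'allow-forms']));
```

Keeping the policy as data and deriving both serializations from it avoids the common drift where the header says one thing and the embed's allow attribute another; when auditing a third party, start from an empty sandbox and an all-'none' allow list and add back only what the audit shows the embed actually needs.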

Note: See Third parties over on web.dev for additional useful information on auditing and more.

Protect user data

You need to make sure that user data is transmitted and stored securely once you've collected it. This is more of a security topic, but it is worth mentioning here: a good privacy policy is useless if your security is lax and attackers can steal the data from you.

The tips below offer some guidance on protecting your users' data:

  • Security is hard to get right. When implementing a secure solution that involves data collection, particularly if it is sensitive data such as sign-in credentials, it makes sense to use a well-known solution from a reputable provider. For example, any respectable server-side framework will have built-in features to protect against common vulnerabilities. You could also consider using a specialized product for your purpose, such as an identity provider solution or a secure online survey provider.
  • If you want to roll your own solution for collecting user data, make sure you understand what you are doing. Hire an experienced server-side developer and/or security engineer to implement the system, and ensure it is tested thoroughly. Use multi-factor authentication (MFA) to provide better protection. Consider using a dedicated API such as Web Authentication or Federated Credential Management to streamline the client side of the app.
  • When collecting user sign-up information, enforce strong passwords so that your users' account details cannot be easily guessed. Weak passwords are one of the main causes of security breaches. Encourage your users to use a password manager to generate and store complex passwords; that way they don't have to worry about remembering them, or about creating a security risk by writing them down.
  • Don't include sensitive data in URLs. If a third party intercepts the URL (for example, via the Referer header, a proxy log, or browser history), they could steal that information. Use POST requests rather than GET requests to avoid this.
  • Consider using tools like Content Security Policy and Permissions Policy to enforce a set of feature usage on your site that makes it harder to introduce vulnerabilities. Be careful when doing this: if you block the usage of a feature that a third-party script relies on to work, you may end up breaking your site's functionality. This is something you can look into when auditing your third-party resources (see Carefully manage third-party resources).

See also