Site-wide Strict Field Checklist (Web version)
Supports filtering by module and by keyword and one-click copying of the curl command, so each field can be accepted on site one by one.
| Module | Field | Parameter / path | Observation endpoint | Expected result | Failure criterion | Verification command |
|---|---|---|---|---|---|---|
| Website & Origin | URL redirect | /redirect/301\|302\|307\|308 | /redirect/* | Returns the matching 30x plus Location | Status code or Location mismatch | `curl -sI __BASE__/redirect/302` |
| Website & Origin | Routing rules | /api/v1/* /api/v2/* /api/regexp/* | /api/v1/hello | Request hits the expected route | path/params mismatch | `curl -s __BASE__/api/v1/hello` |
| Website & Origin | Rewrite rules | /rewrite/source -> /rewrite/target | /rewrite/target/demo | matched=true | source not rewritten to target | `curl -s "__BASE__/rewrite/source/demo?keep=1"` |
| Security Access | WAF rule fields | enabled,humanVerifyMethod,enableSystemGlobalRules,conditionParam,conditionOperator,conditionValue,actionType | /waf/admin/status /waf/probe /waf/sql /waf/xss | Fields agree with matched/action/status | Field has no effect or verdict is wrong | `curl -s "__BASE__/waf/probe" \| jq` |
| Security Access | WAF inbound: JSON/form parameter probe | requestJSON/requestForm + has key/contains | /api/data | 403 when a malicious key name matches, 200 for normal requests | Match condition does not fire, or a normal request is wrongly blocked | `curl -s -X POST "__BASE__/api/data" -H "Content-Type: application/json" --data '{"__proto__":{"admin":true}}'` |
| Security Access | WAF inbound: upload filename probe | requestUpload + suffix | /api/upload | Dangerous extensions are blocked, normal files pass | Upload rule has no effect | `curl -s -X POST "__BASE__/api/upload" -F "file=@/dev/null;filename=shell.php;type=application/octet-stream"` |
| Security Access | "has key" index semantics probe (compared against origin) | target=args/json/form/headers/cookies + keyPath | /probe/has-key | exists=true/false agrees with whether the key/index actually exists | exists disagrees with reality | `curl -s "__BASE__/probe/has-key?target=args&key=debug&debug=true" \| jq` |
| Security Access | Access authentication: Basic | Authorization: Basic | /auth/basic | 401 without credentials, 200 with correct ones | Authentication has no effect | `curl -s -u yuanzhan:yuanzhan __BASE__/auth/basic` |
| Security Access | Hotlink protection (Referer) | enabled/allowDirectAccess/allowSameHost/allowDomains/denyDomains/checkOriginWhenNoReferer/excludeUrlPatterns/limitUrlPatterns | /referer/admin/status /referer/protected /referer/probe | Fields agree with status/reason/statusCode | Field has no effect or verdict is wrong | `curl -sI -e https://evil.example/a "__BASE__/referer/probe?path=/media/video.mp4"` |
| Security Access | User-Agent list | deny/allow | /ua/check | 403 when deny matches | Rule has no effect | `curl -sI -A curl/8.7 "__BASE__/ua/check?deny=curl,wget"` |
| Security Access | IP access restriction | deny/allow | /ip/check | 403 when deny matches | Rule has no effect | `curl -s "__BASE__/ip/check?deny=127.0.0.1"` |
| Cache & Delivery | Cache policy | /cache/* | /cache/etag /cache/lastmodified | Directives agree with observed behaviour | Cache policy abnormal | `curl -sI __BASE__/cache/etag` |
| Cache & Delivery | Range/If-Range | Range | /range/strict | 206/416 boundaries correct | Status code or Content-Range wrong | `curl -sI -H "Range: bytes=0-15" __BASE__/range/strict` |
| Cache & Delivery | Content compression | Accept-Encoding + compression.* | /encoding/gzip-response /compression/admin/status /compression/probe | gzip behaviour agrees with the compression policy verdict | Compression policy not in effect or verdict wrong | `curl -sI -H "Accept-Encoding: gzip" "__BASE__/compression/probe?path=/assets/app.js&mime=application/javascript&size=4096"` |
| Cache & Delivery | WebP negotiation | enabled/enableAvif/includeExts/includeMimePrefixes/minBytes/maxBytes/matchCondition | /webp/admin/status /webp/probe /webp/vary-accept | Fields agree with X-WebP-Converted/Reason/Target | Fields disagree with the verdict | `curl -sI -H "Accept: image/webp,image/*" "__BASE__/webp/probe?path=/img/demo.png&mime=image/png&size=4096"` |
| Protocol & Transport | HTTP header injection | X-Real-IP/XFF | /api/headers/forwarded-check | present=true and the value is correct | Field missing or value wrong | `curl -s __BASE__/api/headers/forwarded-check` |
| Protocol & Transport | WebSocket | enabled/allowAllOrigins/passRequestOrigin | /websocket/admin/status /websocket/probe /ws /ws/echo-headers | Fields agree with probe/handshake behaviour | Policy and handshake behaviour disagree | `curl -s -H "Origin: https://evil.example" __BASE__/websocket/probe` |
| Protocol & Transport | TLS/HTTPS detection | scheme/proto | /tls/info | scheme/xForwardedProto correct | Protocol detection wrong | `curl -s __BASE__/tls/info` |
| Protocol & Transport | Domain policy | Host | /domain/check | host agrees with the policy | Host mismatch | `curl -s -H "Host: demo.200cdn.xyz" __BASE__/domain/check` |
| Operations | Request limits | enabled,maxConcurrent,... | /req-limit/admin/status | 429/413/rate-limit behaviour correct | Limit not triggered, or triggered wrongly | `curl -s __BASE__/req-limit/admin/status` |
| Operations | Statistics & logs | X-Log-Trace | /stat/traffic /log/ping | Counters increase and the log entry is searchable | Counters unchanged or the log entry cannot be traced | `curl -s -H "X-Log-Trace: t1" __BASE__/log/ping` |
| Operations | Origin status-code probe (4xx/5xx) | /trigger-400\|500\|502\|503 /forbidden /not-found | /trigger-400 /trigger-500 /trigger-502 /trigger-503 /forbidden /not-found | Response code matches the path's meaning | Status code not as expected | `curl -s -o /dev/null -w "%{http_code}\n" __BASE__/trigger-500` |
| Operations | Outbound rules: status/redirect samples | status=301/400/403/404/500/502/503 | /redirect /trigger-* /forbidden /not-found | The target status code can be triggered reliably | Target status cannot be triggered reliably | `curl -sI __BASE__/redirect` |
| Operations | Outbound rules: responseBody sensitive-data samples | idCard/phone/sql/path/internalIP/trace/secret/card | /api/user-info /api/contact /api/db-error /api/path-leak /api/internal-info /api/exception /api/config /api/payment /api/full-info | Matching keywords are blocked or logged according to the rule | Keyword not matched, or misjudged | `curl -s __BASE__/api/full-info` |
| Operations | Outbound rules: bytesSent and large bodies | bytesSent threshold | /api/large-data | Exceeding the threshold triggers a block | Length threshold rule has no effect | `curl -s -o /dev/null -w "%{size_download}\n" "__BASE__/api/large-data?bytes=2097152"` |
| Cluster & Nodes | Cluster settings | cluster.* | /cluster/admin/status /cluster/probe/dispatch | Configuration agrees with scheduling behaviour | State out of sync or scheduling mismatch | `curl -s -X POST "__BASE__/cluster/admin/config?scheduler=hash"` |
| Cluster & Nodes | Node settings | node.* | /node/admin/status /node/probe/dispatch | Configuration agrees with availability | Still 200 after being disabled, or status mismatch | `curl -s -X POST "__BASE__/node/admin/config?enabled=0"` |