Exclusive Interview | The Journey of Building CaoLiao QR Code's Content Security System

Original: https://cli.im/article/detail/2062

Note: WeChat Coral Safety is a small official communication site by Tencent focusing on internet content security. It deeply considers content security systems, popularizes security knowledge, discusses methodologies and experiences related to content security with the industry, and contributes to the healthy development of the WeChat ecosystem.

Scan a code to ride public transport, scan a code to open a webpage, scan a code to enter a residential area... QR codes have extended their reach into every aspect of life. You, reading this post right now, might have just completed a payment via QR code. Have you ever tried generating your own QR code?

Today, Xiao Shan's conversation is with the Mini Program team behind CaoLiao QR Code, dedicated to helping users generate and manage their own QR codes (supporting content like text, URLs, images, etc.). Their founding team foresaw the great potential of QR code technology as early as 2011. So, how did they build and refine their content security system throughout CaoLiao QR Code's development?

The Mini Program Platform Building Resumes for Everything

Opening the CaoLiao QR Code official website, you'll find this introduction on the homepage – a QR code generation and management platform free for everyone to use. As a convenient tool, CaoLiao QR Code provides users with integrated online services including QR code generation, content management, data storage, label printing layout, scan record management, and data analysis.

CaoLiao QR Code's vision is to build resumes for everything. Currently, they have over 8 million registered users and tens of thousands of paying enterprises, including well-known companies like China Railway, China State Construction, State Grid, IKEA, and PetroChina.

In 2017, recognizing WeChat's nearly nationwide user coverage, CaoLiao QR Code developed and launched its WeChat Mini Program in addition to its H5 web version. As the development team stated, "The WeChat Mini Program ecosystem allows us to more conveniently build permission systems for QR code access, recording, and related capabilities. The built-in plugins and APIs of Mini Programs also enable a better user experience."

Currently, CaoLiao QR Code boasts over 1.7 million daily active users, with 240 million QR code scans in 2019, ranking among the top 4 tool-based Mini Programs nationally. To date, it has generated billions of QR codes, covering industries such as trade and retail, construction, manufacturing, education and training, and lifestyle services.

Supporting such a large daily active user base is CaoLiao QR Code's mature technical framework:

The frontend is developed using the native Mini Program system, upon which an internal, higher-level development framework is built to enhance development efficiency and experience, featuring designs like global reactive data flow and cross-page communication mechanisms. On the backend architecture, services are horizontally split and fully containerized on the cloud, utilizing technologies like Kubernetes, cloud storage, cloud databases, message queues, and load balancing.

Regarding content security, CaoLiao QR Code combines machine review provided by cloud services with manual review. They have also summarized and developed a set of methods for identifying the characteristics of violating content and automatically screening and processing it, enabling quick identification of violating users and ensuring platform content security.

The Path to Self-Improvement of the Content Security System

As more and more users flooded in, the pressure on content security naturally increased.

In the early days, the CaoLiao QR Code security team primarily relied on manually reviewing content edit logs entry by entry to conduct content review. This was an enormous workload and required the team to invest more human resources.

Later, they introduced a review system based on content access volume, moving away from reviewing every single entry. This meant content was only reviewed once it reached a certain threshold of views. However, this method also had drawbacks, as it couldn't always promptly catch sensitive content.

In the autumn of 2018, a minor bug in the security system and a warning from relevant authorities triggered by one piece of violating content gave the CaoLiao QR Code team a serious scare. The security team responded and handled the situation quickly, conducting thorough reviews of the related issues and incidents. From then on, the CaoLiao QR Code team placed greater emphasis on testing the security system and performing daily stability checks. Simultaneously, the review system began integrating machine review for sensitive content.

In early 2019, multiple black industry groups were active, and the system at the time couldn't effectively combat them. Based on the observation that black industry teams generally have distinct group characteristics, the security team built a characteristic risk model to analyze these traits and proactively block accounts and content matching those characteristics. The CaoLiao security team also strengthened communication, liaison, and cooperation with government regulatory authorities, assisting in the takedown of several black industry groups.

Concurrently, the technical lead formed a small team of 6 people to refactor the content security system. After three months, they established the current review system, which combines a 'User Trust System + Machine Review supplemented by Human Intervention + Characteristic Risk Model'. Thus, the team built a relatively comprehensive content security system that remains in use today.
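As an added illustration (not CaoLiao's code), the sketch below shows one way the three parts named above, together with the earlier view-count rule, could combine into a single routing decision. Every threshold, field name and sample record is a constructed assumption; the article does not describe the real rules.

```python
from dataclasses import dataclass

# All thresholds, field names and sample data are constructed assumptions.
BLOCK_SCORE = 0.90      # machine score at or above this is blocked outright
REVIEW_SCORE = 0.40     # uncertain band starts here for ordinary accounts
LOW_TRUST = 0.30        # accounts below this trust level get a stricter band
VIEW_THRESHOLD = 1000   # earlier rule: widely viewed content gets a human look
MIN_SHARED_TRAITS = 2   # traits shared with a confirmed group to count as a match

@dataclass
class Submission:
    account_traits: frozenset   # e.g. signup batch, device id, landing domain
    trust: float                # 0.0 (new/unknown) .. 1.0 (long clean history)
    machine_score: float        # 0.0 (clean) .. 1.0 (violating), from machine review
    views: int = 0

def matches_risk_group(traits, known_groups):
    """Characteristic risk model: enough traits shared with a confirmed group."""
    return any(len(traits & group) >= MIN_SHARED_TRAITS for group in known_groups)

def route(sub, known_groups):
    """Return 'block', 'human' or 'publish' for one piece of content."""
    if matches_risk_group(sub.account_traits, known_groups):
        return "block"                      # proactive block on group traits
    if sub.machine_score >= BLOCK_SCORE:
        return "block"                      # machine review is confident
    # User trust system: low-trust accounts reach a reviewer at half the score.
    review_at = REVIEW_SCORE / 2 if sub.trust < LOW_TRUST else REVIEW_SCORE
    if sub.machine_score >= review_at:
        return "human"                      # uncertain band, human intervention
    if sub.views >= VIEW_THRESHOLD:
        return "human"                      # view-count rule kept as a backstop
    return "publish"

KNOWN_GROUPS = [frozenset({"batch:2019-01-07", "device:a1", "domain:promo.example"})]
SAMPLES = {
    "group_member": Submission(frozenset({"batch:2019-01-07", "device:a1"}), 0.5, 0.05),
    "new_account": Submission(frozenset({"device:z9"}), 0.1, 0.25),
    "trusted_user": Submission(frozenset({"device:k3"}), 0.9, 0.25),
    "went_viral": Submission(frozenset({"device:k4"}), 0.9, 0.05, views=5000),
}

if __name__ == "__main__":
    for name, sub in SAMPLES.items():
        print(name, route(sub, KNOWN_GROUPS))
```

The same machine score of 0.25 is published for the trusted account and sent to a reviewer for the new one, and the group member is blocked even though its content scores as clean, which is the gap the view-count rule alone left open.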

Regarding machine review, the CaoLiao QR Code security team revealed that as their Mini Program user base grew rapidly, they were preparing to try integrating the Coral Safety API for machine review in the later stages. This is because the accuracy of machine review can be unstable; recognition accuracy varies between different APIs, some products have high false-positive rates, and they might fail to identify certain specific scenarios. The Coral Safety API, being a product refined within the WeChat ecosystem, naturally aligns well with the content security needs of Mini Programs.

"A team's energy is, after all, limited. Most of the time, resources can only be invested in the most critical tasks. Therefore, a content security API like Coral Safety, based on the WeChat ecosystem, can actually significantly alleviate our cost pressures," said a member of the CaoLiao QR Code content security team.

Sharing the Content Security Expert's Guide to Avoiding Pitfalls

After years of continuous improvement, CaoLiao QR Code's security system has grown increasingly robust. Repeated 'real-world battles' have allowed the security team to accumulate substantial experience in content security prevention and control. CaoLiao QR Code even shared their own guide to avoiding pitfalls with Xiao Shan (Pay attention!).

WHERE: Identify where the risks come from.
WHY: Based on your business, determine how malicious content might appear in your product (prioritize).
ORDER: Based on risk level and your business, formulate corresponding security framework requirements (prioritize).
HOW: Based on security requirements, proceed with security system development and third-party service procurement (assess importance/feasibility).
STABILITY: Ensure all newly launched features correctly integrate into this system, preventing content oversight.
CHECK: Conduct regular functional checks and content patrols to ensure system stability and that no other vulnerability bugs are being exploited.

From this set of guidelines, it's clear that the CaoLiao QR Code team, with its massive user base, places great importance on content security. In fact, security awareness must precede all feature development and user operations. We hope the above insights inspire Mini Program developers/operators reading this article~

Article reprinted from WeChat Coral Safety: "Exclusive Interview | The Journey of Building CaoLiao QR Code's Content Security System"