Update security-checklist-zh.md

jiacheo · web-flow · commit b6cd3c45178f · 2016-08-03T09:50:38.000+08:00
diff --git a/security-checklist-zh.md b/security-checklist-zh.md
@@ -13,10 +13,10 @@
 - [ ] 当解析用户注册/登陆的输入时，过滤 javascript://、 data:// 以及其他 CRLF 字符. 
 - [ ] 使用 secure/httpOnly cookies.
 - [ ] 移动端使用`OTP`验证时，当调用`generate OTP` 或者 `Resend OTP` API时不能吧OTP（One Time Password）直接返回。（一般是通过发送手机验证短信，邮箱随机code等方式，而不是直接response）  
-- [ ] Limit attempts to `Login`, `Verify OTP`, `Resend OTP` and `generate OTP` APIs for a particular user. Have an exponential backoff set or/and something like a captcha based challenge.
-- [ ] Check for randomness of reset password token in the emailed link or SMS.
-- [ ] Set an expiration on the reset password token for a reasonable period.
-- [ ] Expire the reset token after it has been successfully used.
+- [ ] 限制单个用户`Login`、`Verify OTP`、 `Resend OTP`、`generate OTP`等API的调用次数，使用Captcha等手段防止暴力破解.  
+- [ ] 检查邮件或短信里的重置密码的token，确保随机性（无法猜测）  
+- [ ] 给重置密码的token设置过期时间.
+- [ ] 重置密码成功后，将重置使用的token失效.
 
 
 ##### USER DATA & AUTHORIZATION
