Meteor Security Essentials
Slides: http://talks.themeteorchef.com/meteor-security-essentials
Security should be a major part of every Meteor developer's planning. Without security, our applications are vulnerable to all kinds of attacks. This talk will go over some security essentials that you can (and should) use in your own applications. We'll take a look at:
Autopublish & Insecure
Why you should remove two packages that ship with Meteor by default and that otherwise make your app a field day for any in-the-know attacker.
Allow/Deny Rules
Defining rules for how the database can be manipulated from the client.
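As an added illustration (not code from the talk's repository), the allow/deny rule functions for a hypothetical `Posts` collection, written as plain functions so they can be exercised outside a running Meteor server; in an app they would be registered on the server with `Posts.allow(postsAllow)` and `Posts.deny(postsDeny)`, which is what governs client writes once `insecure` is gone. The collection name, field names and the sample document are assumptions.

```javascript
// Added example, not part of the original repository. The rule signatures
// follow Meteor's allow/deny API: insert(userId, doc), update(userId, doc,
// fieldNames, modifier) and remove(userId, doc).

// Top-level fields a logged-in owner may change from the client.
const EDITABLE_FIELDS = ['title', 'body'];

const postsAllow = {
  // Only a logged-in user may insert, and only a post they own.
  insert(userId, doc) {
    return !!userId && doc.owner === userId;
  },
  // Only the owner may update, and only the whitelisted fields.
  update(userId, doc, fieldNames /*, modifier */) {
    if (!userId || doc.owner !== userId) return false;
    return fieldNames.every((f) => EDITABLE_FIELDS.includes(f));
  },
  // Only the owner may remove.
  remove(userId, doc) {
    return !!userId && doc.owner === userId;
  },
};

// Deny rules are evaluated first and win if any of them returns true. This one
// blocks every attempt to reassign ownership, whatever the allow rules say.
const postsDeny = {
  update(userId, doc, fieldNames /*, modifier */) {
    return fieldNames.includes('owner');
  },
};

// Mirrors Meteor's decision for a client-initiated update: rejected if a deny
// rule returns true, otherwise accepted only if an allow rule returns true.
function clientUpdateAllowed(userId, doc, fieldNames, modifier) {
  if (postsDeny.update(userId, doc, fieldNames, modifier)) return false;
  return postsAllow.update(userId, doc, fieldNames, modifier);
}

// Constructed sample document for trying the rules out.
const samplePost = { _id: 'p1', owner: 'alice', title: 'Hello', body: 'First post' };

// Owner editing the title: allowed. Someone else, or a change to `owner`: rejected.
console.log(clientUpdateAllowed('alice', samplePost, ['title'], { $set: { title: 'Hi' } }));
console.log(clientUpdateAllowed('bob', samplePost, ['title'], { $set: { title: 'Hi' } }));
console.log(clientUpdateAllowed('alice', samplePost, ['owner'], { $set: { owner: 'alice' } }));
```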
Publications & Subscriptions
Making use of Meteor's `publish` and `subscribe` methods to control what data is accessible on the client, and when.
Check & Audit Argument Checks
Installing the `check` package and its companion `audit-argument-checks` to validate arguments passed to server-side methods.
Browser Policy
Installing and configuring the `browser-policy` package to control which content can be loaded in your app and whether your app can be framed.
Settings.json
Storing sensitive information like API keys in `settings.json`, and how to share specific information with the client and with the server.
Additional Security Techniques
Techniques that can be added on an as-needed basis, in addition to what's outlined above:
- Adding accounts
- Adding schemas to your collections
- Using "Hooks" in Iron Router
- Creating server-only methods
- Adding client-side validation to forms
What's in here?
This repository includes example implementations of each of the concepts above. Each example is fairly generic, so make sure to research how the techniques we'll discuss will play into your application before you go into production.
Note: additional security functionality has been added to this app by the following packages:
- Audit Argument Checks - `meteor add audit-argument-checks`
- Browser Policy - `meteor add browser-policy`
- Check - `meteor add check`
Additional packages have been added as part of Base, the starter kit used to create this example.
Resources
If you're interested in learning more about security and how to implement it in your application, the following resources are recommended: