Essential security techniques for Meteor applications.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.meteor
client
collections
server
.editorconfig
README.md
application.html
settings.json
smart.json
smart.lock

README.md

Meteor Security Essentials

Slides: http://talks.themeteorchef.com/meteor-security-essentials

Security should be a major part of every Meteor developer's planning. Without security, our applications are vulnerable to all kinds of attacks. This talk will go over some security essentials that you can (and should) use in your own applications. We'll take a look at:

Autopublish & Insecure

Why to remove two packages that ship with Meteor that render your app a field day for any in-the-know attacker.

Allow/Deny Rules

Defining rules for how the database can be manipulated from the client.

Publications & Subscriptions

Making use of Meteor's publish and subscribe methods to control what data is accessible on the client when.

Check & Audit Argument Checks

Installing the check package and its companion audit-argument-checks to validate arguments passed to server-side methods.

Browser Policy

Installing and configuring the browser-policy package to control which content can be loaded in your app and whether your app can be framed.

Settings.json

Storing sensitive information like API keys in settings.json and how to share specific information with the client and the server.

Additional Security Techniques

Techniques that can be added in addition to what's outlined above on an as-needed basis:

What's in here?

This repository includes example implementations of each of the concepts above. Each example is fairly generic, so make sure to research how the techniques we'll discuss will play into your application before you go into production.

Note: additional security functionality has been added to this app by the following packages:

  • Audit Argument Checks - meteor add audit-argument-checks
  • Browser Policy - meteor add browser-policy
  • Check - meteor add check

Additional packages have been added as part of Base, the starter kit used to create this example.

Resources

If you're interested in learning more about security and how to implement it in your application, the following resources are recommended: