Meteor Security Essentials
Security should be a major part of every Meteor developer's planning. Without security, our applications are vulnerable to all kinds of attacks. This talk will go over some security essentials that you can (and should) use in your own applications. We'll take a look at:
- Autopublish & Insecure: why you should remove two packages that ship with Meteor and render your app a field day for any in-the-know attacker.
- Defining rules for how the database can be manipulated from the client.
- Publications & Subscriptions: making use of Meteor's publish and subscribe methods to control what data is accessible on the client, and when.
- Check & Audit Argument Checks
- Installing and configuring the browser-policy package to control which content can be loaded in your app and whether your app can be framed.
- Storing sensitive information like API keys in settings.json, and how to share specific information with the client and the server.
Additional Security Techniques
Techniques that can be added in addition to what's outlined above on an as-needed basis:
- Adding accounts
- Adding schemas to your collections
- Using "Hooks" in Iron Router
- Creating server-only methods
- Adding client-side validation to forms
What's in here?
This repository includes example implementations of each of the concepts above. Each example is fairly generic, so make sure to research how the techniques we'll discuss will play into your application before you go into production.
Note: additional security functionality has been added to this app by the following packages:
- Audit Argument Checks - meteor add audit-argument-checks
- Browser Policy - meteor add browser-policy
- Check - meteor add check
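What the check and audit-argument-checks packages listed above enforce, as an added stand-alone model in plain Node (this is not code from this repository or from Meteor itself): the matches, check and callAudited names are this example's own, standing in for Meteor's check() and for the post-call audit that audit-argument-checks performs on every method.

```javascript
// Added example, not from this repository: a plain-Node model of Meteor's check()
// and of the "did you check() every argument?" audit. Names are this example's own.
// Minimal matcher for the patterns check() accepts: String, Number, Boolean, [p], {k: p}.
function matches(value, pattern) {
  if (pattern === String) return typeof value === 'string';
  if (pattern === Number) return typeof value === 'number' && Number.isFinite(value);
  if (pattern === Boolean) return typeof value === 'boolean';
  if (Array.isArray(pattern)) return Array.isArray(value) && value.every((v) => matches(v, pattern[0]));
  if (pattern !== null && typeof pattern === 'object') {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
    const declared = Object.keys(pattern);
    // Undeclared keys fail, so a client cannot smuggle an extra field (e.g. isAdmin) past a method.
    if (Object.keys(value).some((k) => !declared.includes(k))) return false;
    return declared.every((k) => matches(value[k], pattern[k]));
  }
  return false;
}

// Arguments of the currently running method that have not been check()ed yet.
let unchecked = null;

function check(value, pattern) {
  if (!matches(value, pattern)) throw new Error(`Match error: ${JSON.stringify(value)}`);
  const i = unchecked ? unchecked.indexOf(value) : -1; // same === test the audit package uses
  if (i !== -1) unchecked.splice(i, 1);
}

// Runs a method handler and, like audit-argument-checks, throws afterwards if
// any argument was never passed to check(); the handler's result is discarded.
function callAudited(handler, ...args) {
  unchecked = [...args];
  try {
    const result = handler(...args);
    if (unchecked.length) throw new Error(`Did not check() all arguments: ${JSON.stringify(unchecked)}`);
    return result;
  } finally {
    unchecked = null;
  }
}

// Well-behaved method: every argument is validated before any other work.
const addComment = (postId, comment) => {
  check(postId, String);
  check(comment, { body: String, rating: Number });
  return { postId, comment };
};

// Sloppy method: never inspects `comment`, so the audit rejects the call.
const addCommentUnchecked = (postId, comment) => {
  check(postId, String);
  return { postId, comment };
};
```

In a real Meteor app the same effect comes from importing check from 'meteor/check' in each method and running meteor add audit-argument-checks; this block exists only so the behaviour can be exercised without a Meteor runtime.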
Additional packages have been added as part of Base, the starter kit used to create this example.
If you're interested in learning more about security and how to implement it in your application, the following resources are recommended: