5. Secure design principles
○ Data and code are separate
○ Easy to reason about client/server boundary
○ Stateful connections that must be deliberately authenticated
6. Securely structuring your app
○ Server code is trusted, client code is not
○ server/ or Meteor.settings for secrets
○ Meteor.isServer doesn't make code private
○ Use publications and allow/deny to lock down database API
○ Allow/deny rules not applied to server code
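The allow/deny and publication rules from this slide, as an added example that is not part of the original deck. The rule callbacks and the publication selector are written as plain functions so they run and can be tested outside Meteor; the wiring into `Posts.allow({...})`, `Posts.deny({...})` and `Meteor.publish(...)` is assumed and shown only in comments, and the `Posts` collection, the field names and the user ids are constructed for the example.

```javascript
// Added example (not from the original slides). In a Meteor app these
// functions would be passed as Posts.allow({update: allowUpdate, remove:
// allowRemove}) and Posts.deny({insert: denyInsert}) (assumed wiring).
// Remember: allow/deny rules only apply to client-initiated writes; server
// code bypasses them, so server code must do its own checking.

// Fields a client may change on its own post. Everything else (ownerId,
// published, createdAt, ...) is server-only.
const CLIENT_EDITABLE = new Set(["title", "body"]);

// allow.update(userId, doc, fieldNames, modifier): only the owner may update,
// and only the client-editable fields. fieldNames is the list of top-level
// fields the modifier touches, which is what Meteor passes in.
function allowUpdate(userId, doc, fieldNames /*, modifier */) {
  if (!userId || doc.ownerId !== userId) return false;
  return fieldNames.every((field) => CLIENT_EDITABLE.has(field));
}

// allow.remove(userId, doc): only the owner may remove a post.
function allowRemove(userId, doc) {
  return Boolean(userId) && doc.ownerId === userId;
}

// deny.insert(userId, doc): a client may never create a post owned by someone
// else, nor one that is already marked as published. deny wins over allow.
function denyInsert(userId, doc) {
  return !userId || doc.ownerId !== userId || doc.published === true;
}

// Publication selector: logged-out clients see only published posts; a logged-
// in user additionally sees their own drafts. In Meteor:
//   Meteor.publish("posts", function () {
//     return Posts.find(postsSelector(this.userId));
//   });
function postsSelector(userId) {
  if (!userId) return { published: true };
  return { $or: [{ published: true }, { ownerId: userId }] };
}

module.exports = { allowUpdate, allowRemove, denyInsert, postsSelector };
```

The point of keeping the rules as small pure functions is that the security boundary (which user may touch which fields of which document) can be unit-tested directly, instead of being discovered by poking at the live database API from a browser console.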
17. Sanitize untrusted URLs and CSS
○ Don't try to filter out "javascript:", "expression", etc.
○ Do strict checking: urls start with http, css values come from a list of safe values
○ Use Content Security Policy
   Ex: Content-Security-Policy: default-src 'self'
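The strict-checking approach from this slide, as an added example that is not part of the original deck: URLs are parsed with the WHATWG `URL` parser and accepted only when the scheme is http or https, CSS values are looked up in a fixed allow list, and the Content-Security-Policy header value is built from a directive map. The function names, the colour list and the test strings are constructed for the example.

```javascript
// Added example (not from the original slides): allow-list validation for
// untrusted URLs and CSS values, plus a CSP header builder.

// Accept a URL only if it parses and its scheme is http or https. Everything
// else (javascript:, data:, vbscript:, relative paths, non-strings) is
// rejected. No attempt is made to recognise "bad" substrings: the parser
// normalises case and surrounding whitespace before we look at the scheme,
// which is exactly what a substring filter gets wrong.
function isSafeHttpUrl(input) {
  if (typeof input !== "string") return false;
  let parsed;
  try {
    parsed = new URL(input); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// CSS: never pass user text through to a style; map it onto a fixed set of
// known-safe values and fall back to a default otherwise. (Constructed list.)
const SAFE_COLORS = new Set(["red", "green", "blue", "black", "white"]);

function safeCssColor(input, fallback = "black") {
  const value = String(input).trim().toLowerCase();
  return SAFE_COLORS.has(value) ? value : fallback;
}

// Build a Content-Security-Policy header value from a directive map, e.g.
// buildCsp({ "default-src": ["'self'"] }) -> "default-src 'self'".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => name + " " + sources.join(" "))
    .join("; ");
}

module.exports = { isSafeHttpUrl, safeCssColor, buildCsp };
```

Usage: call `isSafeHttpUrl(href)` before rendering a user-supplied link and `safeCssColor(value)` before interpolating a user-chosen colour into a style attribute; send `buildCsp({ "default-src": ["'self'"] })` as the `Content-Security-Policy` response header so that inline scripts and styles are blocked even if a check is missed somewhere.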
25. Using audit-argument-checks
    insertName({
      foo: "bar"
    })

    Inserted {"name": {"foo": "bar"}}
    Exception while invoking method 'insertName'
    Error: Did not check() all arguments during call to 'insertName'
26. What was that Meteor 0.6.4.1 release all about?
    Meteor.methods({
      saveUser: function (profile) {
        delete profile.admin;
        Users.insert(profile);
      }
    });

    <malicious input>
    {"admin": "true!", "x01...": null, ...}
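A worked example for slides 25 and 26 together, added here and not part of the original deck. It puts the `saveUser` method from slide 26 beside an allow-list version that checks its argument first (the thing audit-argument-checks on slide 25 complains about when it is missing) and then copies only the permitted fields into a fresh document. Meteor's `check()` and the `Users` collection are not available outside Meteor, so a small stand-in validator and an in-memory array are used; the profile fields, the pattern and the sample inputs are constructed for the example.

```javascript
// Added example (not from the original slides). Stand-ins for Meteor pieces:
const Users = []; // stand-in for the Users collection (Users.insert -> push)

// Pattern for a client-supplied profile: exactly these fields, these types.
// In Meteor this would be check(profile, { name: String, email: String }).
const PROFILE_PATTERN = { name: "string", email: "string" };

// Minimal stand-in for check(value, pattern): rejects non-objects, unknown
// fields, wrong types and missing fields. Anything the server did not
// explicitly expect is an error, not something to strip out afterwards.
function checkProfile(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("profile must be an object");
  }
  for (const key of Object.keys(value)) {
    if (!Object.prototype.hasOwnProperty.call(PROFILE_PATTERN, key)) {
      throw new Error("unexpected field: " + key);
    }
    if (typeof value[key] !== PROFILE_PATTERN[key]) {
      throw new Error("wrong type for field: " + key);
    }
  }
  for (const key of Object.keys(PROFILE_PATTERN)) {
    if (!(key in value)) throw new Error("missing field: " + key);
  }
}

// Deny-list version, as on slide 26: remove the one field we thought of and
// store whatever else the client sent.
function saveUserDenyList(profile) {
  delete profile.admin;
  Users.push(profile);
  return profile;
}

// Allow-list version: validate the argument, then build the stored document
// from the permitted fields only, with server-controlled fields set by the
// server. Extra or malformed client input never reaches the database.
function saveUserAllowList(profile) {
  checkProfile(profile);
  const doc = { name: profile.name, email: profile.email, admin: false };
  Users.push(doc);
  return doc;
}

module.exports = { Users, checkProfile, saveUserDenyList, saveUserAllowList };
```

The difference shows up as soon as the input carries any field the deny list did not anticipate: `saveUserDenyList` strips `admin` but stores everything else as sent, while `saveUserAllowList` throws on the unexpected field and, when the input is valid, stores a document whose shape the server chose.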
27. Conclusion
○ Meteor security design principles
○ Securing boundary between client and server
○ Data/code separation
○ Some attacks to watch out for
○ Always validate untrusted user input
○ security-resources.meteor.com