Meteor - Security


In this chapter, we will learn how to secure our app and what should be taken into consideration while developing an app.

Autopublish and Autosecure

Autopublish is a package that automatically publishes all data from the database to the client. This is a convenience that should be disabled when in production. It can be disabled from the command prompt.

C:\Users\username\Desktop\meteorApp>meteor remove autopublish

You can publish some data to the client by using Meteor.publish() and Meteor.subscribe() methods that we will cover in the Publish and Subscribe chapter.

Insecure is a package that allows MongoDB commands to be written in developer’s console, so that every user of the app is able to access the database. The package can be removed by running the following command in the command prompt.

C:\Users\username\Desktop\meteorApp>meteor remove insecure

Good practice is to remove both of the packages as soon as you start developing your app, so you don't have to change and update your code later.

Use Server Side Methods

You should always create your methods on the server. You can do it by using the Meteor.methods() on the server and on the client. We will learn more about this in the Methods chapter.

Additional Security

If you want to add additional layers of security to your app, you should consider using some other Meteor packages such as −

  • Browser Policy can be used to control the external resources that should be loaded to your app.

  • Check package can be used to check the user input types before they are processed.

  • Audit Arguments Check is a package that will ensure all parameters are correctly checked before processed. If you missed some parameters, this package will inform you.

  • Mylar packages can add some additional layers of security. You can check them out if you need that kind of protection.