Meteor - What is the Best Way to Protect Forms and Store Confidential Data

I am building my first application using Meteor, and I would like to know what security measures can be taken in several situations ...

  • How can I guarantee that users do not submit commands, such as drop table, to my forms? Do I have to sanitize manually, or is it handled automatically?

  • I usually use GET for forms that ask the user for confidential information; however, I am confused by the way Meteor handles inserting documents into the db. Is the information submitted through the forms secure, or is it transmitted somewhere people can see it?

  • If I remove the autopublish and insecure packages, does this mean that users can't just request other users' information? Is this true?

Sorry if these are noob questions. I haven't quite got my head around how the application's security all fits together, but any help would be much appreciated :)

+3
2 answers

Here is a brief rundown of the basics of securing your Meteor application:

  • Transfer everything over HTTPS.

  • Separate your client and server code into their own directories. A great way to keep server-side secrets is to never send them to the client in the first place.

  • Remove the insecure package.

  • Remove the autopublish package.

  • Add the audit-argument-checks package and add validation to all methods and publish functions.

  • Add the browser-policy package.


To your specific questions:

  • Use allow rules on your collections, and check the user's id in them.

  • GET/POST does not apply in Meteor; inserts go over its own connection rather than a form submit. Put the insert in a server method such as postsInsert, and use SSL for transport.

  • Yes. Without autopublish, the client only receives what you publish, so users can't request other users' information unless you publish it.

+6

First, remove the insecure package. Otherwise anyone can open the browser console and run, for example, Collection.remove({}); and wipe your data. Instead, use Meteor.call (with Meteor.methods) so that writes go through server-side code you control.

Then, for documents that have an OWNER / creator, check that the user calling the method is allowed to modify them. Meteor.methods run on the server, so that is where the checks belong. Each Meteor.method should validate its arguments (both their types and ownership). Here is how I do this in Meteor, using check and Match inside Meteor.methods:

// define a test to check if a document is editable by a certain user
EditableDocument = function (userId) {
    return Match.Where(function (documentId) {
        var document = Collection.findOne(documentId);
        if (!document) {
            throw new Meteor.Error(500, "Document doesn't exist !");
        }
        if (userId !== document.creator._id) {
            throw new Meteor.Error(500, "Can't update a document you don't own.");
        }
        return true;
    });
};

Meteor.methods({
    updateCollection: function (documentId, fields) {
        // this.userId is the calling user's id on the server (null when not logged in)
        check(documentId, EditableDocument(this.userId));
        // reject anything that is not exactly the fields you expect
        check(fields, {
            field1: Match.Optional(String),
            field2: Match.OneOf(Number, Boolean),
            field3: Match.Any
        });
        // if the tests pass, do your thing
        ...
    }
});

Regarding transport, Meteor uses DDP (Distributed Data Protocol) for data and Remote Method Invocation. Meteor.call invokes a Meteor.method over that connection, not through a form submission. Unlike plain HTTP, where you would switch to HTTPS, DDP runs over its own connection; if you deploy to *.meteor.com, meteor.com provides SSL. See this thread:

https://groups.google.com/forum/#!topic/meteor-core/a9dPA1-mgXA


0
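Both answers above come down to the same server-side pattern: never trust the client's write, check who is calling, check that they own the document, and whitelist which fields they may touch. The following is an added example, not code from either answer or from Meteor itself. It rewrites that pattern against a tiny in-memory collection so it runs in plain Node without Meteor; `posts`, `insertPost`, `updatePost` and `EDITABLE_FIELDS` are illustrative names, and in a real app the checks would sit inside Meteor.methods with `userId` coming from `this.userId`. It goes a little beyond the answers by also showing what the field whitelist must reject: a client-supplied `creator`, a Mongo operator key such as `$set`, and a key like `toString` that would resolve through `Object.prototype` if the whitelist were consulted with a plain property lookup.

```javascript
// Added example (not from the original answers): ownership check plus field
// validation, in the spirit of the Meteor method above, against an in-memory
// collection so it runs in plain Node. All names below are illustrative.

const posts = new Map(); // documentId -> document (stand-in for a Mongo collection)
let nextId = 1;

// Server-side insert: the creator comes from the session, never from the client.
function insertPost(userId, title) {
  if (!userId) throw new Error('not-authorized: must be logged in');
  const id = String(nextId++);
  posts.set(id, { _id: id, creator: userId, title: String(title), published: false });
  return id;
}

// Whitelist of client-editable fields with a validator for each.
// Anything not listed (creator, _id, Mongo operators like $set) is rejected.
const EDITABLE_FIELDS = {
  title: (v) => typeof v === 'string' && v.length > 0 && v.length <= 200,
  published: (v) => typeof v === 'boolean',
  score: (v) => typeof v === 'number' && Number.isFinite(v),
};

// Equivalent of the EditableDocument Match.Where test in the answer above.
function assertEditable(userId, documentId) {
  if (!userId) throw new Error('not-authorized: must be logged in');
  const doc = posts.get(documentId);
  if (!doc) throw new Error("Document doesn't exist !");
  if (doc.creator !== userId) throw new Error("Can't update a document you don't own.");
  return doc;
}

// Equivalent of check(fields, {...}): reject unknown keys and wrong types.
function validateFields(fields) {
  if (fields === null || typeof fields !== 'object' || Array.isArray(fields)) {
    throw new Error('fields must be a plain object');
  }
  for (const key of Object.keys(fields)) {
    // hasOwnProperty rather than EDITABLE_FIELDS[key]: a client-chosen key such
    // as "toString" or "constructor" would otherwise resolve through
    // Object.prototype to a function and pass as a "validator".
    if (!Object.prototype.hasOwnProperty.call(EDITABLE_FIELDS, key)) {
      throw new Error(`field not allowed: ${key}`);
    }
    if (!EDITABLE_FIELDS[key](fields[key])) {
      throw new Error(`invalid value for ${key}`);
    }
  }
}

// The method body proper: only reached after both checks pass.
function updatePost(userId, documentId, fields) {
  const doc = assertEditable(userId, documentId);
  validateFields(fields);
  Object.assign(doc, fields);
  return { ...doc };
}

// Reports whether a call was rejected, and why.
function attempt(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Constructed scenario (not real data): alice owns a post; various callers try to edit it.
function runScenario() {
  posts.clear(); nextId = 1;
  const id = insertPost('alice', 'Hello');
  return {
    ownerEdit: attempt(() => updatePost('alice', id, { title: 'Hello, world', published: true })),
    otherUserEdit: attempt(() => updatePost('mallory', id, { title: 'pwned' })),
    anonymousEdit: attempt(() => updatePost(null, id, { title: 'pwned' })),
    takeover: attempt(() => updatePost('alice', id, { creator: 'mallory' })),
    operator: attempt(() => updatePost('alice', id, { $set: { creator: 'mallory' } })),
    protoKey: attempt(() => updatePost('alice', id, { toString: 'x' })),
    badType: attempt(() => updatePost('alice', id, { published: 'yes' })),
    missingDoc: attempt(() => updatePost('alice', '999', { title: 'x' })),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Run it with `node` to see each attempt's outcome: only the owner's well-typed edit succeeds, and the ownership check runs before field validation, so a caller who does not own the document learns nothing about which fields exist. The same ordering is what the `check(documentId, EditableDocument(this.userId))` line in the answer above achieves.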
