Skip to main content

Overview

Security in Meteor follows a simple principle: trust the server, validate everything from the client. Understanding the attack surface and implementing proper security measures is critical for any production application.

Security Domains

In a Meteor application, there are two security domains:
  1. Server: Trusted environment where code runs securely
  2. Client: Untrusted environment that can be manipulated
Never trust data coming from the client. Always validate and authorize on the server.

Attack Surface

Secure these three main entry points:

1. Methods

Any data through Method arguments needs validation:

2. Publications

Publications must not return unauthorized data:

3. Served Files

Ensure no secrets in client-accessible code:

Remove Insecure Packages

Remove insecure and autopublish packages immediately in any production app.

Disable Allow/Deny

Avoid client-side database operations:

Validating Method Arguments

Using check()

Using SimpleSchema

Never Trust this.userId from Client

Authorization Patterns

Check Ownership

Role-Based Access Control

Rate Limiting

Protect against brute force and spam:

Securing Publications

Field Filtering

Validate Publication Arguments

Check User Permissions

Secrets Management

Environment Variables

Never Commit Secrets

Input Sanitization

Prevent XSS (Cross-Site Scripting)

Prevent NoSQL Injection

HTTPS/SSL

Always use HTTPS in production to encrypt data in transit.

Content Security Policy

Security Checklist

1

Remove insecure packages

2

Validate all Method arguments

Use check() or SimpleSchema for every Method
3

Disable client-side database operations

Use deny() rules on all collections
4

Filter publication fields

Never publish sensitive user data or credentials
5

Implement rate limiting

Protect against brute force and spam
6

Use HTTPS in production

Encrypt all data in transit
7

Manage secrets properly

Use environment variables, never commit secrets
8

Implement authorization

Check ownership and roles before operations
9

Enable audit logging

Log security-relevant actions
10

Keep dependencies updated

Regularly update Meteor and npm packages