
Best Practices for Securing a Meteor/Node Server [closed]

What are the best practices for securing a Meteor.js app, assuming that we have already taken care of CSRF attacks, have proper user input validation, removed auto-publish and insecure packages?

Nyxynyx Avatar asked Jan 23 '26 13:01



1 Answer

You seem to have done most of the stuff already.

Additionally:

  • Don't forget to use an SSL proxy in front of your Meteor app (that supports websockets).
  • Make sure your database can only be accessed by your meteor app (firewall ip restriction).
  • If you have any Meteor methods, make sure you check the user running them has permission to do so, especially when you are changing the database.
  • If you are using non-meteor packages for authentication/user management make sure passwords are not stored in plain-text.
  • Use check in all your Meteor methods, publish functions, & your allow & deny rules to ensure the data type and their structure is enforced so nothing else can cause damage. Using the audit-argument-checks package can help make you enforce strictness on this too.
  • Make sure your Meteor server's time is correct.
  • On your server side, make sure you don't declare variables inside of closures without the use of the var keyword (as the variables may jump between users).
  • Make sure you always handle the case where documents are not found on the server (i.e. don't do collection.findOne(xx).yy, as this can crash and reveal information; you should check the document exists first).
  • Make sure eval isn't used anywhere (I think that one should be obvious enough) - especially with Meteor, since stuff run in eval, such as a globally scoped variable, even from a project, can be accessed anywhere (which goes against how the warehouse engine system works).
  • Never publish services (in the users collection) to any client, only a subportion of it without the resume set. (This is sometimes done with 3rd party logins to expose more user info to the client, but it can reveal a bit too much).

Not sure of any others, the main ones are removing the insecure and autopublish packages to make your own rules.

Sorry that doesn't look very nice, I'm not sure how to put a space underneath each item.

Tarang Avatar answered Jan 26 '26 02:01

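The answer's points about Meteor methods (check every argument, verify the caller's permission before writing, and never dereference a `findOne` result without testing for "not found") are illustrated below as an added example that is not part of the answer or of Meteor itself. So that it runs in plain Node, `check`, `Meteor.Error` and the collection are small stand-ins that only mimic the relevant behaviour of the real `meteor/check`, `Meteor.Error` and `Mongo.Collection` APIs; the method is written as an ordinary function that receives the caller's `userId` instead of reading `this.userId`, and the `Posts` data is constructed for the example.

```javascript
'use strict';
// In strict mode an assignment to an undeclared name throws a ReferenceError instead of
// creating an accidental global, which is the "forgot the var keyword" bug the answer mentions.

// --- Stand-ins (constructed for this example; NOT Meteor's real implementation) ---

// Mimics Meteor.Error: `error` is the machine-readable code, `reason` the human message.
class MeteorError extends Error {
  constructor(error, reason) {
    super(reason || String(error));
    this.error = error;
    this.reason = reason;
  }
}

// Minimal stand-in for check(value, pattern) from 'meteor/check'. It supports the String,
// Number and Boolean constructors and a plain-object pattern { key: pattern }. Like the
// real check, it throws on a type mismatch; like Match.ObjectIncluding's stricter sibling,
// it also rejects unexpected extra keys so a caller cannot smuggle in operators or fields.
function check(value, pattern) {
  if (pattern === String || pattern === Number || pattern === Boolean) {
    const expected = pattern.name.toLowerCase(); // 'string' | 'number' | 'boolean'
    if (typeof value !== expected || (pattern === Number && Number.isNaN(value))) {
      throw new MeteorError('match-failed', `Expected ${expected}, got ${typeof value}`);
    }
    return;
  }
  if (pattern && typeof pattern === 'object') {
    if (!value || typeof value !== 'object' || Array.isArray(value)) {
      throw new MeteorError('match-failed', 'Expected a plain object');
    }
    for (const key of Object.keys(pattern)) check(value[key], pattern[key]);
    for (const key of Object.keys(value)) {
      if (!(key in pattern)) throw new MeteorError('match-failed', `Unexpected field ${key}`);
    }
    return;
  }
  throw new MeteorError('match-failed', 'Unsupported pattern');
}

// In-memory stand-in for a Mongo.Collection keyed by _id. findOne returns undefined
// when nothing matches, exactly the case the answer says must be handled.
class Collection {
  constructor(docs) { this.docs = new Map(docs.map(d => [d._id, { ...d }])); }
  findOne(id) { return this.docs.get(id); }
  update(id, modifier) { Object.assign(this.docs.get(id), modifier.$set); return 1; }
}

// Constructed sample data.
const Posts = new Collection([
  { _id: 'p1', ownerId: 'alice', title: 'hello' },
]);

// --- The method body (would be registered via Meteor.methods in a real app) ---
function updatePostTitle(userId, args) {
  // 1. Enforce argument types and shape before touching anything else.
  check(args, { postId: String, title: String });

  // 2. Require a logged-in caller.
  if (!userId) throw new MeteorError('not-authorized', 'Login required');

  // 3. Do not write Posts.findOne(id).ownerId: test for "not found" first, and answer with
  //    a generic error rather than letting a TypeError leak stack details to the client.
  const post = Posts.findOne(args.postId);
  if (!post) throw new MeteorError('not-found', 'No such post');

  // 4. Verify the caller is allowed to change this document before writing.
  if (post.ownerId !== userId) throw new MeteorError('not-authorized', 'Not the owner');

  Posts.update(args.postId, { $set: { title: args.title } });
  return Posts.findOne(args.postId).title;
}

// Reports each outcome as a string so every failure mode can be inspected without a try/catch
// at the call site; the error code (not the message) is what a client would see.
function tryUpdate(userId, args) {
  try {
    return 'ok:' + updatePostTitle(userId, args);
  } catch (e) {
    return 'error:' + (e.error || e.message);
  }
}
```

The order of the checks matters: argument validation runs first so that a malformed `postId` (for example a `{ $ne: '' }` selector object) is rejected before it reaches the database, the not-found check runs before any property of the document is read, and the ownership check runs before the write.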


