Exposing /api folder security risks

I wonder if anyone had a similar experience.

It’s typical of meteor applications to expose an api folder containing some mongo db and at times simpl-schema based db schema.

From a privacy perspective this is a security flaw because it exposes the system architecture to anyone who gets a copy of the apis.

One fix that I’m working on is to only expose the mongo db in the /api folder while having the schema implementation on the server side and importing the /api folder.

Has anyone tried something similar to this? Are there better alternatives?


Well, we (at work that is) used to write files just with the new Mongo.Collection("xxx") line. And attaching the schema on a similar file that is imported only on the server. So you end up with two collection descriptions: one on the client and the other on the server with a specific schema. That way the client knows there should be a collection but has no access to the schema of that collection. Everything works as long as you import the correct files in the correct places. The methods and publications were also imported only on the server. You lose the concurrent Meteor method this way, so the application might need some adjusting for slow network.