How safe is Meteor to use?

I’m not entirely sure I’ve got this correct, but I read that Meteor doesn’t use session cookies (?) and therefore it’s immune to CSRF attacks?

Not only that, but how secure is it in general? For example CSRF, XSS and so on. Are there any security measurements I have to take myself, or is everything in Meteor safe to use (if you use the stock functions/API available)?

If not, how would one go about implementing such security for forms etc.?

If you need form submission, have a read on Meteor Methods.
There’s no actual need to do form submission over the REST protocol while on Meteor.

Yes, Meteor does not use session cookies, but it does use cookie authentication storage, as does every web application.

  1. Enable Meteor methods.
  2. Remove the “insecure” package, which is a quick prototype for subscribing to everything, as this is useful in the first stages of a prototype.
  3. Configure your publish / subscribe methods to use this.userId to verify that a user has authenticated, especially at the beginning of your Method function; more info on this is under the Accounts package in the Meteor API docs.
  4. Do not use REST for internals; use Meteor.call / Meteor.methods({}), also in the API docs.
  5. If your needs for cross-domain accessibility are more specific, search for oAuth configurations and packages for Meteor, especially the one from MDG.
  6. Configure your Meteor methods accordingly; security is as good as you configure it to be (e.g.: testing for this.userId is 101; double-checking permissions such as let record = Records.findOne({}); record.owner === this.userId is another example).
  7. Always host production on an HTTPS server; I recommend using NGINX to double security.

I’ve hosted sensitive information and fiscal documents on my app for over a year now, with no inherent security problems with Meteor, and configuring it has been a breeze. However, if I forget to add (this.userId) tests in any method, then those methods will be public. :wink:

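The guards from steps 3 and 6 of the post above (test this.userId first, then check record ownership), written out as an added example that is not from the thread and not Meteor’s own code. The method map and publication handler are written as they would be passed to Meteor.methods({...}) and Meteor.publish(...); the Meteor.Error class, the in-memory collection, the `callAs`/`subscribeAs` helpers, the `Records` collection, the method names and the user ids are stand-ins and assumptions so the file runs under plain Node with no Meteor installed. The unchecked method is included on purpose to show what a method looks like when the this.userId test is forgotten.

```javascript
// Added example (not from the thread or from Meteor): method and publication
// guards, plus small stand-ins for Meteor.Error, a Mongo collection and the
// server-side method invocation so this runs under plain Node without Meteor.
// Records, 'records.rename', 'alice' and 'bob' are assumptions for illustration.

// Stand-in for Meteor.Error: methods reject a request by throwing it.
class MeteorError extends Error {
  constructor(error, reason) {
    super(reason || error);
    this.error = error;
    this.reason = reason;
  }
}
const Meteor = { Error: MeteorError };

// Minimal in-memory stand-in for a Mongo.Collection: equality selectors only.
class Collection {
  constructor(docs) { this.docs = docs.map((d) => ({ ...d })); }
  matches(sel, d) { return Object.keys(sel).every((k) => d[k] === sel[k]); }
  findOne(selector) { return this.docs.find((d) => this.matches(selector, d)); }
  find(selector) { return this.docs.filter((d) => this.matches(selector, d)); }
  update(id, fields) {
    const doc = this.findOne({ _id: id });
    if (doc) Object.assign(doc, fields);
  }
}

// Constructed sample data: two records owned by two different users.
const Records = new Collection([
  { _id: 'r1', owner: 'alice', title: 'Invoice 2023-01' },
  { _id: 'r2', owner: 'bob', title: 'Contract draft' },
]);

// The method map, as it would be handed to Meteor.methods({...}) on the server.
const methods = {
  // Unguarded: any DDP client, logged in or not, can rename any record.
  'records.renameUnchecked'(recordId, newTitle) {
    Records.update(recordId, { title: newTitle });
    return true;
  },

  // Guarded: validate arguments, require a login, then require ownership.
  'records.rename'(recordId, newTitle) {
    // Arguments come from the client and are untrusted; reject anything that
    // is not a plain string before it reaches a selector.
    if (typeof recordId !== 'string' || typeof newTitle !== 'string') {
      throw new Meteor.Error('invalid-argument', 'recordId and newTitle must be strings');
    }
    // Step 1: the caller must be logged in (this.userId is null when anonymous).
    if (!this.userId) {
      throw new Meteor.Error('not-authorized', 'You must be logged in');
    }
    // Step 2: the caller must own the record. A missing record and a record
    // owned by someone else get the same error, so the method does not leak
    // which ids exist.
    const record = Records.findOne({ _id: recordId });
    if (!record || record.owner !== this.userId) {
      throw new Meteor.Error('not-authorized', 'Not the owner of this record');
    }
    Records.update(recordId, { title: newTitle });
    return true;
  },
};

// Publication handler, as it would be passed to Meteor.publish('myRecords', ...):
// only the caller's own documents are published; anonymous subscribers get nothing.
function myRecordsPublication() {
  if (!this.userId) return [];               // real code would call this.ready()
  return Records.find({ owner: this.userId });
}

// Stand-in for what the server does on Meteor.call: `this` is bound to an
// invocation object whose userId the server takes from the DDP session, never
// from an argument the client sends.
function callAs(userId, name, ...args) {
  return methods[name].apply({ userId }, args);
}
function subscribeAs(userId) {
  return myRecordsPublication.apply({ userId });
}

// Demonstration
console.log(callAs('alice', 'records.rename', 'r1', 'Invoice 2023-01 (paid)')); // true
try { callAs(null, 'records.rename', 'r2', 'x'); } catch (e) { console.log(e.error); }    // not-authorized
try { callAs('alice', 'records.rename', 'r2', 'x'); } catch (e) { console.log(e.error); } // not-authorized
console.log(callAs(null, 'records.renameUnchecked', 'r2', 'changed by anyone'));         // true: the hole
console.log(subscribeAs('bob').map((d) => d.title)); // [ 'changed by anyone' ]
```

The ownership test deliberately uses the server-side `this.userId` rather than an `ownerId` argument: the client can fake every argument it sends, but it cannot choose the user id the server attached to its DDP session. The last call in the demonstration succeeds with no login at all, which is exactly the “those methods will be public” case the post warns about.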

Thanks for the very helpful response! That’s a handful of things I’ll need to learn more about.

Don’t feel overwhelmed; you can do it while you code.

I recommend also doing the tutorials, especially if you’re using a framework such as React or Angular for the front-end. They work excellently with Meteor.

Note: When using React with Meteor, there’s no real reason to use Redux once you get a good grasp of Methods and Publish/Subscribe :slight_smile:

Good luck and happy coding!


Also, maybe this guide could help you in some way:


@gabrielbalsa Do you recommend using React with MeteorJs? Does React code provide more security on the client side of Meteor, like hiding code in the Source tab of the browser’s Inspect view? I am using Blaze, and when the code is in production I can still see my Meteor method calls and events and other stuff on the client that I coded; it’s not strongly minified, since I can still recognize the code. I searched other famous apps built with Meteor and tried the Inspect view’s Source tab, and I was not able to see the code on the client that they wrote (I did this to see how other apps deal with this issue).

There is no security on the client side. Everything you send to the client, including code and data, they will find a way to read. They can also fake everything they send to the server.


I believe you are not using the --production flag because you were probably running it locally, right?

This is why your code was not minified.

If you use meteor build or meteor deploy, your code is going to be minified unless you use the --debug flag.

You can use Meteor Cloud for free so you can see this in action.


Thanks for the feedback. Our app is currently deployed with Docker, so it might use a different build system. Does it affect the minification? Do we need another minification package, or what am I missing?

Please refer to the difference in code minification of these two famous Meteor apps:

Lemlist (not minified) https://app.lemlist.com/
Chatra (minified) https://app.chatra.io/

At my company, we just completed our second professional security audit (i.e. a week-long penetration test), and there was almost nothing Meteor-specific.

The only exception is this issue, which I hope is being worked on (and there already are alternative meteor packages, if this is a major concern): https://github.com/meteor/meteor-feature-requests/issues/372

We have decided the threat wasn’t high enough for us to worry about it and jump ship.

So working with Meteor really means you’re exposed to the same security challenges as every other stack that exists. I.e. yes, Meteor is totally safe to use :slight_smile:
