How safe is Meteor to use?

I’m not entirely sure I’ve got this correct, but I read that Meteor doesn’t use session cookies (?) and therefore it’s immune to CSRF attacks?

Not only that, but how secure is it in general? For example CSRF, XSS and so on. Are there any security measurements I have to take myself, or is everything in Meteor safe to use (if you use the stock functions/API available)?

If not, how would one go about implementing such security for forms etc.?

If you need it for submitting, have a read on Meteor Methods.
There’s no actual need to do form submission over REST while on Meteor.

Yes, Meteor does not use session cookies, but it does use cookies for authentication storage, as does every web application.

  1. Enable Meteor methods.
  2. Remove the “insecure” package, which is a quick prototype for subscribing to everything; this is useful in the first stages of a prototype.
  3. Configure your publish / subscribe methods to use this.userId to verify a user has authenticated, especially at the beginning of your Method function. More info on this in the Accounts package in the Meteor API docs.
  4. Do not use REST for internals; use Meteor.methods({}), also in the API docs.
  5. If your needs for cross-domain accessibility are more specific, search for OAuth configurations and packages for Meteor, especially the one from MDG.
  6. Configure your Meteor methods accordingly; security is as good as you configure it to be (e.g. testing for this.userId is 101; double checking permissions such as let record = Records.findOne({}); record.owner === this.userId is another example).
  7. Always host production on an HTTPS server. I recommend using NGINX to double security.

I’ve hosted sensible information and fiscal documents on my app for over a year now, no inherent security problems with Meteor and configuring it has been a breeze. However, if I forget to add (this.userId) tests at any method, then those methods will be public. :wink:
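The two checks from points 3 and 6 above, written out as Meteor-style method and publish handlers. This is an added example, not code from the post or from Meteor itself; it runs under plain Node with no Meteor installed by using constructed stand-ins for the collection, for Meteor.Error and for the server-side invocation context that sets this.userId. The Records collection, the user ids and the method names are made up for the example.

```javascript
// Stand-in for Mongo.Collection with only the calls this example needs.
// Unlike the real API, find() returns an array rather than a cursor.
class FakeCollection {
  constructor(docs) { this.docs = docs.map((d) => ({ ...d })); }
  matches(doc, selector) {
    return Object.entries(selector).every(([k, v]) => doc[k] === v);
  }
  findOne(selector) { return this.docs.find((d) => this.matches(d, selector)); }
  find(selector) { return this.docs.filter((d) => this.matches(d, selector)); }
  update(selector, modifier) {
    const doc = this.findOne(selector);
    if (!doc) return 0;
    Object.assign(doc, modifier.$set);
    return 1;
  }
}

// Stand-in for Meteor.Error(error, reason): the shape a client receives.
class MethodError extends Error {
  constructor(error, reason) { super(reason); this.error = error; this.reason = reason; }
}

// Constructed sample data: two users, each owning one record.
const Records = new FakeCollection([
  { _id: 'r1', owner: 'alice', title: 'Q1 invoices' },
  { _id: 'r2', owner: 'bob', title: 'Payroll' },
]);

// Handlers in the form Meteor.methods({...}) takes. Meteor calls each one with
// this.userId set to the logged-in caller, or null for an anonymous client.
const methods = {
  // The mistake the answer warns about: no this.userId test, so even with the
  // "insecure" package removed this remains a public write for any client.
  'records.renameInsecure'(recordId, title) {
    return Records.update({ _id: recordId }, { $set: { title } });
  },

  // Hardened form: reject anonymous callers first, then confirm ownership
  // (record.owner === this.userId) before touching the document.
  'records.rename'(recordId, title) {
    if (!this.userId) throw new MethodError('not-authorized', 'Login required');
    const record = Records.findOne({ _id: recordId });
    if (!record) throw new MethodError('not-found', 'No such record');
    if (record.owner !== this.userId) {
      throw new MethodError('not-authorized', 'You do not own this record');
    }
    return Records.update({ _id: recordId }, { $set: { title } });
  },
};

// A publish handler in the form Meteor.publish(name, fn) takes: an anonymous
// subscriber gets an empty, ready subscription instead of everyone's records.
const publications = {
  'records.mine'() {
    if (!this.userId) return this.ready();
    return Records.find({ owner: this.userId });
  },
};

// Stand-in for the server-side invocation context: Meteor binds `this` to an
// object carrying userId. Errors are returned rather than thrown so the
// outcome of each call is easy to inspect.
function callMethod(userId, name, ...args) {
  try {
    return { ok: true, value: methods[name].apply({ userId }, args) };
  } catch (e) {
    return { ok: false, error: e.error || 'unknown', reason: e.reason || e.message };
  }
}

// Stand-in for a subscription context; ready() yields an empty result set.
function runPublication(userId, name) {
  const ctx = { userId, ready() { return []; } };
  return publications[name].apply(ctx) || [];
}

// Stand-alone demo: an anonymous client against both handlers.
console.log(callMethod(null, 'records.renameInsecure', 'r2', 'renamed by anyone'));
console.log(callMethod(null, 'records.rename', 'r2', 'blocked'));
console.log(runPublication(null, 'records.mine'));
```

The only difference between the two rename handlers is the guard block at the top of `records.rename`; in a real app the anonymous call to `records.renameInsecure` would arrive straight from the browser console, which is exactly the "those methods will be public" case the answer describes.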


Thanks for the very helpful response! That’s a handful of things I’ll need to learn more about.

Don’t feel overwhelmed, You can do it while you code.

I recommend also doing the tutorials, especially if you’re using a framework such as React or Angular for the front-end. They work excellently with Meteor.

Note: When using React with Meteor, there’s no real reason to use Redux, once you get a good grasp on Methods, Publish and subscribe :slight_smile:

Good luck and happy coding!


Also, maybe this guide could help you in some way :