In the Meteor guide it says;
Code that runs on the server can be trusted. Everything else: code that runs on the client, data sent through Method and publication arguments, etc, can’t be trusted
Secret business logic in your app should be located in code that is only loaded on the server. This means it is in a server/ directory of your app, in a package that is only included on the server, or in a file inside a package that was loaded only on the server.
Sensitive methods/algorithms etc. must be put in the server side. My first question is, how can we ensure security on the client side when calling a method lets say
createUser() on the server-side through an import statement? When I imported a function/object etc. does it mean that I make this function available to client-side thus make it vulnerable?
My second question; is there any difference between using Meteor.method and Validated-Method in terms of security? We don’t need to use an import statement when calling a standard Meteor Method but we need to import it if we call a Validated-Method. For the same
createUser() example, should I define it in a Meteor Method for security?