> clearly has never visited github
###In all due seriousness,
that’s not to say that meteor apps can’t be quite secure, or at the same time, that, meteor does have some legitimate security concerns that have to be considered. @corvid’s comment is quite poignant, most of the blog posts about meteor security at the top of google were written months, if not years ago.
This is what Meteor gives you.
They got all the things you need, but its a bit rough around the edges. But, everything is sturdy. They even threw in windows! But it’s not their fault if you don’t install/use the windows’ lock. They even give you the instruction manual!
MDG would have a problem if I could go outside, punch a hole through the siding, then tear my way in though the wall. But that’s not the case…
@tab00 if you’re trying to build a bank, you don’t just put down carpet in this room, add some desks and call it day! If you’re a bank, you want steel reinforced concrete walls. If you want, you can do that with meteor! But, it just doesn’t come out of the box. You don’t have to go crazy though; start by taking your drill and putting some iron bars on the outside of that window, then move on from there… ssl I mean…
bleh enough analogy
It’s not that hard to get something running that is pretty damn secure
- HTTPS (forced preferably)
- strong validation of user input
- separation of server and client data AND code
- meteor is isomorphic, that means the client can do
Right Click-> View Source and see like half of the code your app is running on. Out of the box, this is a pretty big issue for something like your proposed app. But you can split the code into
/server. Try to keep the both category as slim as possible.
- mongo + subscribe/publish doesn’t map as well as say a traditional RDBMS for storing sensitive information. You really got to think about exactly what needs to be published,
*-never trust any data from the user, with meteor you live in a glass house (sorta) so a malicious user can poke around and find a bug in your logic, send in data that exploits that.
Edit: Listen to @miningsam, he’s got a lot pretty comprehensive list of some of the issues you’ll run into / want to protect against.
I don’t know what your app involves, maybe meteor is a good fit for it. But don’t come here and say:
MDG’s attempt to save some money by taking advantage of free labor can backfire on all of us who rely on Meteor
MDG is far from perfect, but they’re not trying to exploit us! this is an OPEN SOURCE project, go look that up.