I wrote an article on the dangers of sending emails from the client in your Meteor application. It spends a bit of time digging into various aspects of how Meteor methods are accessible from the client (Meteor.connection._methodHandlers, source snooping, etc…).
Always be cautious of giving too much power to your client, and remember that Meteor methods are always accessible from the client, even if you take measures to hide them.
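An added example of the point in the post above (not code from the post or the linked article): a mail-sending method that trusts client arguments, next to one that accepts only a template id and derives everything else on the server. The `handlers` table, `callAs`, `outbox`, `users` and `TEMPLATES` are hypothetical stand-ins for Meteor's method table, method invocation, `Email.send` and the users collection, so the block runs in plain Node.

```javascript
// Added example. Constructed stand-ins replace Meteor so this runs offline.
const outbox = [];   // stand-in for Email.send: records what would be mailed
const handlers = {}; // stand-in for the server-side method table
const users = { u1: { email: 'alice@example.com' } }; // constructed sample data
const TEMPLATES = { welcome: { subject: 'Welcome', text: 'Thanks for signing up.' } };
const FROM = 'no-reply@example.com';

// The server runs a method for any connected client: by name, with
// client-chosen arguments, and with this.userId set by the server.
function callAs(userId, name, ...args) {
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    throw new Error('method-not-found');
  }
  return handlers[name].apply({ userId }, args);
}

// Weak: recipient, subject and body all come from the caller. Hiding the
// call site in client code changes nothing, because the method is still
// reachable by name.
handlers.sendEmailUnsafe = function (to, subject, text) {
  outbox.push({ from: FROM, to, subject, text });
};

// Hardened: the client supplies only a template id. Login is required,
// the id is checked against an allow-list, and the recipient is read
// from the server-side user record.
handlers.sendEmail = function (templateId) {
  if (!this.userId || !users[this.userId]) throw new Error('not-authorized');
  const known = typeof templateId === 'string' &&
    Object.prototype.hasOwnProperty.call(TEMPLATES, templateId);
  if (!known) throw new Error('invalid-template');
  const { subject, text } = TEMPLATES[templateId];
  outbox.push({ from: FROM, to: users[this.userId].email, subject, text });
};
```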
What a phenomenal article! If you have any ideas about improvements to the docs or Meteor guide to make security easier and make these issues more discoverable, that would be awesome.
Thanks guys. I haven’t made it to the security section of the guide yet. Once I do, I’ll be sure to let @sashko know if I see any room for improvement (although the rest of the guide has been solid so far).