I wrote an article on the dangers of sending emails from the client in your Meteor application. It spends a bit of time digging into various aspects of how Meteor methods are accessible from the client (Meteor.connection._methodHandlers, source snooping, etc…).
Always be cautious of giving too much power to your client, and remember that Meteor methods are always accessible from the client, even if you take measures to hide them.
Take a look and let me know what you think!
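The pattern the post warns about, as an added example that is not part of the original post or the linked article: a Meteor method that lets the client choose recipient and content, next to a hardened version where the server picks the recipient (the caller's own verified address) and rate-limits per user. It is written as plain functions so it runs under Node; the `Meteor.methods` registration is guarded and only runs inside a Meteor server bundle. The template names, addresses and limits are constructed for illustration.

```javascript
// Added example, not code from the original post or the linked article. Written as
// plain functions so it runs under Node; the Meteor registration is guarded below.
// Template names, addresses and limits are constructed for illustration.

// Vulnerable pattern: recipient, subject and body all come from the client. Anyone
// who can call the method (and method names are discoverable) gets an open relay.
function sendEmailUnsafe(args, sendMail) {
  return sendMail({ to: args.to, subject: args.subject, text: args.text });
}

// Hardened pattern: the client only names a server-side template; the server picks
// the recipient (the caller's own verified address) and rate-limits per user.
const TEMPLATES = {
  'password-reset': { subject: 'Reset your password', text: 'Visit your account page.' },
  'export-ready': { subject: 'Your export is ready', text: 'Download it from the dashboard.' },
};
const MAX_PER_WINDOW = 3;
const WINDOW_MS = 60 * 60 * 1000;

// findUser, sendMail and now are injected so the logic is testable outside Meteor.
function makeSendEmailSafe({ findUser, sendMail, now = () => Date.now() }) {
  const recent = new Map(); // userId -> send timestamps inside the current window
  return function sendEmailSafe(context, templateName) {
    // In a Meteor method, `this.userId` is set by the server, never by the client.
    if (!context.userId) throw new Error('not-authorized'); // Meteor: new Meteor.Error(...)
    const template = TEMPLATES[templateName];
    if (!template) throw new Error('unknown-template');
    const user = findUser(context.userId);
    const verified = ((user && user.emails) || []).find((e) => e.verified);
    if (!verified) throw new Error('no-verified-email');
    const cutoff = now() - WINDOW_MS;
    const sends = (recent.get(context.userId) || []).filter((t) => t > cutoff);
    if (sends.length >= MAX_PER_WINDOW) throw new Error('too-many-requests');
    sends.push(now());
    recent.set(context.userId, sends);
    return sendMail({ to: verified.address, subject: template.subject, text: template.text });
  };
}

// Registration as it would look inside a Meteor server bundle (skipped under plain Node).
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  const sendEmailSafe = makeSendEmailSafe({
    findUser: (id) => Meteor.users.findOne(id),
    sendMail: (opts) => Email.send({ from: 'noreply@example.com', ...opts }),
  });
  Meteor.methods({ sendEmail(templateName) { return sendEmailSafe(this, templateName); } });
}
```

Hiding the method name on the client changes nothing here; only the server-side checks inside the handler decide who can trigger mail and to whom.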
What a phenomenal article! If you have any ideas about improvements to the docs or meteor guide to make security easier and make these issues more discoverable, that would be awesome.
+1. This is excellent. I don’t remember offhand if these points are incorporated into the Meteor Guides on security, but they should be!
Thanks guys. I haven’t made it to the security section of the guide yet. Once I do, I’ll be sure to let @sashko know if I see any room for improvement (although the rest of the guide has been solid so far).