Starting work on Secure Meteor


#1

Hey all,

I’ve been deep in the weeds of Meteor security since I first fell in love with the framework over three years ago. Over the years, I’ve learned quite a bit about Meteor security and many of the common pitfalls Meteor developers fall into when trying to write secure applications.

Secure Meteor is a new project I’ve started in an attempt to distill and capture everything I’ve learned about Meteor security into a solid resource to help developers secure their Meteor applications.

As you can probably tell, the project is still very much in its early days. As a token of thanks for showing interest, I want to send you the most thorough Meteor security checklist I’ve ever put together.

Let me know what you think!


#2

Awesome! I’m signed up.


#3

Rather than requiring users to input their email, why don’t you just put the info right there?
If it’s going to be some subscription based thingy you’d still want to get people interested with some initial contents.


#4

Thank you, @pcorey . Let me just emphasize that material like this is very much appreciated. Definitely will sign up.


#5

I’m literally throwing money at my screen right now - take my money @pcorey, take it!


#6

Singed up and will try to convince the boss to buy the book for everyone when released :smiley:


#7

I’m not giving you my email for nothing.


#8

Sounds great, I’m in! Still remember reading some of your blog posts about Meteor Security and thought they were well thought out and very helpful!


#9

Nothing? that is not a true statement. He was very explicit on what he’ll be using the email for:

As a teaser and a token of thanks for showing interest, I want to give you the most detailed Meteor security checklist available anywhere, for free!

In addition to the Meteor security checklist, I’ll also send you periodic updates on Secure Meteor, content sneak peaks, and original articles related to securing your Meteor application.

He is sharing solid industry experience and in return he is asking for your email so it can be used later to build interest in his future services and products. In my opinion, a very wise and fair thing to do, it’s a fair market exchange. You can refuse to transact but no need to spread misinformation.


#10

Just to add to @alawi’s reply, @pcorey has been in the “Meteor business” for a long time, is hugely respected in the Meteor community, and has produced a huge amount of information around security. I’m sure you can get much of the information he’s offering by reading his many blog posts, but the chance to get this in one place is a real bonus.


#11

Thanks everybody, I appreciate all of the support! It’s good to hear that there’s some interest in a project like this.

If anyone wants some immediate content, check out some of my security-related posts and articles. I’ll probably be reworking many of these and republishing them to securemeteor.com to centralize all of my security focused content.


#12

Hi - a little off topic, but here is an interesting article about npm security:

–jw


#13

That would be some value add I would be more than willing to pay something for. If it’s then keep up to date over time, even more so… :slight_smile:

That (security), and how you can leverage serverless architectures with e.g. outsourcing some computing/functionality from Meteor into e.g. Google Firebase or AWS Lambda are the two most interesting subjects atm I guess :wink:


#14

Yeah, that was definitely a solid article. A while back I started Package Scan, a Meteor package & web tool for detecting Meteor packages in your application with known vulnerabilities. I didn’t really have intentionally malicious packages in mind when I made it, but if any packages like this made their way into the Meteor ecosystem, they could definitely be added.


#15

Hey all!

It’s been over a year since I first made this post, and I’m excited to say that I actually managed to finish Secure Meteor. I’m really excited to announce that I’ll be releasing it publicly early next week!

I’ve been updating the Secure Meteor website, and I’ve added several sample chapters to give you some feel for the contents of the book. Two of my favorite sample chapters are Renaming Your Way to Admin Rights, and Finding Methods, which do well to stand on their own as informational articles.

I’m really excited to get this into everyone’s hands next week!


#16
Meteor.call("editProfile", {
  $set: { shareOnlineStatus: true },
  $rename: { shareOnlineStatus: "isAdmin" }
});

:face_with_symbols_over_mouth:

Guess I’ll go edit my methods


#17

In my opinion the Meteor community stands to gain a lot from a systematically written piece on security. So props for @pcorey for going through with it!


#18

Agreed, I think one for performance is equally needed to consolidate the community knowledge.


#19

What is this? is this a part of Meteor core?


#20

It’s one of the example attack snippets from the Renaming Your Way to Admin Rights chapter.

Yes, rename modifiers are part of Meteor (because they are part of Mongo)