I’ve been deep in the weeds of Meteor security since I first fell in love with the framework over three years ago. Over the years, I’ve learned quite a bit about Meteor security and many of the common pitfalls Meteor developers fall into when trying to write secure applications.
Secure Meteor is a new project I’ve started in an attempt to distill and capture everything I’ve learned about Meteor security into a solid resource to help developers secure their Meteor applications.
As you can probably tell, the project is still very much in its early days. As a token of thanks for showing interest, I want to send you the most thorough Meteor security checklist I’ve ever put together.
Rather than requiring users to input their email, why don’t you just put the info right there?
If it’s going to be some subscription-based thingy you’d still want to get people interested with some initial contents.
Nothing? That is not a true statement. He was very explicit on what he’ll be using the email for:
As a teaser and a token of thanks for showing interest, I want to give you the most detailed Meteor security checklist available anywhere, for free!
In addition to the Meteor security checklist, I’ll also send you periodic updates on Secure Meteor, content sneak peeks, and original articles related to securing your Meteor application.
He is sharing solid industry experience and in return he is asking for your email so it can be used later to build interest in his future services and products. In my opinion, a very wise and fair thing to do; it’s a fair market exchange. You can refuse to transact but no need to spread misinformation.
Just to add to @alawi’s reply, @pcorey has been in the “Meteor business” for a long time, is hugely respected in the Meteor community, and has produced a huge amount of information around security. I’m sure you can get much of the information he’s offering by reading his many blog posts, but the chance to get this in one place is a real bonus.
Thanks everybody, I appreciate all of the support! It’s good to hear that there’s some interest in a project like this.
If anyone wants some immediate content, check out some of my security-related posts and articles. I’ll probably be reworking many of these and republishing them to securemeteor.com to centralize all of my security-focused content.
That would be some value add I would be more than willing to pay something for. If it’s then kept up to date over time, even more so…
That (security), and how you can leverage serverless architectures with e.g. outsourcing some computing/functionality from Meteor into e.g. Google Firebase or AWS Lambda are the two most interesting subjects atm I guess
Yeah, that was definitely a solid article. A while back I started Package Scan, a Meteor package & web tool for detecting Meteor packages in your application with known vulnerabilities. I didn’t really have intentionally malicious packages in mind when I made it, but if any packages like this made their way into the Meteor ecosystem, they could definitely be added.
It’s been over a year since I first made this post, and I’m excited to say that I actually managed to finish Secure Meteor. I’m really excited to announce that I’ll be releasing it publicly early next week!
I’ve been updating the Secure Meteor website, and I’ve added several sample chapters to give you some feel for the contents of the book. Two of my favorite sample chapters are Renaming Your Way to Admin Rights, and Finding Methods, which do well to stand on their own as informational articles.
I’m really excited to get this into everyone’s hands next week!
In my opinion the Meteor community stands to gain a lot from a systematically written piece on security. So props to @pcorey for going through with it!