Starting work on Secure Meteor

I’ve never allow clients to submit modifier. It’s too much magic.

Looking forward to seeing this!

1 Like

Looking forward for the release.

Just a side note since this is a little ironic :sweat_smile:
Screenshot%20from%202019-02-28%2017-40-54

9 Likes

And such articles could also act as a replacement for all those outdated articles out there and show, that Meteor is a battleproof framework.

4 Likes

Hahaha, good catch. Should be all fixed now.

Eagerly bought this today - it’s out. So full of good stuff. Huge value for the money!

Thank you, @pcorey!

3 Likes

Thanks @illustreets! It’s good to hear that people are finding it valuable.

I did release the book this morning. For anyone who’s interested, you can grab your copy here. I’m super excited to get this resource into everyone’s hands.

Thanks for all of the support everyone!

10 Likes

Got a copy! Looking forward to learning new stuff!

1 Like

Just bought a copy now and looking forward to going through it. Thanks for writing it @pcorey, hope it sells well.

1 Like

I was so excited that I bought it before checking my email with the discount code :laughing:

Even full price is pretty cheap so I don’t mind

2 Likes

Looking forward to read this soon

Screenshot%20from%202019-03-06%2018-32-23

3 Likes

:laughing: Same for me. Didn’t even occur to me.

1 Like

Bought the book!

Excellent stuff so far @pcorey. MDG should make this recommended reading.

Hopefully this motivates @sacha to start work on Discover Meteor II.

3 Likes

Congrats on the release!

I think the chances of this happening are pretty small, but if I did write that book it would be pretty much indistinguishable from the Vulcan.js documentation so you might as well check that out instead :wink:

2 Likes

Hey everyone, the first week of Secure Meteor went above and beyond my expectations. Based on the feedback I’m getting, it sounds like people are really finding the book helpful, which is great to hear. I just wanted to say thanks for all of the support and feedback. It means a lot!

11 Likes

Just bought it! Excited to give it a read. Your blog posts and the security audits you’ve done for us over the years have been immensely helpful.

2 Likes

We bought a copy for our team at comatch.com :slight_smile:

On a side node, it’s great to see that Meteor resources are still in demand. If you can disclose, I would be quite interested to some figures.

3 Likes

Hello Pete, thank you for the good work. I just bought your book to see if I can even improve the (I think already ok security) of my meteor apps.

1 Like

Is there anything related to DoS / DDos and rate limiting websocket requests? I also found not much in the forums on this, besides The Missing Link in Meteor's Rate Limiter (which was also by @pcorey)

I basically want to lock out users that exceeded the limit using nginx instead of using the software layer. But I am still unsure how to keep the bridge from my Meteor Environment to my nginx config.

I could just add IPs to a blacklist using fs and let nginx use this file to know when to lock-out IPs but this gives me somehow a bad feeling. And using services like Cloudflare are unfortunately an anti-requirement in my projects :frowning:

Any suggestions on that in the book or anything planned @pcorey ? Since you opened the linked forum thread I’d like to know how you solved it in the end.

There’s nothing about that in the book. In my mind, that’s more of an issue fixed at an infrastructure level (with nginx rate limiting, like you’re saying), and I wanted to keep the book focused on application-level security. That may be an arbitrary distinction, but I needed to draw the line somewhere.

In the past I’ve set up some basic rate limiting on the /websocket route to reduce the potential for abuse, but I didn’t integrate that into the application in any way. I’m not sure what the best way to do that would be, to be honest.