I’ve never allow clients to submit modifier. It’s too much magic.
Looking forward to seeing this!
Looking forward for the release.
Just a side note since this is a little ironic
And such articles could also act as a replacement for all those outdated articles out there and show, that Meteor is a battleproof framework.
Hahaha, good catch. Should be all fixed now.
Eagerly bought this today - it’s out. So full of good stuff. Huge value for the money!
Thank you, @pcorey!
Thanks @illustreets! It’s good to hear that people are finding it valuable.
I did release the book this morning. For anyone who’s interested, you can grab your copy here. I’m super excited to get this resource into everyone’s hands.
Thanks for all of the support everyone!
Got a copy! Looking forward to learning new stuff!
Just bought a copy now and looking forward to going through it. Thanks for writing it @pcorey, hope it sells well.
I was so excited that I bought it before checking my email with the discount code
Even full price is pretty cheap so I don’t mind
Looking forward to read this soon
Same for me. Didn’t even occur to me.
Bought the book!
Excellent stuff so far @pcorey. MDG should make this recommended reading.
Hopefully this motivates @sacha to start work on Discover Meteor II.
Congrats on the release!
I think the chances of this happening are pretty small, but if I did write that book it would be pretty much indistinguishable from the Vulcan.js documentation so you might as well check that out instead
Hey everyone, the first week of Secure Meteor went above and beyond my expectations. Based on the feedback I’m getting, it sounds like people are really finding the book helpful, which is great to hear. I just wanted to say thanks for all of the support and feedback. It means a lot!
Just bought it! Excited to give it a read. Your blog posts and the security audits you’ve done for us over the years have been immensely helpful.
We bought a copy for our team at comatch.com
On a side node, it’s great to see that Meteor resources are still in demand. If you can disclose, I would be quite interested to some figures.
Hello Pete, thank you for the good work. I just bought your book to see if I can even improve the (I think already ok security) of my meteor apps.
Is there anything related to DoS / DDos and rate limiting websocket requests? I also found not much in the forums on this, besides The Missing Link in Meteor's Rate Limiter (which was also by @pcorey)
I basically want to lock out users that exceeded the limit using nginx instead of using the software layer. But I am still unsure how to keep the bridge from my Meteor Environment to my nginx config.
I could just add IPs to a blacklist using
fs and let nginx use this file to know when to lock-out IPs but this gives me somehow a bad feeling. And using services like Cloudflare are unfortunately an anti-requirement in my projects
Any suggestions on that in the book or anything planned @pcorey ? Since you opened the linked forum thread I’d like to know how you solved it in the end.
There’s nothing about that in the book. In my mind, that’s more of an issue fixed at an infrastructure level (with nginx rate limiting, like you’re saying), and I wanted to keep the book focused on application-level security. That may be an arbitrary distinction, but I needed to draw the line somewhere.
In the past I’ve set up some basic rate limiting on the
/websocket route to reduce the potential for abuse, but I didn’t integrate that into the application in any way. I’m not sure what the best way to do that would be, to be honest.