4. Outline
• Security in modern JavaScript apps
• Security tools in Meteor
• allow/deny rules and methods
• MongoDB injections and check
• browser-policy
Wednesday, October 23, 13
6. Auth in modern JavaScript apps
Client-side rendering and long-lived connections
Are cookies the best choice?
7. Client code in modern JavaScript apps
Shared code on client and server
But client code isn't trusted
8. Databases in modern JavaScript apps
Document-oriented database (e.g. MongoDB)
Not as battle-hardened as more established SQL databases
11. Locking down client code
Tool #1: Not all code has to run in all places.
Meteor.isServer / Meteor.isClient
server/ directory
12. Locking down client code
Tool #2: Client can use database API freely by default, but it can be locked down after prototyping.
13. Locking down client code
Tool #2: Client can use database API freely by default, but it can be locked down after prototyping.
(demo)
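The "lock it down after prototyping" step above is done in Meteor with allow/deny rules on a collection. The following is an added example, not Meteor's own code or the talk's demo: a minimal model of how those rules gate a client write once the permissive default is switched off. It assumes the simplified semantics that a client write goes through only if at least one `allow` callback returns true and no `deny` callback returns true; the `Collection` class, `clientMayWrite`, `insertFromClient`, and the sample rule set are constructed for this example.

```javascript
// Added example (not Meteor's own code): a minimal model of allow/deny rules
// gating client-side writes. Assumed semantics: a client write is permitted
// only if at least one `allow` callback returns true AND no `deny` callback
// returns true. Server-side code would bypass these rules entirely.

class Collection {
  constructor(name) {
    this.name = name;
    this.docs = [];
    this.rules = {
      allow: { insert: [], update: [], remove: [] },
      deny:  { insert: [], update: [], remove: [] },
    };
  }

  // Register allow callbacks, one per operation, as in Posts.allow({...}).
  allow(spec) { this._register('allow', spec); }

  // Register deny callbacks; a single true from any deny rule wins.
  deny(spec) { this._register('deny', spec); }

  _register(kind, spec) {
    for (const op of ['insert', 'update', 'remove']) {
      if (typeof spec[op] === 'function') this.rules[kind][op].push(spec[op]);
    }
  }

  // Decide whether a client identified by userId may perform `op` on `doc`.
  clientMayWrite(op, userId, doc) {
    const allowed = this.rules.allow[op].some(fn => fn(userId, doc) === true);
    const denied = this.rules.deny[op].some(fn => fn(userId, doc) === true);
    return allowed && !denied;
  }

  // Simulate an insert arriving from an untrusted client.
  insertFromClient(userId, doc) {
    if (!this.clientMayWrite('insert', userId, doc)) {
      return { ok: false, error: 'Access denied' };
    }
    this.docs.push(doc);
    return { ok: true };
  }
}

// Constructed sample collection with a typical locked-down rule set:
// logged-in users may insert only documents they own, and no client may
// insert a document already flagged as published.
function buildPostsCollection() {
  const Posts = new Collection('posts');
  Posts.allow({
    insert(userId, doc) { return !!userId && doc.owner === userId; },
  });
  Posts.deny({
    insert(userId, doc) { return doc.published === true; },
  });
  return Posts;
}

// Run a few constructed client writes and report which were accepted.
function demo() {
  const Posts = buildPostsCollection();
  return {
    anonymous: Posts.insertFromClient(null, { owner: 'alice', title: 'x' }).ok,
    ownDoc: Posts.insertFromClient('alice', { owner: 'alice', title: 'x' }).ok,
    spoofedOwner: Posts.insertFromClient('mallory', { owner: 'alice', title: 'x' }).ok,
    deniedField: Posts.insertFromClient('alice', { owner: 'alice', published: true }).ok,
    stored: Posts.docs.length,
  };
}
```

The point of the shape is that the client is never trusted to say who it is or what it may touch: `userId` comes from the server's session, and the rule callbacks inspect the document the client actually sent, so a forged `owner` field or a privileged flag is rejected before anything reaches the database.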
21. Browser policy
Content-Security-Policy: default-src 'none'; script-src 'self' https://mycdn.com 'unsafe-inline'; img-src 'self' https://mycdn.com;
"Browser, only let my site run code and load images from my server and mycdn.com, and also allow inline scripts on my site."
22. Browser policy
Because headers are a pain to configure by hand:
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.allowEval();
BrowserPolicy.content.disallowObject();
BrowserPolicy.framing.disallow();
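To show how calls like the ones above turn into the header on slide 21, here is an added example that is not the browser-policy package's own code: a small builder that composes a Content-Security-Policy value (and an X-Frame-Options header for the framing case) from per-directive origin lists. The directive names and keyword tokens are standard CSP; the `PolicyBuilder` class, its method names, and the two sample policies are assumptions made for this example.

```javascript
// Added example (not the browser-policy package's own code): a builder that
// composes Content-Security-Policy and X-Frame-Options headers in the spirit
// of the BrowserPolicy.content / BrowserPolicy.framing calls on the slide.
// Directive names and keyword tokens are standard CSP; the PolicyBuilder
// class and its method names are assumed for this example.

class PolicyBuilder {
  constructor() {
    // Restrictive baseline: nothing loads unless a directive allows it.
    this.directives = {
      'default-src': new Set(["'none'"]),
      'script-src': new Set(["'self'"]),
      'img-src': new Set(["'self'"]),
    };
    this.inlineScripts = true;  // permitted until disallowInlineScripts()
    this.evalAllowed = false;
    this.objectsAllowed = true; // no object-src directive until disallowObject()
    this.framingAllowed = true; // no X-Frame-Options until disallowFraming()
  }

  allowOrigin(directive, origin) {
    if (!this.directives[directive]) this.directives[directive] = new Set();
    this.directives[directive].add(origin);
    return this;
  }
  allowScriptOrigin(origin) { return this.allowOrigin('script-src', origin); }
  allowImageOrigin(origin) { return this.allowOrigin('img-src', origin); }
  disallowInlineScripts() { this.inlineScripts = false; return this; }
  allowEval() { this.evalAllowed = true; return this; }
  disallowObject() { this.objectsAllowed = false; return this; }
  disallowFraming() { this.framingAllowed = false; return this; }

  // Serialize the CSP value in a stable directive order.
  cspHeader() {
    const scriptExtras = [];
    if (this.inlineScripts) scriptExtras.push("'unsafe-inline'");
    if (this.evalAllowed) scriptExtras.push("'unsafe-eval'");
    const dirs = { ...this.directives };
    dirs['script-src'] = new Set([...dirs['script-src'], ...scriptExtras]);
    if (!this.objectsAllowed) dirs['object-src'] = new Set(["'none'"]);
    const order = ['default-src', 'script-src', 'img-src', 'object-src'];
    return order
      .filter(name => dirs[name] && dirs[name].size > 0)
      .map(name => `${name} ${[...dirs[name]].join(' ')}`)
      .join('; ');
  }

  // All response headers this policy implies.
  headers() {
    const out = { 'Content-Security-Policy': this.cspHeader() };
    if (!this.framingAllowed) out['X-Frame-Options'] = 'DENY';
    return out;
  }
}

// The policy quoted on slide 21: scripts and images from self and mycdn.com,
// inline scripts still permitted.
function slidePolicy() {
  return new PolicyBuilder()
    .allowScriptOrigin('https://mycdn.com')
    .allowImageOrigin('https://mycdn.com')
    .headers();
}

// The same origins after the slide-22 calls: inline scripts off, eval on,
// plugins blocked, framing denied.
function hardenedPolicy() {
  return new PolicyBuilder()
    .allowScriptOrigin('https://mycdn.com')
    .allowImageOrigin('https://mycdn.com')
    .disallowInlineScripts()
    .allowEval()
    .disallowObject()
    .disallowFraming()
    .headers();
}
```

Dropping `'unsafe-inline'` is the change that matters most for script injection, since it stops the browser from running any script that was not loaded from an allowed origin; keeping a builder like this in one place means every directive is emitted consistently rather than hand-edited per route.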
23. Browser policy
More to come in browser-policy:
• CSP reporting?
• Framebusting code?
• Use Meteor templating system to enforce policies that CSP does not?
24. Conclusion
• Modern JavaScript apps are new web security territory.
• Tools in Meteor for locking down client code, preventing database attacks, configuring new browser security features.