Web security at Meteor (Pivotal Labs)

•

1 j'aime•3,738 vues

Emily Stark

Technologie

Meteor is a full-stack
Javascript framework
for quickly building
quality web apps.
Wednesday, October 23, 13

Outline
• Security in modern Javascript apps
• Security tools in Meteor
• allow/deny rules and methods
• MongoDB injections and check
• browser-policy
Wednesday, October 23, 13

Security in modern
Javascript apps

Wednesday, October 23, 13

Auth in modern
Javascript apps
Client-side rendering and long-lived
connections
Are cookies the best choice?

Wednesday, October 23, 13

Client code in modern
Javascript apps
Shared code on client and server
But client code isn’t trusted

Wednesday, October 23, 13

Databases in modern
Javascript apps
Document-oriented database (e.g.
MongoDB)
Not as battle-hardened as more established
SQL databases

Wednesday, October 23, 13

Security tools in
Meteor

Wednesday, October 23, 13

Locking down client
code
Tool #1: Not all code has to run in all
places.

Wednesday, October 23, 13

Locking down client
code
Tool #1: Not all code has to run in all
places.
Meteor.isServer / Meteor.isClient
server/ directory

Wednesday, October 23, 13

Locking down client
code
Tool #2: Client can use database API
freely by default, but it can be locked
down after prototyping.

Wednesday, October 23, 13

Locking down client
code
Tool #2: Client can use database API
freely by default, but it can be locked
down after prototyping.
(demo)

Wednesday, October 23, 13

Locking down client
code
Tool #3: RPCs

Wednesday, October 23, 13

Locking down client
code
Tool #3: RPCs

(demo)

Wednesday, October 23, 13

Mongo injections and
prevention
(demo)

Wednesday, October 23, 13

Mongo injections and
prevention
meteor add audit-argument-checks

Wednesday, October 23, 13

Browser policy
meteor add browser-policy
Conﬁgure X-Frame-Options and
Content-Security-Policy HTTP headers.

Wednesday, October 23, 13

Browser policy
X-Frame-Options: SAMEORIGIN
“Browser, only let my site be framed by web pages
on the same origin as my site.”
Prevents clickjacking attacks.

Wednesday, October 23, 13

Browser policy
Content-Security-Policy: defaultsrc ‘none’; script-src ‘self’
https://mycdn.com ‘unsafe-inline’;
img-src ‘self’ https://mycdn.com;
“Browser, only let my site run code and load images
from my server and mycdn.com, and also allow inline
scripts on my site.”

Wednesday, October 23, 13

Browser policy
Because headers are a pain to conﬁgure by
hand:
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.allowEval();
BrowserPolicy.content.disallowObject();
BrowserPolicy.framing.disallow();

Wednesday, October 23, 13

Browser policy
More to come in browser-policy:

•
•
•

CSP reporting?
Framebusting code?
Use Meteor templating system to enforce
policies that CSP does not?

Wednesday, October 23, 13

Conclusion
•

Modern Javascript apps are new web security
territory.

•

Tools in Meteor for locking down client
code, preventing database attacks, conﬁguring
new browser security features.

Wednesday, October 23, 13

Questions?

emily@meteor.com
@estark37

Wednesday, October 23, 13

Contenu connexe

Tendances

Mule security pgp with Example

D.Rajesh Kumar

Tsc summit #2 - HTTP Header Security

Mikal Villa

Preventing XSS with Content Security Policy

Ksenia Peguero

How vulnerable are your systems after the first line of defense? Do attackers get a stronger foothold after each compromise? How valuable is the data your systems can leak? “Death Star” security describes a system that relies entirely on an outermost security layer and fails catastrophically when breached. As services multiply, they shouldn’t all run in a single, trusted virtual private cloud. Sharing secrets doesn’t scale either, as systems multiply and partners integrate with your product and users. David Strauss explores security methods strong enough to cross the public Internet, flexible enough to allow new services without altering existing systems, and robust enough to avoid single points of failure. David covers the basics of public key infrastructure (PKI), explaining how PKI uniquely supports security and high availability, and demonstrates how to deploy mutual authentication and encryption across a heterogeneous infrastructure, use capability-based security, and use federated identity to provide a uniform frontend experience while still avoiding monolithic backends. David also explores JSON Web Tokens as a solution to session woes, distributing user data and trust without sharing backend persistence. A good written summary of the key talking points: https://www.infoq.com/news/2016/04/oreilysacon-day-one

Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...

David Timothy Strauss

Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere. This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.

Integrity protection for third-party JavaScript

Francois Marier

Network Security and Cryptography.pdf

AdityaKumar1548

Black magic of web attacks Detection and Prevention

Nazar Tymoshyk, CEH, Ph.D.

Mule security - pgp

himajareddys

6 ways to hack your JavaScript application by Viktor Turskyi

OdessaJS Conf

Content Security Policy - The application security Swiss Army Knife

Scott Helme

SMIMP Lightning Talk - DEFCON CryptoVillage

Adam Caudill

Mule security - pgp

charan teja R

Securing the Web @DevDay Da Nang 2018

Sumanth Damarla

[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...

DevDay.org

How to avoid connection pool deadlock

Stephan van Hoof

Pgp security mule

Sindhu VL

JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение

JSFestUA

Out-of-band SQL Injection Attacks (#cypsec'17)

Ömer Çıtak

ASP.NET View State - Security Issues

Ronan Dunne, CEH, SSCP

W3C Content Security Policy

Markus Wichmann

Tendances (20)

Mule security pgp with Example

Tsc summit #2 - HTTP Header Security

Preventing XSS with Content Security Policy

Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...

Integrity protection for third-party JavaScript

Network Security and Cryptography.pdf

Black magic of web attacks Detection and Prevention

Mule security - pgp

6 ways to hack your JavaScript application by Viktor Turskyi

Content Security Policy - The application security Swiss Army Knife

SMIMP Lightning Talk - DEFCON CryptoVillage

Mule security - pgp

Securing the Web @DevDay Da Nang 2018

[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...

How to avoid connection pool deadlock

Pgp security mule

JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение

Out-of-band SQL Injection Attacks (#cypsec'17)

ASP.NET View State - Security Issues

W3C Content Security Policy

Similaire à Web security at Meteor (Pivotal Labs)

Exploring the Possibilities of Sencha and WebRTC

Grgur Grisogono

Flapjack flapjack-project.com setzt auf etablierten Monitoring Systemen auf und ermöglicht es, diese zu einem hoch skalierbaren Gesamtsystem aufzubauen. Flapjack verarbeitet Monitoringergebnisse zu Benachrichtigungen. Damit werden Überwachung und Benachrichtigung entkoppelt. Beispielsweise kann ein Mix aus verschiedenen Nagios-, Icinga- und Sensu-Instanzen checks ausführen und die Ergebnisse an Flapjack zur Verarbeitung weitergeben. Flapjack generiert daraus die Benachrichtigungen, die anschließend via PagerDuty, XMPP, E-Mail oder SMS zugestellt werden. Die Funktionalität von Flapjack steht dank der API für andere Komponenten zur Verfügung. Der Vortrag gibt Einblick in Motivation, Historie, Hintergründe und technischen Aufbau der Software.

OSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt

NETWAYS

Introduction to Cloud Computing

Chathuranga Bandara

CohesiveFT: Get started with public cloud It's time to explore the public cloud. Get familiar with Amazon's AWS EC2 compute and S3 storage. Demo and guides will prep you to do big things with hosting for your websites and apps! Part 2 Hands On: After covering the basics of cloud and virtualization, we'll dive into AWS terminology and getting set up, then we'll all find an image and launch our own AWS instance. Additional information includes VPC vs. VNS3 features, real cloud use cases, and further reading. Hosted by: Ryan Koop, Director of Product Marketing

CIW Lab with CoheisveFT: Get started in public cloud - Part 2 Hands On

Cohesive Networks

CohesiveFT: Get started with public cloud It's time to explore the public cloud. Get familiar with Amazon's AWS EC2 compute and S3 storage. Demo and guides will prep you to do big things with hosting for your websites and apps! Part 1 Cloud & Virtualization: Welcome! We'll run through the basics of public vs. private cloud, the cloud marketplace, and why we picked AWS to demonstrate Hosted by: Margaret Walker, Marketing Specialist

CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...

Cohesive Networks

IT infrastructure rigidity has emerged as one of the leading barriers to achieving the cost efficiency and operational agility required to drive growth. While public cloud such as Amazon Web Services and Rackspace provide this agility, many organizations are precluded from utilizing them due to regulatory, security, performance, and/or existing investments. For these organizations to realize these agility benefits, they must transform their private infrastructures to embrace public cloud principles. During this session, we will explore cloud system architecture principles and best practices. Using the Apache CloudStack cloud orchestration platform and Basho’s Riak CS object store, a complete, open source private cloud will be realized that creates the operational agility and cost-reduction benefits of public clouds.

Building Complete Private Clouds with Apache CloudStack and Riak CS

John Burwell

منصة شليلة

ssuser81f53f

Android Security & Penetration Testing

Subho Halder

The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.

Using Proxies To Secure Applications And More

Josh Sokol

Mojo.js is a JavaScript framework for building Single Page Applications, or static websites in Node.js. It's inspired by Angular.js, Derby.js, Knockout.js, Meteor.js, Ember.js, jQuery, Backbone.js, and many other JavaScript, and non-JavaScript frameworks. Much of the design was inspired by Backbone.js, and Node.js. The core is small, while third-party modules allow you to customize Mojo depending on your requirements. Mojo was built initially to phase out old code, and itself - hence the modularity. The philosophy behind Mojo is to allow you to build on top of your old code base, and slowly strangle out your old application until you have a new, highly maintainable application.

Mojo+presentation+1

Craig Condon

Practice makes perfect. That works in every field. But in the frontend development domain it's crucial to choose and invest your time on the right techniques, tools, libraries, frameworks, as well as methodologies if you want to incur the least amount of overhead. In this talk the speaker takes you through a productive tooling, libraries, frameworks eco-system required to develop modern and robust Web applications easier.

Become a Frontend Developer Ninja using HTML5, JavaScript and CSS3 - Marco Ca...

Codemotion

Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...

Greg Hamer

Continuous Delivery for the Web Platform

Jarrod Overson

Can we trust our processors, routers and other electronic IP components? This important question is often left unanswered. Due to the high production complexity and costs of very-large-scale integration (VLSI) resulting from contemporary transistor designs, the majority of regular users have little to no choice when selecting hardware components and even lower a possibility of validating them. Consequently, many of us are forced to depend on the honesty of big corporations and the assumption that if we apply a commonly used component from a known provider sooner or later someone will find such a threat for us. However, this does not negate the technical feasibility of hardware attacks, proved by research results, neither confirms that our hardware is thoroughly tested e.g. Meltdown and Spectre bugs in Intel CPUs. Moreover, recent scandals, for instance Snowden’s affair, has shown that there are organizations and institutions capable of enormous efforts to compromise the security. The goal of the presentation is to familiarize the audience with current research results on so-called ‘hardware trojan’, understood as intentional manipulations of integrated circuits (ICs) that weaken or compromise the security of the systems.

CONFidence 2018: Who and why should fear hardware trojans? (Adam Kostrzewa)

PROIDEA

Java scriptarchitektur

Sebastian Springer

JavaScript Architektur

Sebastian Springer

Web Performance Optimization @Develer

Massimo Iacolare

Simplified Security Code Review Process

Sherif Koussa

SQL Injection and Clickjacking Attack in Web security

Moutasm Tamimi

Owasp Top 10 - Owasp Pune Chapter - January 2008

abhijitapatil

Similaire à Web security at Meteor (Pivotal Labs) (20)

Exploring the Possibilities of Sencha and WebRTC

OSMC 2013 | Flapjack - monitoring notification system by Birger Schmidt

Introduction to Cloud Computing

CIW Lab with CoheisveFT: Get started in public cloud - Part 2 Hands On

CIW Lab with CoheisveFT: Get started in public cloud - Part 1 Cloud & Virtual...

Building Complete Private Clouds with Apache CloudStack and Riak CS

منصة شليلة

Android Security & Penetration Testing

Using Proxies To Secure Applications And More

Mojo+presentation+1

Become a Frontend Developer Ninja using HTML5, JavaScript and CSS3 - Marco Ca...

Trust in Every Byte - Securing Edge Workflows with Fastly Compute [Cloud Nati...

Continuous Delivery for the Web Platform

CONFidence 2018: Who and why should fear hardware trojans? (Adam Kostrzewa)

Java scriptarchitektur

JavaScript Architektur

Web Performance Optimization @Develer

Simplified Security Code Review Process

SQL Injection and Clickjacking Attack in Web security

Owasp Top 10 - Owasp Pune Chapter - January 2008

Dernier

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

How to convert PDF to text with Nanonets

naman860154

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Delhi Call girls

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Advantages of Hiring UIUX Design Service Providers for Your Business

Pixlogix Infotech

Tata AIG General Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Dernier (20)

Powerful Google developer tools for immediate impact! (2023-24 C)

How to convert PDF to text with Nanonets

Scaling API-first – The story of a global engineering organization

Boost Fertility New Invention Ups Success Rates.pdf

A Year of the Servo Reboot: Where Are We Now?

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

How to Troubleshoot Apps for the Modern Connected Worker

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

A Domino Admins Adventures (Engage 2024)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

Presentation on how to chat with PDF using ChatGPT code interpreter

Boost PC performance: How more available memory can improve productivity

Advantages of Hiring UIUX Design Service Providers for Your Business

Tata AIG General Insurance Company - Insurer Innovation Award 2024

🐬 The future of MySQL is Postgres 🐘

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Axa Assurance Maroc - Insurer Innovation Award 2024

Data Cloud, More than a CDP by Matt Robison

Web security at Meteor (Pivotal Labs)

1. Web security at Meteor Emily Stark, core developer Wednesday, October 23, 13

2. Meteor is a full-stack Javascript framework for quickly building quality web apps. Wednesday, October 23, 13

3. Demo Wednesday, October 23, 13

4. Outline • Security in modern Javascript apps • Security tools in Meteor • allow/deny rules and methods • MongoDB injections and check • browser-policy Wednesday, October 23, 13

5. Security in modern Javascript apps Wednesday, October 23, 13

6. Auth in modern Javascript apps Client-side rendering and long-lived connections Are cookies the best choice? Wednesday, October 23, 13

7. Client code in modern Javascript apps Shared code on client and server But client code isn’t trusted Wednesday, October 23, 13

8. Databases in modern Javascript apps Document-oriented database (e.g. MongoDB) Not as battle-hardened as more established SQL databases Wednesday, October 23, 13

9. Security tools in Meteor Wednesday, October 23, 13

10. Locking down client code Tool #1: Not all code has to run in all places. Wednesday, October 23, 13

11. Locking down client code Tool #1: Not all code has to run in all places. Meteor.isServer / Meteor.isClient server/ directory Wednesday, October 23, 13

12. Locking down client code Tool #2: Client can use database API freely by default, but it can be locked down after prototyping. Wednesday, October 23, 13

13. Locking down client code Tool #2: Client can use database API freely by default, but it can be locked down after prototyping. (demo) Wednesday, October 23, 13

14. Locking down client code Tool #3: RPCs Wednesday, October 23, 13

15. Locking down client code Tool #3: RPCs (demo) Wednesday, October 23, 13

16. Mongo injections and prevention (demo) Wednesday, October 23, 13

17. Mongo injections and prevention check(usernames, [String]); check(age, Match.OneOf(String, Number)); check(profile, { admin: Boolean, location: Match.Optional(String) }); Wednesday, October 23, 13

18. Mongo injections and prevention meteor add audit-argument-checks Wednesday, October 23, 13

19. Browser policy meteor add browser-policy Conﬁgure X-Frame-Options and Content-Security-Policy HTTP headers. Wednesday, October 23, 13

20. Browser policy X-Frame-Options: SAMEORIGIN “Browser, only let my site be framed by web pages on the same origin as my site.” Prevents clickjacking attacks. Wednesday, October 23, 13

21. Browser policy Content-Security-Policy: defaultsrc ‘none’; script-src ‘self’ https://mycdn.com ‘unsafe-inline’; img-src ‘self’ https://mycdn.com; “Browser, only let my site run code and load images from my server and mycdn.com, and also allow inline scripts on my site.” Wednesday, October 23, 13

22. Browser policy Because headers are a pain to conﬁgure by hand: BrowserPolicy.content.disallowInlineScripts(); BrowserPolicy.content.allowEval(); BrowserPolicy.content.disallowObject(); BrowserPolicy.framing.disallow(); Wednesday, October 23, 13

23. Browser policy More to come in browser-policy: • • • CSP reporting? Framebusting code? Use Meteor templating system to enforce policies that CSP does not? Wednesday, October 23, 13

24. Conclusion • Modern Javascript apps are new web security territory. • Tools in Meteor for locking down client code, preventing database attacks, conﬁguring new browser security features. Wednesday, October 23, 13

25. Questions? emily@meteor.com @estark37 Wednesday, October 23, 13

Web security at Meteor (Pivotal Labs)

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Web security at Meteor (Pivotal Labs)

Similaire à Web security at Meteor (Pivotal Labs) (20)

Dernier

Dernier (20)

Web security at Meteor (Pivotal Labs)