Web security at Meteor (Pivotal Labs)
Published in: Technology
Transcript

  • 1. Web security at Meteor Emily Stark, core developer Wednesday, October 23, 13
  • 2. Meteor is a full-stack Javascript framework for quickly building quality web apps.
  • 3. Demo
  • 4. Outline • Security in modern Javascript apps • Security tools in Meteor • allow/deny rules and methods • MongoDB injections and check • browser-policy
  • 5. Security in modern Javascript apps
  • 6. Auth in modern Javascript apps: client-side rendering and long-lived connections. Are cookies the best choice?
  • 7. Client code in modern Javascript apps: shared code on client and server, but client code isn’t trusted.
  • 8. Databases in modern Javascript apps: document-oriented database (e.g. MongoDB), not as battle-hardened as more established SQL databases.
  • 9. Security tools in Meteor
  • 10. Locking down client code. Tool #1: Not all code has to run in all places.
  • 11. Locking down client code. Tool #1: Not all code has to run in all places. Meteor.isServer / Meteor.isClient; server/ directory
  • 12. Locking down client code. Tool #2: Client can use database API freely by default, but it can be locked down after prototyping.
  • 13. Locking down client code. Tool #2: Client can use database API freely by default, but it can be locked down after prototyping. (demo)
  • 14. Locking down client code. Tool #3: RPCs
  • 15. Locking down client code. Tool #3: RPCs (demo)
  • 16. Mongo injections and prevention (demo)
  • 17. Mongo injections and prevention: check(usernames, [String]); check(age, Match.OneOf(String, Number)); check(profile, { admin: Boolean, location: Match.Optional(String) });
  • 18. Mongo injections and prevention: meteor add audit-argument-checks
  • 19. Browser policy: meteor add browser-policy. Configure X-Frame-Options and Content-Security-Policy HTTP headers.
  • 20. Browser policy. X-Frame-Options: SAMEORIGIN “Browser, only let my site be framed by web pages on the same origin as my site.” Prevents clickjacking attacks.
  • 21. Browser policy. Content-Security-Policy: default-src 'none'; script-src 'self' https://mycdn.com 'unsafe-inline'; img-src 'self' https://mycdn.com; “Browser, only let my site run code and load images from my server and mycdn.com, and also allow inline scripts on my site.”
  • 22. Browser policy. Because headers are a pain to configure by hand: BrowserPolicy.content.disallowInlineScripts(); BrowserPolicy.content.allowEval(); BrowserPolicy.content.disallowObject(); BrowserPolicy.framing.disallow();
  • 23. Browser policy. More to come in browser-policy: • CSP reporting? • Framebusting code? • Use Meteor templating system to enforce policies that CSP does not?
  • 24. Conclusion • Modern Javascript apps are new web security territory. • Tools in Meteor for locking down client code, preventing database attacks, configuring new browser security features.
  • 25. Questions? emily@meteor.com @estark37
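Slides 10 to 15 name three tools for locking down client code without showing how allow/deny rules and methods (RPCs) actually decide a write. The following is an added example, not Meteor's own code and not from the talk: a stand-alone model of the documented allow/deny semantics (a write is rejected if any deny callback returns true, otherwise permitted only if at least one allow callback returns true, and a collection with no rules rejects every client write) plus a server-side method that carries its own authorization check. The `RuleSet` class, the `posts` and `secrets` collections, the `methods` object and the `context.userId` stand-in for `this.userId` are all assumptions made for this example.

```javascript
// Added example, not Meteor's own code: a stand-alone model of how Meteor-style
// allow/deny rules decide whether a client-initiated write goes through.
// Semantics being modelled: the write is rejected if ANY deny callback returns
// true; otherwise it is permitted only if at least ONE allow callback returns
// true. A collection with no rules at all rejects every client write, which is
// the "locked down after prototyping" state from slide 12.

class RuleSet {
  constructor() {
    this.allowRules = { insert: [], update: [], remove: [] };
    this.denyRules = { insert: [], update: [], remove: [] };
  }

  allow(rules) {
    for (const op of Object.keys(rules)) this.allowRules[op].push(rules[op]);
  }

  deny(rules) {
    for (const op of Object.keys(rules)) this.denyRules[op].push(rules[op]);
  }

  // Decide whether client `userId` (null when logged out) may perform `op`
  // on `doc`; `fields` lists the top-level fields an update would touch.
  permits(op, userId, doc, fields = []) {
    if (this.denyRules[op].some((fn) => fn(userId, doc, fields))) return false;
    return this.allowRules[op].some((fn) => fn(userId, doc, fields));
  }
}

// Constructed policy for a hypothetical "posts" collection: a logged-in user
// may create posts owned by themselves and edit or remove their own posts, but
// the `owner` field can never be changed from the client.
const posts = new RuleSet();
posts.allow({
  insert(userId, doc) { return userId !== null && doc.owner === userId; },
  update(userId, doc) { return doc.owner === userId; },
  remove(userId, doc) { return doc.owner === userId; },
});
posts.deny({
  update(userId, doc, fields) { return fields.includes('owner'); },
});

// A collection for which no allow/deny rules were ever declared.
const secrets = new RuleSet();

function ownerEditsOwnTitle() {
  return posts.permits('update', 'alice', { owner: 'alice' }, ['title']);   // true
}

function strangerEditsTitle() {
  return posts.permits('update', 'mallory', { owner: 'alice' }, ['title']); // false: no allow rule passes
}

function ownerReassignsOwner() {
  return posts.permits('update', 'alice', { owner: 'alice' }, ['owner']);   // false: deny wins over allow
}

function anonymousInsert() {
  return posts.permits('insert', null, { owner: null });                    // false
}

function lockedDownInsert() {
  return secrets.permits('insert', 'alice', { owner: 'alice' });            // false: no rules, nothing permitted
}

// Tool #3 (slide 14): a server-side method (RPC). Writes made inside a method
// run on the server and bypass the client allow/deny rules, so the method body
// must carry the authorization check itself. `context.userId` stands in for
// Meteor's this.userId inside a method (an assumption of this example).
const methods = {
  addSecret(context, text) {
    if (context.userId === null) throw new Error('not-authorized');
    return { owner: context.userId, text };  // the document the server would insert
  },
};

function methodAsLoggedInUser() {
  return methods.addSecret({ userId: 'alice' }, 'hi').owner;  // 'alice'
}

function methodAsAnonymous() {
  try {
    methods.addSecret({ userId: null }, 'hi');
    return 'allowed';
  } catch (e) {
    return e.message;  // 'not-authorized'
  }
}
```

The point to take from the model is the order of evaluation: deny rules are consulted first and short-circuit the decision, so a deny on the `owner` field holds even though the owner's own allow rule would otherwise pass, and an empty rule set is closed by default rather than open.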
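Slides 16 to 18 cover Mongo injections and `check` but the demo is not in the transcript. The following is an added example, not Meteor's code and not from the talk: a tiny in-memory matcher stands in for MongoDB (equality plus the `$ne` and `$gt` operators, enough to show the failure mode), and a minimal stand-in for `check`/`Match` supports exactly the patterns on slide 17. The `users` data, the `find`, `matchesPattern`, `loginUnchecked` and `loginChecked` functions are constructed for this example.

```javascript
// Added example, not Meteor's code: why an unchecked method argument lets a
// client turn an equality lookup into a match-everything query, and how a
// check()-style type assertion stops it before the query is built.

// Constructed sample data standing in for a users collection.
const users = [
  { username: 'alice', password: 'hunter2', age: 30 },
  { username: 'bob', password: 'letmein', age: 25 },
];

// Minimal stand-in for Mongo's matching: a plain value means equality, an
// object means operators. Only $ne and $gt are modelled here.
function matches(value, condition) {
  if (condition !== null && typeof condition === 'object') {
    return Object.keys(condition).every((op) => {
      if (op === '$ne') return value !== condition[op];
      if (op === '$gt') return value > condition[op];
      throw new Error('unsupported operator ' + op);
    });
  }
  return value === condition;
}

function find(collection, selector) {
  return collection.filter((doc) =>
    Object.keys(selector).every((k) => matches(doc[k], selector[k])));
}

// Minimal stand-in for Meteor's check(value, pattern) and Match, supporting
// the patterns on slide 17: String/Number/Boolean, [Pattern], Match.OneOf,
// Match.Optional and a plain-object pattern (no extra keys allowed).
// This is an assumed model, not the real package.
const Match = {
  OneOf: (...patterns) => ({ kind: 'oneOf', patterns }),
  Optional: (pattern) => ({ kind: 'optional', pattern }),
};

function matchesPattern(value, pattern) {
  if (pattern === String) return typeof value === 'string';
  if (pattern === Number) return typeof value === 'number';
  if (pattern === Boolean) return typeof value === 'boolean';
  if (Array.isArray(pattern)) {
    return Array.isArray(value) && value.every((v) => matchesPattern(v, pattern[0]));
  }
  if (pattern.kind === 'oneOf') return pattern.patterns.some((p) => matchesPattern(value, p));
  if (pattern.kind === 'optional') return value === undefined || matchesPattern(value, pattern.pattern);
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const keys = Object.keys(pattern);
  if (Object.keys(value).some((k) => !keys.includes(k))) return false;
  return keys.every((k) => matchesPattern(value[k], pattern[k]));
}

function check(value, pattern) {
  if (!matchesPattern(value, pattern)) throw new Error('Match error: value does not match pattern');
}

// Vulnerable: trusts whatever the client sends, so an object with an operator
// is passed straight into the selector.
function loginUnchecked(username, password) {
  return find(users, { username, password }).length;  // number of matching users
}

// Hardened: check() rejects anything that is not a string before the query.
function loginChecked(username, password) {
  check(username, String);
  check(password, String);
  return find(users, { username, password }).length;
}

// A client sending {$ne: ""} in place of both strings matches every user.
function operatorObjectMatchesEveryUser() {
  return loginUnchecked({ $ne: '' }, { $ne: '' });   // 2
}

// The same characters inside a string are harmless: the problem is the type.
function operatorStringIsHarmless() {
  return loginUnchecked('{"$ne": ""}', '{"$ne": ""}');  // 0
}

function operatorObjectRejected() {
  try {
    loginChecked({ $ne: '' }, { $ne: '' });
    return 'allowed';
  } catch (e) {
    return 'rejected';
  }
}

function legitimateLogin() {
  return loginChecked('alice', 'hunter2');  // 1
}

// The three check() calls quoted on slide 17, applied to well-formed values.
function slide17PatternsPass() {
  check(['alice', 'bob'], [String]);
  check(30, Match.OneOf(String, Number));
  check({ admin: true }, { admin: Boolean, location: Match.Optional(String) });
  check({ admin: false, location: 'SF' }, { admin: Boolean, location: Match.Optional(String) });
  return true;
}
```

`audit-argument-checks` (slide 18) exists for exactly the gap shown by `loginUnchecked`: a method that never calls `check` on one of its arguments is a method whose selector shape the client controls, and the package turns that omission into an error during development so it is found before deployment.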
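Slides 19 to 22 show the headers `browser-policy` emits and the calls that configure them, without showing how one maps to the other. The following is an added example, not the `browser-policy` package's code and not from the talk: a small model of a BrowserPolicy-style builder that turns the four calls on slide 22 into `Content-Security-Policy` and `X-Frame-Options` values, plus a parser that checks what a resulting policy permits. The directive syntax is real CSP; the `ContentPolicy` and `FramingPolicy` classes, their starting policy, and the `parseCsp` and `permitsInlineScript` helpers are assumptions made for this example.

```javascript
// Added example, not the browser-policy package's code: a model of how a
// BrowserPolicy-style API turns a handful of calls into CSP and X-Frame-Options
// header values, and a parser to check what the resulting policy permits.

class ContentPolicy {
  constructor() {
    // Constructed starting point (an assumption, not the package's default):
    // own origin only, inline scripts allowed, eval and remote plugins not.
    this.directives = {
      'default-src': new Set(["'self'"]),
      'script-src': new Set(["'self'", "'unsafe-inline'"]),
      'img-src': new Set(["'self'"]),
      'object-src': new Set(["'self'"]),
    };
  }

  allowScriptOrigin(origin) { this.directives['script-src'].add(origin); }
  allowImageOrigin(origin) { this.directives['img-src'].add(origin); }
  allowInlineScripts() { this.directives['script-src'].add("'unsafe-inline'"); }
  disallowInlineScripts() { this.directives['script-src'].delete("'unsafe-inline'"); }
  allowEval() { this.directives['script-src'].add("'unsafe-eval'"); }
  disallowEval() { this.directives['script-src'].delete("'unsafe-eval'"); }
  // 'none' replaces every other source: <object>/<embed> plugins are blocked outright.
  disallowObject() { this.directives['object-src'] = new Set(["'none'"]); }

  // Serialize to the header value: "directive source source; directive ...".
  header() {
    return Object.entries(this.directives)
      .map(([name, sources]) => `${name} ${[...sources].join(' ')}`)
      .join('; ');
  }
}

class FramingPolicy {
  constructor() { this.value = 'SAMEORIGIN'; }  // slide 20: only same-origin pages may frame the site
  disallow() { this.value = 'DENY'; }            // no page at all may frame the site
  header() { return this.value; }
}

// The four calls from slide 22, applied to fresh policies.
function slide22Headers() {
  const content = new ContentPolicy();
  const framing = new FramingPolicy();
  content.disallowInlineScripts();
  content.allowEval();
  content.disallowObject();
  framing.disallow();
  return { csp: content.header(), xfo: framing.header() };
}

// Parse a CSP header value back into { directive: [sources] }.
function parseCsp(headerValue) {
  const out = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Would an inline <script> run under this policy? Only if script-src (or
// default-src, which script-src falls back to when absent) carries 'unsafe-inline'.
function permitsInlineScript(headerValue) {
  const csp = parseCsp(headerValue);
  const sources = csp['script-src'] || csp['default-src'] || [];
  return sources.includes("'unsafe-inline'");
}
```

Running `slide22Headers()` yields `default-src 'self'; script-src 'self' 'unsafe-eval'; img-src 'self'; object-src 'none'` and `DENY`. The parser is the useful half for a defender: reading the header back and asking a concrete question ("can inline script run?") is how to confirm that a builder call actually produced the restriction intended, rather than trusting the method name.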
