Web security at Meteor
Emily Stark, core developer

Wednesday, October 23, 13
Meteor is a full-stack Javascript framework for quickly building quality web apps.

Demo

Outline
• Security in modern Javascript apps
• Security tools in Meteor
• allow/deny rules and methods
• MongoDB injections and check
• browser-policy

Security in modern Javascript apps

Auth in modern Javascript apps
Client-side rendering and long-lived connections
Are cookies the best choice?

Client code in modern Javascript apps
Shared code on client and server
But client code isn’t trusted

Databases in modern Javascript apps
Document-oriented database (e.g. MongoDB)
Not as battle-hardened as more established SQL databases

Security tools in Meteor

Locking down client code
Tool #1: Not all code has to run in all places.
Meteor.isServer / Meteor.isClient
server/ directory

Locking down client code
Tool #2: Client can use database API freely by default, but it can be locked down after prototyping.
(demo)

Locking down client code
Tool #3: RPCs
(demo)

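Tools #2 and #3 are only demos in the deck; as an added example (not the talk's code), this is what the server-side decision behind an allow/deny rule and a method can look like, written as plain functions so they can be tested outside Meteor. The `Posts` collection and the Meteor wiring at the end are assumptions.

```javascript
// Added example, not code from the talk: the server-side decisions behind an
// allow/deny rule and a method, written as plain functions so they can be
// tested outside Meteor. `Posts` and the Meteor wiring at the end are assumed.
const EDITABLE_FIELDS = ['title', 'body'];

// allow rule for update: userId comes from the server's session, never from the
// client. The explicit !userId test matters: for a logged-out user and a doc
// with no owner, `doc.owner !== userId` alone would be null !== null and pass.
function canUpdatePost(userId, doc, fieldNames) {
  if (!userId || doc.owner !== userId) return false;
  return fieldNames.every((f) => EDITABLE_FIELDS.includes(f));
}

// deny rule: runs even when an allow rule passed; nobody reassigns ownership.
function deniesOwnerChange(userId, doc, fieldNames) {
  return fieldNames.includes('owner');
}

// Method (RPC) body: the server builds the document from trusted values and the
// one client argument it validated, instead of inserting a client-built doc.
function createPost(userId, title, insert) {
  if (!userId) throw new Error('not-authorized');
  if (typeof title !== 'string' || title.length === 0 || title.length > 200) {
    throw new Error('bad-title');
  }
  return insert({ owner: userId, title: title, createdAt: new Date() });
}

// Wiring, only meaningful inside a Meteor server process (assumed Posts collection).
if (typeof Meteor !== 'undefined' && Meteor.isServer && typeof Posts !== 'undefined') {
  Posts.allow({ update: canUpdatePost });
  Posts.deny({ update: deniesOwnerChange });
  Meteor.methods({
    createPost: function (title) {
      return createPost(this.userId, title, (doc) => Posts.insert(doc));
    },
  });
}
```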
Mongo injections and prevention
(demo)

Mongo injections and prevention
check(usernames, [String]);
check(age, Match.OneOf(String, Number));
check(profile, {
  admin: Boolean,
  location: Match.Optional(String)
});

Mongo injections and prevention
meteor add audit-argument-checks

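As an added example (not the talk's code and not the check package itself), a small stand-in for check()/Match with the slide's call shapes, beside a constructed in-memory lookup that shows the selector injection those checks prevent: a plain-string username finds one user, while an object that reaches the selector unchecked matches the first user instead. The users data and the findOne helper are constructed for this example.

```javascript
// Stand-in for Meteor's check()/Match, constructed for this example (not the real
// package): same call shapes as the slide, enough to show why an untrusted method
// argument must be type-checked before it reaches a Mongo selector.
const Match = {
  Optional: (p) => ({ kind: 'optional', pattern: p }),
  OneOf: (...ps) => ({ kind: 'oneOf', patterns: ps }),
};

function matches(value, pattern) {
  if (pattern === String) return typeof value === 'string';
  if (pattern === Number) return typeof value === 'number';
  if (pattern === Boolean) return typeof value === 'boolean';
  if (Array.isArray(pattern)) // [String]: an array whose every element matches
    return Array.isArray(value) && value.every((v) => matches(v, pattern[0]));
  if (pattern && pattern.kind === 'optional')
    return value === undefined || matches(value, pattern.pattern);
  if (pattern && pattern.kind === 'oneOf')
    return pattern.patterns.some((p) => matches(value, p));
  if (pattern && typeof pattern === 'object') { // object pattern: no extra keys allowed
    if (!value || typeof value !== 'object' || Array.isArray(value)) return false;
    const allowed = Object.keys(pattern);
    return Object.keys(value).every((k) => allowed.includes(k)) &&
      allowed.every((k) => matches(value[k], pattern[k]));
  }
  return false;
}

function check(value, pattern) {
  if (!matches(value, pattern)) throw new Error('Match error: argument does not match pattern');
}

// Constructed in-memory users collection and a tiny selector evaluator that
// understands equality and $ne, which is all the demonstration needs.
const users = [{ username: 'alice', role: 'admin' }, { username: 'bob', role: 'user' }];
function findOne(selector) {
  return users.find((doc) => Object.keys(selector).every((k) => {
    const cond = selector[k];
    if (cond && typeof cond === 'object' && '$ne' in cond) return doc[k] !== cond.$ne;
    return doc[k] === cond;
  }));
}

// Vulnerable: the client's argument becomes part of the selector, so an object
// such as {$ne: ''} matches the first user instead of the named one.
function getUserUnchecked(username) { return findOne({ username: username }); }
// Hardened: check() throws on anything that is not a plain string.
function getUserChecked(username) { check(username, String); return findOne({ username: username }); }
```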
Browser policy
meteor add browser-policy
Configure X-Frame-Options and Content-Security-Policy HTTP headers.

Browser policy
X-Frame-Options: SAMEORIGIN
“Browser, only let my site be framed by web pages on the same origin as my site.”
Prevents clickjacking attacks.

Browser policy
Content-Security-Policy: default-src 'none'; script-src 'self' https://mycdn.com 'unsafe-inline'; img-src 'self' https://mycdn.com;
“Browser, only let my site run code and load images from my server and mycdn.com, and also allow inline scripts on my site.”

Browser policy
Because headers are a pain to configure by hand:
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.allowEval();
BrowserPolicy.content.disallowObject();
BrowserPolicy.framing.disallow();

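As an added example (not the browser-policy package's own code), a builder in the spirit of the BrowserPolicy calls above that assembles the two headers from these slides, plus an evaluator showing how a browser applies the result: a fetch directive that is not listed falls back to default-src, so default-src 'none' closes everything the app did not open. The method names, defaults and exact-origin matching are assumptions of this sketch.

```javascript
// Builder in the spirit of the BrowserPolicy calls on the slide (constructed for
// this example, not the package's code). It starts from the locked-down
// default-src 'none' of the slide and only opens what the app explicitly allows.
function createPolicy() {
  const src = { 'default-src': ["'none'"], 'script-src': ["'self'"], 'img-src': ["'self'"] };
  let inlineScripts = true; // assumed permissive default, like 'unsafe-inline' on the slide
  let framing = 'SAMEORIGIN';
  const policy = {
    allowScriptOrigin(origin) { src['script-src'].push(origin); return policy; },
    allowImageOrigin(origin) { src['img-src'].push(origin); return policy; },
    disallowInlineScripts() { inlineScripts = false; return policy; },
    disallowFraming() { framing = 'DENY'; return policy; },
    headers() {
      const csp = Object.keys(src).map((directive) => {
        const values = src[directive].slice();
        if (directive === 'script-src' && inlineScripts) values.push("'unsafe-inline'");
        return directive + ' ' + values.join(' ');
      }).join('; ');
      return { 'Content-Security-Policy': csp, 'X-Frame-Options': framing };
    },
  };
  return policy;
}

// Parse "name v1 v2; name2 v3" into { name: [v1, v2], name2: [v3] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name] = values;
  }
  return directives;
}

// Would this CSP let `source` load under `directive`? `source` is an origin, or
// 'inline' for an inline script. A fetch directive that is not listed falls back
// to default-src, so default-src 'none' also closes object-src, frame-src, etc.
function cspAllows(header, directive, source, siteOrigin) {
  const d = parseCsp(header);
  const values = d[directive] || d['default-src'] || [];
  return values.some((v) =>
    (v === "'self'" && source === siteOrigin) ||
    (v === "'unsafe-inline'" && source === 'inline') ||
    v === source);
}
```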
Browser policy
More to come in browser-policy:
• CSP reporting?
• Framebusting code?
• Use Meteor templating system to enforce policies that CSP does not?

Conclusion
• Modern Javascript apps are new web security territory.
• Tools in Meteor for locking down client code, preventing database attacks, configuring new browser security features.

Questions?

emily@meteor.com
@estark37

Web security at Meteor (Pivotal Labs)