Security Checklist
- [ ] The `insecure` and `autopublish` packages are not used (remove them with `meteor remove insecure autopublish`)
- [ ] API keys, secrets, and credentials are not in the code base: any file outside the `server/` directory is bundled and shipped to the client
- [ ] API keys, secrets, and credentials are not in the `Meteor.settings.public` object, which is sent to the client (the rest of `Meteor.settings` stays on the server)
- [ ] API keys, secrets, and credentials of the app are not stored in Mongo collections that are published to the client
- [ ] Iron Router routes enforce authentication and authorization; look for the `Router\.route\(` pattern in the code base and check each route (and its hooks) for access controls
- [ ] Collections cannot be updated from the client side; look for the `\.allow\(` pattern in the code base (client-side writes are denied unless an `allow` rule permits them)
- [ ] Collections that define an `allow` rule also define a `deny` rule for the remaining actions (`insert`, `update`, `remove`); `deny` rules take precedence over `allow` rules and make the policy explicit
- [ ] The application denies all client-side updates to user documents; look for `Meteor\.users\.deny\(` in the code base (by default a logged-in user may modify their own `profile` field)
- [ ] User IDs are not taken from user-controllable arguments of Meteor methods and publications; the current user's ID is read only from `this.userId` on the server
- [ ] User IDs are not taken from the client-side Meteor `Session` `userId` value, which any user can set to an arbitrary value; again the user's ID comes only from `this.userId` on the server
- [ ] Publications enforce authorization in the returned query itself (the selector is restricted to the documents the current user may see), not only with a check inside the publication function
- [ ] Selectors and `fields` projections are applied in publications before the data is returned, so the client never receives documents or fields it is not entitled to
- [ ] The application does not execute arbitrary NoSQL selectors received from the client; as a best practice selectors are not user-controlled at all, and any client-supplied filter values are validated (for example with `check`) against an allow-list of fields and scalar values
- [ ] Raw HTML inclusion is not used in Blaze templates; look for the triple-mustache `{{{` pattern
- [ ] Secure HTTP headers are set with Helmet; older browsers ignore some of these headers, so treat them as an extra layer of protection for users of modern browsers rather than a substitute for server-side controls
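Several items above tell the reviewer to grep the code base for a pattern. The following is an added example, not part of the original checklist: a small audit helper in plain Node.js that runs those searches over source text and reports file and line for each hit, plus one "absence" check for `Meteor.users.deny(`. The file names and contents in `SAMPLE_FILES` are constructed to trigger each check; in a real review you would read the files from disk and pass them in the same `{ path: source }` shape.

```javascript
// Added audit helper (not from the checklist page): grep-style checks for the
// patterns the Meteor security checklist asks you to look for.

// Each check: which files it applies to, the pattern to find, and what the hit means.
const LINE_CHECKS = [
  { id: 'insecure-package', files: /\.meteor\/packages$/, re: /^(insecure|autopublish)$/,
    note: 'insecure/autopublish package in use; remove it' },
  { id: 'allow-rule', files: /\.js$/, re: /\.allow\(/,
    note: 'client-side writes allowed; prefer methods, or pair with a deny() rule' },
  { id: 'iron-route', files: /\.js$/, re: /Router\.route\(/,
    note: 'confirm the route or its hooks enforce authentication/authorization' },
  { id: 'triple-mustache', files: /\.html$/, re: /\{\{\{/,
    note: 'raw HTML rendered in Blaze; confirm the value is sanitized' },
  { id: 'publish-args', files: /\.js$/, re: /Meteor\.publish\([^,]+,\s*function\s*\(\s*[A-Za-z_$][^)]*\)/,
    note: 'publication takes client arguments; confirm they never select the user' },
  { id: 'session-userid', files: /\.js$/, re: /Session\.(get|set)\(\s*['"]userId['"]/,
    note: 'userId kept in the client Session is attacker-controlled; use this.userId' },
];

// Run every check over { path: sourceText } and return one finding per hit.
function auditSources(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const lines = source.split('\n');
    for (const check of LINE_CHECKS) {
      if (!check.files.test(path)) continue;
      lines.forEach((line, i) => {
        if (check.re.test(line.trim())) {
          findings.push({ id: check.id, file: path, line: i + 1, text: line.trim(), note: check.note });
        }
      });
    }
  }
  // Absence check: no deny() on Meteor.users means users can edit their own profile.
  const jsSources = Object.entries(files)
    .filter(([path]) => /\.js$/.test(path))
    .map(([, source]) => source)
    .join('\n');
  if (!/Meteor\.users\.deny\(/.test(jsSources)) {
    findings.push({ id: 'users-deny-missing', file: '(all .js)', line: 0, text: '',
      note: 'no Meteor.users.deny(); by default users may update their own profile field' });
  }
  return findings;
}

// One line per finding, suitable for a review log.
function formatFindings(findings) {
  return findings.map((f) => `${f.id}\t${f.file}:${f.line}\t${f.text}\t${f.note}`).join('\n');
}

// Constructed sample "files" that trip every check; not from any real app.
const SAMPLE_FILES = {
  '.meteor/packages': 'meteor-base\nmongo\ninsecure\nautopublish\n',
  'lib/collections.js': "Posts = new Mongo.Collection('posts');\nPosts.allow({ insert: () => true });\n",
  'lib/router.js': "Router.route('/admin', function () { this.render('admin'); });\n",
  'client/post.html': '<template name="post">{{{body}}}</template>\n',
  'client/admin.js': "if (Session.get('userId') === adminId) { showAdminPanel(); }\n",
  'server/publish.js': "Meteor.publish('posts', function (userId) { return Posts.find({ owner: userId }); });\n",
};

console.log(formatFindings(auditSources(SAMPLE_FILES)));
```

The regexes are deliberately loose (they flag candidates, not confirmed bugs); every hit still needs a human to read the surrounding code, which is what the checklist items themselves ask for.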
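The items on publications, client-controlled user IDs and client-supplied selectors describe one pattern: the server decides who the user is and what they may filter on, and the client's input only narrows the result. The following is an added example, not code from the checklist page or from Meteor: the selector-building logic written as plain JavaScript so it runs under Node without Meteor, with a vulnerable shape beside the hardened one. `Meteor.publish`, `this.userId` and the collection appear only in comments; the `owner`, `status`, `tag`, `title` and `secretNote` field names and the sample documents are constructed for the example.

```javascript
// Added example (not from the checklist page): hardened vs. vulnerable selector
// construction for a Meteor publication, as plain functions runnable in Node.

// Fields a client may filter on. Anything else, including the ownership field
// and any Mongo operator key such as $where or $ne, is rejected.
const FILTERABLE_FIELDS = new Set(['status', 'tag']);
// Fields the publication is allowed to send to the client (projection).
const PUBLIC_FIELDS = ['_id', 'owner', 'status', 'title'];

// Accept only { allowedField: scalar } pairs; throw on anything else.
function sanitizeClientFilter(filter) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    throw new Error('filter must be a plain object');
  }
  const clean = {};
  for (const [key, value] of Object.entries(filter)) {
    if (!FILTERABLE_FIELDS.has(key)) throw new Error(`field not allowed in filter: ${key}`);
    if (!['string', 'number', 'boolean'].includes(typeof value)) {
      throw new Error(`non-scalar value for ${key}`); // blocks {$ne: null}, {$where: ...}, etc.
    }
    clean[key] = value;
  }
  return clean;
}

// Hardened: userId is whatever the server knows (this.userId); the client filter
// is sanitized and can never set the owner field. Unauthenticated -> publish nothing.
function buildOwnedPublication(userId, clientFilter) {
  if (typeof userId !== 'string' || userId.length === 0) {
    return { selector: null, fields: PUBLIC_FIELDS };
  }
  const clean = sanitizeClientFilter(clientFilter === undefined ? {} : clientFilter);
  return { selector: { ...clean, owner: userId }, fields: PUBLIC_FIELDS };
}

// Vulnerable: the shape the checklist warns about. userId and filter both come
// from the client, and the filter can even override owner. No projection either.
function vulnerablePublication(args) {
  return { selector: { owner: args.userId, ...(args.filter || {}) }, fields: null };
}

// Minimal in-memory stand-in for Collection.find(selector, { fields }) with
// equality matching only, enough to show what each publication would send.
function runPublication(docs, pub) {
  if (pub.selector === null) return [];
  return docs
    .filter((doc) => Object.entries(pub.selector).every(([k, v]) => doc[k] === v))
    .map((doc) => (pub.fields === null
      ? { ...doc }
      : Object.fromEntries(Object.entries(doc).filter(([k]) => pub.fields.includes(k)))));
}

// Constructed sample documents; secretNote must never reach the client.
const SAMPLE_DOCS = [
  { _id: 'p1', owner: 'alice', status: 'draft', title: 'a', secretNote: 'x' },
  { _id: 'p2', owner: 'alice', status: 'published', title: 'b', secretNote: 'y' },
  { _id: 'p3', owner: 'bob', status: 'published', title: 'c', secretNote: 'z' },
];

// In a Meteor app the hardened helper would be wired up like this (not runnable here):
//   Meteor.publish('myPosts', function (filter) {
//     const pub = buildOwnedPublication(this.userId, filter);
//     return pub.selector === null ? this.ready()
//       : Posts.find(pub.selector, { fields: Object.fromEntries(pub.fields.map((f) => [f, 1])) });
//   });

// bob, logged in, asks the vulnerable publication for alice's documents.
console.log('vulnerable:', runPublication(SAMPLE_DOCS, vulnerablePublication({ userId: 'alice' })));
// alice asks the hardened publication for her published posts.
console.log('hardened:', runPublication(SAMPLE_DOCS, buildOwnedPublication('alice', { status: 'published' })));
```

The same `buildOwnedPublication` shape applies to Meteor methods: take `this.userId`, run the client arguments through a strict allow-list, and build the selector on the server rather than accepting one from the client.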