Does the Meteor.js framework already handle measures against CSRF and XSS attacks? If not, what other precautions must we take into account?
Meteor's page rendering engine takes care of escaping special symbols when dealing with data bindings, which protects against very basic XSS attacks. Meteor also provides very easy to use APIs to control the browser policy (http://docs.meteor.com/#browserpolicy), such as framing options or content policy options.
It is worth mentioning the check and audit-argument-checks packages - those help you to validate user inputs based on their types to prevent MongoDB injections.
CSRF attacks are not possible in Meteor as the framework itself doesn't use cookies at all and prefers HTML5 localStorage which is much harder to spoof.
For advanced account permissions, check out the meteor-roles package: https://atmospherejs.com/alanning/roles. You can implement all of that manually, but the package is well maintained (although it is not part of the core).
See this page for more information: http://security-resources.meteor.com/.
In addition, Emily Stark, a Meteor core developer, spoke a lot about security in Meteor and how it helps you get control over security in your app:
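Added example for the check/audit-argument-checks point in the answer above; it is not code from the answer or from the Meteor project. The `check`, `MatchError` and `Posts` definitions are stand-ins written here so it runs under plain Node; a real Meteor method would use the `check` package and a Mongo collection instead.

```javascript
// Added example (not from the original answer): a minimal stand-in for Meteor's
// check() so the pattern runs under plain Node instead of `meteor/check`.
class MatchError extends Error {}
// Subset of Meteor's Match patterns: String/Number/Boolean, or a plain object
// whose values are patterns (keys the pattern does not list are rejected).
function check(value, pattern) {
  if (pattern === String || pattern === Number || pattern === Boolean) {
    if (typeof value !== pattern.name.toLowerCase()) {
      throw new MatchError(`expected ${pattern.name}, got ${typeof value}`);
    }
    return;
  }
  if (!value || typeof value !== 'object' || Array.isArray(value)) {
    throw new MatchError('expected a plain object');
  }
  for (const key of Object.keys(pattern)) check(value[key], pattern[key]);
  for (const key of Object.keys(value)) {
    if (!(key in pattern)) throw new MatchError(`unexpected key ${key}`);
  }
}

// Constructed in-memory stand-in for a Mongo collection. Like MongoDB, it reads
// an object in the selector as a query operator rather than a literal value.
const Posts = {
  docs: [{ _id: 'p1', owner: 'alice' }, { _id: 'p2', owner: 'bob' }],
  find(selector) {
    const cond = selector.owner;
    if (cond && typeof cond === 'object') {
      return this.docs.filter((d) => '$ne' in cond && d.owner !== cond.$ne);
    }
    return this.docs.filter((d) => d.owner === cond);
  },
};
// Vulnerable method body: the argument's shape is trusted, so an operator
// object sent in place of a string widens the query to other users' posts.
function postsForOwnerUnchecked(owner) {
  return Posts.find({ owner }).map((d) => d._id);
}
// Hardened method body: check() throws unless `owner` really is a string,
// which is the validation audit-argument-checks flags when a method skips it.
function postsForOwnerChecked(owner) {
  check(owner, String);
  return Posts.find({ owner }).map((d) => d._id);
}
// True when the hardened method refuses an operator object with a Match error.
function rejectsOperatorObject() {
  try { postsForOwnerChecked({ $ne: '' }); return false; }
  catch (e) { return e instanceof MatchError; }
}
```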