Meteor.js and CSRF/XSS Attacks

Does the Meteor.js framework already handle measures against CSRF and XSS attacks? If not, what other precautions must we take into account?

Nyxynyx asked Feb 16 '14 04:02

1 Answer

Meteor's page rendering engine takes care of escaping special symbols when dealing with data bindings which saves from very basic XSS attacks. Also Meteor provides very easy to use APIs to control the browser policy (http://docs.meteor.com/#browserpolicy) such as framing options or content policy options.

It is worth mentioning the check and audit-argument-checks packages - those help you to validate user inputs based on their types to prevent MongoDB injections.

CSRF attacks are not possible in Meteor as the framework itself doesn't use cookies at all and prefers HTML5 localStorage which is much harder to spoof.

For advanced accounts permissions, check out the meteor-roles package: https://atmospherejs.com/alanning/roles; you can implement all of that manually, but the package is well maintained (although it is not part of the core).

See this page for more information: http://security-resources.meteor.com/.

In addition, Emily Stark, Meteor Core Dev spoke a lot about security in Meteor and how it helps you to get control over security in your app:

  • Original talk at Meteor Devshop 6
  • Lightning talk on Mongo injection she found
  • A talk at Hack Reactor
  • Meteor and Web Security talk at Pivotal Labs
  • Security in single-paged apps talk at GitHub
  • Why Meteor doesn't use session cookies
imslavko answered Nov 16 '22 03:11
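As an added example (not code from the answer above, and not the real meteor/check package), here is a minimal stand-in for the `check` pattern the answer recommends, showing why typed argument validation stops a Mongo selector injection. The `check` function, `MatchError`, the `matches` selector matcher and the `users` collection are all constructed assumptions that imitate the relevant behaviour of Meteor's `check` and a Mongo query.

```javascript
// Added example: a minimal imitation of Meteor's check() and of a Mongo
// selector, to show the injection that typed validation prevents.
// None of this is the real meteor/check package (assumption for illustration).

class MatchError extends Error {}

// Validate that `value` is exactly the given primitive type (String, Number,
// Boolean), or, for an object pattern, that every key matches recursively and
// no unexpected keys are present.
function check(value, pattern) {
  if (pattern === String || pattern === Number || pattern === Boolean) {
    const want = pattern.name.toLowerCase();
    if (typeof value !== want) {
      throw new MatchError(`Expected ${pattern.name}, got ${JSON.stringify(value)}`);
    }
    return;
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new MatchError(`Expected object, got ${JSON.stringify(value)}`);
  }
  for (const key of Object.keys(pattern)) check(value[key], pattern[key]);
  for (const key of Object.keys(value)) {
    if (!(key in pattern)) throw new MatchError(`Unexpected field ${key}`);
  }
}

// Constructed sample data standing in for a Mongo collection.
const users = [
  { _id: 'u1', username: 'alice', secret: 's1' },
  { _id: 'u2', username: 'bob', secret: 's2' },
];

// Tiny selector matcher: plain equality plus the $ne operator, which is what
// turns an untyped "username" argument into a match-everything query.
function matches(doc, selector) {
  return Object.entries(selector).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$ne' in cond) {
      return doc[field] !== cond.$ne;
    }
    return doc[field] === cond;
  });
}

// Unsafe method body: forwards the client-supplied value straight into the selector.
function findUserUnchecked(username) {
  return users.filter((d) => matches(d, { username }));
}

// Safe method body: check() rejects anything that is not a plain string.
function findUserChecked(username) {
  check(username, String);
  return users.filter((d) => matches(d, { username }));
}
```

With `{ $ne: '' }` passed as the "username", the unchecked version returns every user, while the checked version throws before the query runs.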