web security at meteor (pivotal labs)
TRANSCRIPT
Web security at Meteor
Emily Stark, core developer
Wednesday, October 23, 13
Meteor is a full-stack Javascript framework for quickly building quality web apps.
Demo
Outline
• Security in modern Javascript apps
• Security tools in Meteor
  • allow/deny rules and methods
  • MongoDB injections and check
  • browser-policy
Security in modern Javascript apps
Auth in modern Javascript apps
Client-side rendering and long-lived connections
Are cookies the best choice?
Client code in modern Javascript apps
Shared code on client and server
But client code isn’t trusted
Databases in modern Javascript apps
Document-oriented database (e.g. MongoDB)
Not as battle-hardened as more established SQL databases
Security tools in Meteor
Locking down client code
Tool #1: Not all code has to run in all places.
Meteor.isServer / Meteor.isClient
server/ directory
Locking down client code
Tool #2: Client can use database API freely by default, but it can be locked
down after prototyping.
(demo)
Locking down client code
Tool #3: RPCs
(demo)
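The demos for Tools #2 and #3 are not in the transcript. What follows is an added example, not code from the talk or from Meteor: it runs in plain Node.js by using a `Collection` class and a `callMethod` function that stand in for Meteor's allow/deny evaluation and `Meteor.methods`/`Meteor.call`. The rule callback signatures (`insert(userId, doc)`, `update(userId, doc, fieldNames, modifier)`, `remove(userId, doc)`) follow Meteor's; the `Posts` collection, the user names and the `EDITABLE` field list are made up for the illustration.

```javascript
'use strict';
// Added example, not code from the talk or from Meteor. `Collection` and
// `callMethod` are stand-ins that mimic how Meteor evaluates allow/deny rules
// for client-originated writes and how a server method (Tool #3) bypasses
// them, so the logic runs in plain Node.js.

class Collection {
  constructor() {
    this.docs = new Map();
    this.allowRules = [];
    this.denyRules = [];
    this.nextId = 1;
  }
  allow(rules) { this.allowRules.push(rules); }
  deny(rules) { this.denyRules.push(rules); }

  // Meteor semantics: a client write goes through only if no deny callback
  // returns true and at least one allow callback returns true.
  authorized(op, args) {
    const denied = this.denyRules.some((r) => r[op] && r[op](...args));
    const allowed = this.allowRules.some((r) => r[op] && r[op](...args));
    return !denied && allowed;
  }

  // Server-side write: trusted, rules are not consulted.
  insertTrusted(doc) {
    const _id = String(this.nextId++);
    this.docs.set(_id, Object.assign({ _id }, doc));
    return _id;
  }

  // Client-originated writes: the rules decide.
  insertFromClient(userId, doc) {
    if (!this.authorized('insert', [userId, doc])) throw new Error('Access denied');
    return this.insertTrusted(doc);
  }
  updateFromClient(userId, _id, modifier) {
    const doc = this.docs.get(_id);
    if (!doc) throw new Error('Not found');
    const fieldNames = Object.keys(modifier.$set || {});
    if (!this.authorized('update', [userId, doc, fieldNames, modifier])) throw new Error('Access denied');
    Object.assign(doc, modifier.$set);
    return 1;
  }
  removeFromClient(userId, _id) {
    const doc = this.docs.get(_id);
    if (!doc) throw new Error('Not found');
    if (!this.authorized('remove', [userId, doc])) throw new Error('Access denied');
    this.docs.delete(_id);
    return 1;
  }
}

const Posts = new Collection();

// Tool #2: lock the collection down after prototyping (in a real app, after
// `meteor remove insecure`). Only a logged-in owner may write, and only to
// the fields listed here.
const EDITABLE = ['title', 'body'];
Posts.allow({
  insert: (userId, doc) => !!userId && doc.owner === userId,
  update: (userId, doc, fieldNames) => doc.owner === userId && fieldNames.every((f) => EDITABLE.includes(f)),
  remove: (userId, doc) => doc.owner === userId,
});
// A deny rule wins over every allow rule: no client may ever touch these fields.
Posts.deny({
  update: (userId, doc, fieldNames) => fieldNames.some((f) => f === 'owner' || f === 'createdAt'),
});

// Tool #3: an RPC in the style of Meteor.methods. The server fills in the
// owner and timestamp itself, so the client cannot forge them, and validates
// the one argument it does accept.
const methods = {
  createPost(userId, title) {
    if (!userId) throw new Error('Not logged in');
    if (typeof title !== 'string' || title.length === 0 || title.length > 200) throw new Error('Bad title');
    return Posts.insertTrusted({ title, body: '', owner: userId, createdAt: Date.now() });
  },
};
// Stand-in for Meteor.call: in Meteor, userId comes from the authenticated connection, never from the client.
function callMethod(userId, name, ...args) { return methods[name](userId, ...args); }

// True if the client operation was rejected; used by the demo and tests.
function rejected(fn) { try { fn(); return false; } catch (e) { return true; } }

if (typeof require !== 'undefined' && require.main === module) {
  const id = Posts.insertFromClient('alice', { title: 'Hi', body: '', owner: 'alice' });
  console.log('alice edits her post:', !rejected(() => Posts.updateFromClient('alice', id, { $set: { title: 'Hello' } })));
  console.log('alice reassigns owner:', !rejected(() => Posts.updateFromClient('alice', id, { $set: { owner: 'bob' } })));
  console.log("bob edits alice's post:", !rejected(() => Posts.updateFromClient('bob', id, { $set: { title: 'pwned' } })));
  console.log('method sets owner:', Posts.docs.get(callMethod('carol', 'createPost', 'Via RPC')).owner);
}
```

The split between the two tools is the point: allow/deny rules keep the client's direct database API usable but constrained, whereas a method moves the write to the server entirely, which is the only way to set fields (owner, timestamps) the client must not control.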
Mongo injections and prevention
(demo)
check(usernames, [String]);
check(age, Match.OneOf(String, Number));
check(profile, { admin: Boolean, location: Match.Optional(String)});
meteor add audit-argument-checks
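The injection demo is not in the transcript. The following is an added example, not code from the talk or from Meteor, that runs in plain Node.js without a database: it uses a few-line stand-in for MongoDB selector matching, a stand-in for `check()`/`Match` covering exactly the patterns on the slide, and a stand-in for what `audit-argument-checks` does (throw if a method returns without having checked every argument). The `Users` fixture, the method names and the user names are constructed for the illustration.

```javascript
'use strict';
// Added example, not code from the talk or from Meteor. To run without a
// database or Meteor, it uses (a) a few-line stand-in for MongoDB selector
// matching, (b) a stand-in for Meteor's check()/Match supporting the patterns
// on the slide, and (c) a stand-in for audit-argument-checks. Users is a
// constructed fixture.

const Users = [
  { username: 'admin', email: 'admin@example.com', age: 41 },
  { username: 'alice', email: 'alice@example.com', age: 30 },
];

// (a) Simplified MongoDB matching: equality, plus the operators attackers
// usually reach for. A nested object is treated as an operator object.
function matchesSelector(doc, selector) {
  return Object.keys(selector).every((field) => {
    const have = doc[field];
    const cond = selector[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.keys(cond).every((op) => {
        switch (op) {
          case '$ne': return have !== cond[op];
          case '$gt': return have > cond[op];
          case '$lt': return have < cond[op];
          case '$in': return cond[op].includes(have);
          default: throw new Error('unsupported operator ' + op);
        }
      });
    }
    return have === cond;
  });
}
function findOne(selector) { return Users.find((d) => matchesSelector(d, selector)) || null; }

// (b) check()/Match stand-in. Patterns: String, Number, Boolean, [pattern],
// an object shape, Match.Optional(p) and Match.OneOf(p1, p2, ...).
const Match = {
  Optional: (p) => ({ __optional: p }),
  OneOf: (...ps) => ({ __oneOf: ps }),
  Error: class MatchError extends Error {},
};
const checkedValues = new Set();  // consulted by the audit in (c)
function matchesPattern(value, pattern) {
  if (pattern === String) return typeof value === 'string';
  if (pattern === Number) return typeof value === 'number' && !Number.isNaN(value);
  if (pattern === Boolean) return typeof value === 'boolean';
  if (Array.isArray(pattern)) return Array.isArray(value) && value.every((v) => matchesPattern(v, pattern[0]));
  if (pattern && pattern.__oneOf) return pattern.__oneOf.some((p) => matchesPattern(value, p));
  if (pattern && typeof pattern === 'object') {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
    for (const key of Object.keys(pattern)) {
      const p = pattern[key];
      if (p && p.__optional) {
        if (key in value && !matchesPattern(value[key], p.__optional)) return false;
      } else if (!(key in value) || !matchesPattern(value[key], p)) {
        return false;
      }
    }
    return Object.keys(value).every((k) => k in pattern);  // no extra keys allowed
  }
  throw new Error('unsupported pattern');
}
function check(value, pattern) {
  checkedValues.add(value);
  if (!matchesPattern(value, pattern)) throw new Match.Error('Match error: ' + JSON.stringify(value));
}
function passes(value, pattern) {
  try { check(value, pattern); return true; } catch (e) { if (e instanceof Match.Error) return false; throw e; }
}

// The client controls `username`. A JSON-speaking client is not limited to
// strings: it can send {"$ne": ""}, which MongoDB reads as an operator.
const methods = {
  // Vulnerable: the untrusted argument goes straight into the selector.
  findUserUnchecked(username) { return findOne({ username: username }); },
  // Hardened: check() rejects anything but a string before the query runs.
  findUserChecked(username) { check(username, String); return findOne({ username: username }); },
  // Forgets to check its argument; the audit in (c) catches that.
  lookupAge(age) { return Users.filter((u) => matchesSelector(u, { age: age })).length; },
};

// (c) audit-argument-checks stand-in: after the method body runs, throw if any
// argument was never passed to check(). (Meteor tracks this per invocation;
// one shared Set is enough for a single-threaded demo.)
function callMethod(name, ...args) {
  checkedValues.clear();
  const result = methods[name](...args);
  const unchecked = args.filter((a) => !checkedValues.has(a));
  if (unchecked.length) throw new Error("Did not check() all arguments during call to '" + name + "'");
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unchecked, attacker input:', methods.findUserUnchecked({ $ne: '' }));  // the admin document
  console.log('checked, attacker input:', passes({ $ne: '' }, String) ? 'accepted' : 'rejected by check()');
  try { callMethod('lookupAge', 30); } catch (e) { console.log('audit:', e.message); }
}
```

Note what the type check buys: `{ $ne: '' }` is not a string, so `check(username, String)` throws before a selector is ever built, and the object that would have matched every document never reaches the database. The audit turns "forgot to call check" from a silent hole into a loud failure on the first call.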
Browser policy
meteor add browser-policy
Configure X-Frame-Options and Content-Security-Policy HTTP headers.
X-Frame-Options: SAMEORIGIN
“Browser, only let my site be framed by web pages on the same origin as my site.”
Prevents clickjacking attacks.
Content-Security-Policy: default-src 'none'; script-src 'self' https://mycdn.com 'unsafe-inline'; img-src 'self' https://mycdn.com;
“Browser, only let my site run code and load images from my server and mycdn.com, and also allow inline scripts on my site.”
Every directive not listed (style-src, font-src, connect-src, frame-src and so on) falls back to default-src 'none', so a policy this strict also blocks the app's own stylesheets and its XHR/WebSocket connections until those directives are added.
Because headers are a pain to configure by hand:
BrowserPolicy.content.disallowInlineScripts();  // drops 'unsafe-inline' from script-src
BrowserPolicy.content.allowEval();              // adds 'unsafe-eval' to script-src (loosens the policy)
BrowserPolicy.content.disallowObject();         // object-src 'none': no plugin content
BrowserPolicy.framing.disallow();               // X-Frame-Options: DENY
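An added example, not from the talk or from the browser-policy package: a small evaluator for CSP 1.0 source lists that shows how a browser reads the header from the slide above, and in particular how every directive that is not listed falls back to default-src. It assumes the app itself is served from https://app.example.com (a made-up origin); `disallowInlineScripts` here models the effect of the `BrowserPolicy.content.disallowInlineScripts()` call rather than reproducing the package's code.

```javascript
'use strict';
// Added example, not from the talk or the browser-policy package: a small
// CSP 1.0 evaluator showing how the header on the slide is interpreted, in
// particular that directives not listed fall back to default-src.

const PAGE_ORIGIN = 'https://app.example.com';  // assumed origin of our own app

// The header from the slide, verbatim.
const SLIDE_CSP = "default-src 'none'; script-src 'self' https://mycdn.com 'unsafe-inline'; img-src 'self' https://mycdn.com;";

// Parse "directive src src; directive src;" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

function serializeCsp(policy) {
  return Object.keys(policy).map((d) => [d, ...policy[d]].join(' ')).join('; ') + ';';
}

// Does one source expression match a resource URL?
function sourceMatches(source, url) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  const target = new URL(url);
  if (source === "'self'") return target.origin === PAGE_ORIGIN;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();  // scheme source, e.g. data:
  try { return new URL(source).origin === target.origin; } catch (e) { return false; }  // keywords like 'unsafe-inline' never match a URL
}

// Effective source list for a directive: the directive itself, else default-src.
// With no default-src either, CSP 1.0 leaves that resource type unrestricted.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  return policy['default-src'] || ['*'];
}

// Would the browser load `url` for `directive` (e.g. 'script-src')?
function allows(policy, directive, url) {
  return effectiveSources(policy, directive).some((s) => sourceMatches(s, url));
}

// Would an inline <script> (script-src) or <style> (style-src) be honoured?
function allowsInline(policy, directive) {
  return effectiveSources(policy, directive).includes("'unsafe-inline'");
}

// Models BrowserPolicy.content.disallowInlineScripts(): remove 'unsafe-inline' from script-src.
function disallowInlineScripts(policy) {
  const copy = Object.assign({}, policy);
  copy['script-src'] = effectiveSources(policy, 'script-src').filter((s) => s !== "'unsafe-inline'");
  return copy;
}

// Run the slide's header against the loads a Meteor app actually makes.
function evaluateSlidePolicy() {
  const p = parseCsp(SLIDE_CSP);
  return {
    ownScript: allows(p, 'script-src', PAGE_ORIGIN + '/app.js'),
    cdnScript: allows(p, 'script-src', 'https://mycdn.com/lib.js'),
    evilScript: allows(p, 'script-src', 'https://evil.example/x.js'),
    inlineScript: allowsInline(p, 'script-src'),
    cdnImage: allows(p, 'img-src', 'https://mycdn.com/logo.png'),
    // Not listed, so both fall back to default-src 'none':
    ownStylesheet: allows(p, 'style-src', PAGE_ORIGIN + '/app.css'),
    ownXhr: allows(p, 'connect-src', PAGE_ORIGIN + '/sockjs/info'),
    inlineAfterDisallow: allowsInline(disallowInlineScripts(p), 'script-src'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluateSlidePolicy());
  console.log(serializeCsp(disallowInlineScripts(parseCsp(SLIDE_CSP))));
}
```

The two `false` results for the app's own stylesheet and its connect-src request are the practical lesson of default-src 'none': the header on the slide is a good illustration of the syntax, but an app shipping it would need style-src and connect-src entries before its live data connection worked.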
More to come in browser-policy:
• CSP reporting?
• Framebusting code?
• Use Meteor templating system to enforce policies that CSP does not?
Conclusion
• Modern Javascript apps are new web security territory.
• Tools in Meteor for locking down client code, preventing database attacks, configuring new browser security features.
Questions?
@estark37