Web security at Meteor (Pivotal Labs)
Web security at Meteor
Emily Stark, core developer
Wednesday, October 23, 2013
Meteor is a full-stack JavaScript framework for quickly building quality web apps.
Demo
Outline
• Security in modern JavaScript apps
• Security tools in Meteor
• allow/deny rules and methods
• MongoDB injections and check
• browser-policy
Security in modern JavaScript apps
Auth in modern JavaScript apps
Client-side rendering and long-lived connections
Are cookies the best choice?
Client code in modern JavaScript apps
Shared code on client and server
But client code isn’t trusted
Databases in modern JavaScript apps
Document-oriented database (e.g. MongoDB)
Not as battle-hardened as more established SQL databases
Security tools in Meteor
Locking down client code
Tool #1: Not all code has to run in all places.
Meteor.isServer / Meteor.isClient
server/ directory (code there runs only on the server and is never shipped to the browser)
Locking down client code
Tool #2: The client can use the database API freely by default (the `insecure` package that new apps start with), but it can be locked
down after prototyping: `meteor remove insecure`, then grant only the writes the app needs with allow/deny rules.
(demo)
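The allow/deny decision that Tool #2 relies on, as an added example that is not part of the slides or of Meteor's source: a plain Node.js re-implementation of the rule Meteor applies to writes arriving from the client once the `insecure` package is removed (a write goes through only if some allow callback returns true and no deny callback returns true; with no rules at all, everything is refused). The `RuledCollection` class, the `Posts` collection and its rules are constructed for illustration, and the update path treats the modifier as a flat set of field assignments; Meteor's real update callbacks also receive the modifier, which this model omits.

```javascript
// Added example, not Meteor's code: the allow/deny rule over an in-memory array.
// Meteor's decision: deny callbacks are consulted first and any true vetoes;
// otherwise at least one allow callback must return true.
class RuledCollection {
  constructor(name) {
    this.name = name;
    this.docs = [];
    this.rules = {
      allow: { insert: [], update: [], remove: [] },
      deny: { insert: [], update: [], remove: [] },
    };
  }

  allow(callbacks) { this._addRules('allow', callbacks); }
  deny(callbacks) { this._addRules('deny', callbacks); }

  _addRules(kind, callbacks) {
    for (const op of Object.keys(callbacks)) {
      if (!this.rules[kind][op]) throw new Error(`unknown operation ${op}`);
      this.rules[kind][op].push(callbacks[op]);
    }
  }

  // The decision itself; callbacks get (userId, doc, fieldNames) as in Meteor.
  permits(op, userId, doc, fieldNames) {
    const { allow, deny } = this.rules;
    if (deny[op].some((cb) => cb(userId, doc, fieldNames))) return false;
    return allow[op].some((cb) => cb(userId, doc, fieldNames));
  }

  // Simulates an insert arriving from an untrusted client over the wire.
  clientInsert(userId, doc) {
    if (!this.permits('insert', userId, doc, Object.keys(doc))) {
      throw new Error(`Access denied: insert on ${this.name}`);
    }
    this.docs.push({ ...doc });
    return this.docs.length;
  }

  // Simulates a client update; `modifier` is a flat {field: value} map here.
  clientUpdate(userId, index, modifier) {
    const doc = this.docs[index];
    const fieldNames = Object.keys(modifier);
    if (!doc || !this.permits('update', userId, doc, fieldNames)) {
      throw new Error(`Access denied: update on ${this.name}`);
    }
    Object.assign(doc, modifier);
    return doc;
  }
}

// Hypothetical Posts collection with the rules a typical app would ship.
function makePosts() {
  const Posts = new RuledCollection('posts');
  // Allow: a logged-in user may create and edit posts, but only ones they own.
  Posts.allow({
    insert: (userId, doc) => !!userId && doc.owner === userId,
    update: (userId, doc) => !!userId && doc.owner === userId,
  });
  // Deny: nobody may set or change the server-controlled `approved` flag,
  // even when an allow rule would otherwise let the write through.
  Posts.deny({
    insert: (userId, doc) => 'approved' in doc,
    update: (userId, doc, fieldNames) => fieldNames.includes('approved'),
  });
  return Posts;
}

// Runs six client writes and reports which ones got through.
function runScenario() {
  const Posts = makePosts();
  const outcome = {};
  const attempt = (label, fn) => {
    try { fn(); outcome[label] = 'allowed'; } catch (e) { outcome[label] = 'denied'; }
  };
  attempt('anonymous insert', () => Posts.clientInsert(null, { owner: null, body: 'hi' }));
  attempt('own post', () => Posts.clientInsert('alice', { owner: 'alice', body: 'hi' }));
  attempt('forged owner', () => Posts.clientInsert('mallory', { owner: 'alice', body: 'x' }));
  attempt('self-approve', () => Posts.clientInsert('alice', { owner: 'alice', approved: true }));
  attempt('approve via update', () => Posts.clientUpdate('alice', 0, { approved: true }));
  attempt('edit own body', () => Posts.clientUpdate('alice', 0, { body: 'edited' }));
  return outcome;
}
```

The point of the `approved` deny rule is that deny is a veto layered over whatever allow rules exist, which is how you keep server-only fields out of reach even after opening a collection to client writes.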
Locking down client code
Tool #3: RPCs (server-defined Meteor.methods, invoked from the client with Meteor.call), so the trusted method body on the server performs privileged work instead of the client.
(demo)
Mongo injections and prevention
(demo)
Mongo injections and prevention
check(value, pattern) throws a Match.Error when the argument does not match the pattern, so a method can refuse an object where it expected a string before the value ever reaches a query:
check(usernames, [String]);
check(age, Match.OneOf(String, Number));
check(profile, { admin: Boolean, location: Match.Optional(String)});
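How `check` stops the operator injection shown in the demo, as an added example that is neither code from the talk nor Meteor's check package: a small re-implementation of the pattern language used on the slide (String/Number/Boolean, `[pattern]`, object patterns, `Match.Optional`, `Match.OneOf`), an in-memory stand-in for a Mongo selector so the injection is visible without a database, and a hypothetical `lookupUser` method body in unchecked and checked forms. The `Users` records are constructed sample data. The vector is that method arguments arrive as EJSON over the connection, so a client can send `{ $ne: '' }` where the server expected a string.

```javascript
// Added example, not Meteor's check package: a subset of check()/Match.
const MATCH = Symbol('match');

class MatchError extends Error {}

// Pattern combinators with the call shapes used on the slide.
const Match = {
  Optional: (pattern) => ({ [MATCH]: 'optional', pattern }),
  OneOf: (...patterns) => ({ [MATCH]: 'oneOf', patterns }),
};

// True if value matches pattern. Object patterns reject keys not listed,
// which is what keeps an operator object from slipping through.
function matches(value, pattern) {
  if (pattern === String) return typeof value === 'string';
  if (pattern === Number) return typeof value === 'number' && !Number.isNaN(value);
  if (pattern === Boolean) return typeof value === 'boolean';
  if (Array.isArray(pattern)) {
    return Array.isArray(value) && value.every((v) => matches(v, pattern[0]));
  }
  if (pattern && pattern[MATCH] === 'optional') {
    return value === undefined || matches(value, pattern.pattern);
  }
  if (pattern && pattern[MATCH] === 'oneOf') {
    return pattern.patterns.some((p) => matches(value, p));
  }
  if (pattern && typeof pattern === 'object') {
    if (!value || typeof value !== 'object' || Array.isArray(value)) return false;
    const allowed = new Set(Object.keys(pattern));
    if (!Object.keys(value).every((k) => allowed.has(k))) return false;
    return Object.keys(pattern).every((k) => matches(value[k], pattern[k]));
  }
  throw new Error('unsupported pattern');
}

function check(value, pattern) {
  if (!matches(value, pattern)) {
    throw new MatchError(`Match error: ${JSON.stringify(value)} does not match pattern`);
  }
}

// Constructed sample data standing in for a Mongo collection.
const Users = [
  { username: 'alice', role: 'admin' },
  { username: 'bob', role: 'user' },
];

// Just enough of Mongo's selector semantics to show the problem: a plain
// value means equality, an object carrying $ne / $gt is an operator.
function matchesSelector(doc, selector) {
  return Object.keys(selector).every((field) => {
    const cond = selector[field];
    if (cond && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      if ('$gt' in cond) return doc[field] > cond.$gt;
      return false;
    }
    return doc[field] === cond;
  });
}

function findUsers(selector) {
  return Users.filter((d) => matchesSelector(d, selector)).map((d) => d.username);
}

// Hypothetical method body, vulnerable: trusts that `username` is a string,
// so { $ne: '' } from the client turns the lookup into "every user".
function lookupUserUnchecked(username) {
  return findUsers({ username });
}

// Same method body, hardened: check() throws before the selector is built.
function lookupUserChecked(username) {
  check(username, String);
  return findUsers({ username });
}
```

In a real app the checked form is the body of a `Meteor.methods` entry; the unchecked form is what `audit-argument-checks` exists to catch.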
Mongo injections and prevention
meteor add audit-argument-checks (makes any method or publish function that does not pass every argument through check throw an exception, so an unchecked argument is caught in development rather than found in production)
Browser policy
meteor add browser-policy
Configure X-Frame-Options and Content-Security-Policy HTTP headers.
Browser policy
X-Frame-Options: SAMEORIGIN
“Browser, only let my site be framed by web pages on the same origin as my site.”
Prevents clickjacking attacks.
Browser policy
Content-Security-Policy: default-src 'none'; script-src 'self' https://mycdn.com 'unsafe-inline'; img-src 'self' https://mycdn.com;
“Browser, only let my site run code and load images from my server and mycdn.com, and also allow inline
scripts on my site.”
Browser policy
Because headers are a pain to configure by hand:
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.allowEval();
BrowserPolicy.content.disallowObject();
BrowserPolicy.framing.disallow();
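What those BrowserPolicy calls do to the headers, as an added example that is not the browser-policy package's code: a small model that serialises a Content-Security-Policy and an X-Frame-Options value from the same call names. The starting policy is an assumption modelled on the package's documented defaults of the time (`default-src 'self'`, inline scripts and styles allowed, framing restricted to the same origin); `laxPolicy` and `hardenedPolicy` are hypothetical app configurations, the first keeping the `'unsafe-inline'` from the CSP two slides up, the second applying the calls above. `allowsInlineScript` reads the resulting header the way a reviewer would, to answer the one question that matters for XSS: can an injected inline script still run?

```javascript
// Added example, not the browser-policy package: a model of its call names.
class BrowserPolicyModel {
  constructor() {
    // Assumed starting policy; each directive maps to an ordered source list.
    this.csp = new Map([
      ['default-src', ["'self'"]],
      ['script-src', ["'self'", "'unsafe-inline'"]],
      ['connect-src', ['*']],
      ['img-src', ['data:', "'self'"]],
      ['style-src', ["'self'", "'unsafe-inline'"]],
    ]);
    this.frameOptions = 'SAMEORIGIN';
    this.content = {
      allowScriptOrigin: (origin) => this._add('script-src', origin),
      allowImageOrigin: (origin) => this._add('img-src', origin),
      disallowInlineScripts: () => this._remove('script-src', "'unsafe-inline'"),
      disallowInlineStyles: () => this._remove('style-src', "'unsafe-inline'"),
      allowEval: () => this._add('script-src', "'unsafe-eval'"),
      // object-src must be set explicitly; otherwise default-src 'self'
      // would still let plugins load from the app's own origin.
      disallowObject: () => this.csp.set('object-src', ["'none'"]),
    };
    this.framing = {
      disallow: () => { this.frameOptions = 'DENY'; },
      allowAll: () => { this.frameOptions = null; },
    };
  }

  _add(directive, source) {
    const list = this.csp.get(directive) || [];
    if (!list.includes(source)) list.push(source);
    this.csp.set(directive, list);
  }

  _remove(directive, source) {
    this.csp.set(directive, (this.csp.get(directive) || []).filter((s) => s !== source));
  }

  // Serialise to the two response headers the package manages.
  headers() {
    const csp = [...this.csp]
      .filter(([, srcs]) => srcs.length > 0)
      .map(([directive, srcs]) => `${directive} ${srcs.join(' ')}`)
      .join('; ') + ';';
    const h = { 'Content-Security-Policy': csp };
    if (this.frameOptions) h['X-Frame-Options'] = this.frameOptions;
    return h;
  }
}

// Would an injected <script>alert(1)</script> still execute under this CSP?
function allowsInlineScript(headers) {
  const csp = headers['Content-Security-Policy'];
  const m = /(?:^|;\s*)script-src ([^;]*)/.exec(csp);
  const sources = m ? m[1].split(' ') : [];
  return sources.includes("'unsafe-inline'");
}

// Hypothetical config that only whitelists a CDN: XSS protection is nil,
// because script-src still carries 'unsafe-inline'.
function laxPolicy() {
  const p = new BrowserPolicyModel();
  p.content.allowScriptOrigin('https://mycdn.com');
  p.content.allowImageOrigin('https://mycdn.com');
  return p.headers();
}

// Hypothetical config applying the calls from the slide.
function hardenedPolicy() {
  const p = new BrowserPolicyModel();
  p.content.allowScriptOrigin('https://mycdn.com');
  p.content.allowImageOrigin('https://mycdn.com');
  p.content.disallowInlineScripts();
  p.content.disallowObject();
  p.framing.disallow();
  return p.headers();
}
```

The check to carry away is the one `allowsInlineScript` encodes: a script-src that still contains `'unsafe-inline'` means the CSP does nothing against reflected or stored XSS, however short the origin whitelist is.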
Browser policy
More to come in browser-policy:
• CSP reporting?
• Framebusting code?
• Use Meteor templating system to enforce policies that CSP does not?
Conclusion
• Modern JavaScript apps are new web security territory.
• Tools in Meteor for locking down client code, preventing database attacks, configuring new browser security features.
Questions?
@estark37