Meteor Cheatsheet Security

// Meteor - Security:

By adding browser policies to our app, we add extra security. The policy tells the browser
which origins are trusted to serve scripts and other content to your site, whether the site
may be framed, and whether inline scripts and eval() are permitted.

meteor add browser-policy

BrowserPolicy.framing.disallow();
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.disallowEval();
BrowserPolicy.content.allowInlineStyles();
BrowserPolicy.content.allowFontDataUrl();

// Change these to whatever services your app needs access to
// (declared with var so the file also works in strict mode / ES modules)
var trusted = [
  '*.google-analytics.com',
  '*.googleapis.com',
  '*.gstatic.com',
  '*.stripe.com',
  '*.facebook.com',
  '*.akamaihd.net',
  '*.github.com',
  '*.disquscdn.com',
  '*.cloudfront.net'
];

// Allow each trusted origin for every content type (scripts, styles, images, fonts, ...)
_.each(trusted, function(origin) {
  BrowserPolicy.content.allowOriginForAll(origin);
});

The content of my imports/server/policy.js:

BrowserPolicy.framing.disallow();
BrowserPolicy.content.disallowInlineScripts();
BrowserPolicy.content.disallowEval();
BrowserPolicy.content.allowInlineStyles();
BrowserPolicy.content.allowFontDataUrl();

BrowserPolicy.content.disallowConnect();

var trusted = [
  '*.google-analytics.com'
];

_.each(trusted, function(origin) {
  origin = "https://" + origin;
  BrowserPolicy.content.allowOriginForAll(origin);
});

// The disallowConnect statement will prevent us from using Meteor’s DDP connection, 
// so we should also add the following rules:
var rootUrl = __meteor_runtime_config__.ROOT_URL;
BrowserPolicy.content.allowConnectOrigin(rootUrl);
BrowserPolicy.content.allowConnectOrigin(rootUrl.replace('http', 'ws'));
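To see what the two rule sets above actually grant, the following is an added example, not code from this cheat sheet or from the browser-policy package. It models the Content-Security-Policy and X-Frame-Options headers that the policy.js decisions correspond to, applies the same https:// prefixing and http-to-ws rewrite, and includes a small parser so the resulting policy can be checked in a test instead of eyeballed. The directive wording is an assumption about what browser-policy emits and may differ in detail from the package's real output; the ROOT_URL and trusted list are constructed sample values.

```javascript
// Added example (not from the cheat sheet or the browser-policy package):
// a model of the CSP headers that policy.js corresponds to. Directive
// wording is an assumption, not browser-policy's exact output.

// Same transformation policy.js applies: prefix each trusted host with https://
function httpsOrigins(hosts) {
  return hosts.map(function (host) { return 'https://' + host; });
}

// Same transformation as rootUrl.replace('http', 'ws'):
// http://app.example -> ws://app.example, https://app.example -> wss://app.example
function ddpWebSocketOrigin(rootUrl) {
  return rootUrl.replace('http', 'ws');
}

// Assemble the headers from the same decisions policy.js makes.
// rootUrl stands in for __meteor_runtime_config__.ROOT_URL (constructed here).
function buildPolicy(rootUrl, trusted) {
  var origins = httpsOrigins(trusted);
  var directives = {
    // allowOriginForAll() adds the origin to every content directive
    'default-src': ["'self'"].concat(origins),
    // disallowInlineScripts() and disallowEval(): no 'unsafe-inline', no 'unsafe-eval'
    'script-src': ["'self'"].concat(origins),
    // allowInlineStyles()
    'style-src': ["'self'", "'unsafe-inline'"].concat(origins),
    // allowFontDataUrl()
    'font-src': ["'self'", 'data:'].concat(origins),
    // disallowConnect() then allowConnectOrigin() for HTTP and WebSocket:
    // XHR/fetch/WebSocket may only reach the app's own origin (DDP)
    'connect-src': [rootUrl, ddpWebSocketOrigin(rootUrl)]
  };
  var header = Object.keys(directives).map(function (name) {
    return name + ' ' + directives[name].join(' ');
  }).join('; ') + ';';
  return {
    // framing.disallow(): refuse to be embedded in any frame
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': header
  };
}

// Parse a CSP header string into { directive: [sources] }.
function parseCsp(header) {
  var result = {};
  header.split(';').forEach(function (part) {
    var tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) return;
    result[tokens[0]] = tokens.slice(1);
  });
  return result;
}

// True when the effective script policy still permits inline scripts or eval,
// i.e. the XSS hardening the cheat sheet aims for is not in place.
function allowsInlineOrEval(header) {
  var csp = parseCsp(header);
  var scriptSrc = csp['script-src'] || csp['default-src'] || [];
  return scriptSrc.indexOf("'unsafe-inline'") !== -1 ||
         scriptSrc.indexOf("'unsafe-eval'") !== -1;
}

// Usage with constructed values (in Meteor, ROOT_URL comes from
// __meteor_runtime_config__ on the server).
var headers = buildPolicy('https://app.example', ['*.google-analytics.com']);
console.log(headers['Content-Security-Policy']);
console.log('inline/eval allowed:', allowsInlineOrEval(headers['Content-Security-Policy']));
```

Running this prints a policy whose script-src carries neither 'unsafe-inline' nor 'unsafe-eval', and whose connect-src lists only https://app.example and wss://app.example; the parser-based check is the kind of assertion worth keeping in a test so a later "just add unsafe-inline to make the widget work" change is caught.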

I import this file into my server/main.js:

import '../imports/server/policy.js';

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License