Auditing Meteor Applications

What’s included?

We at “Just Meteor” review / audit Meteor projects and code on a daily basis.

We’ve worked with a bunch of different clients in the course of the last year and saw the same problems over and over again.

We thought: „Hey let’s gather this information as an internal guide“ so that we have a solid checklist which can be used when we start our work with a new client.

But why should we keep this guide internally?

We’ve extended the guide with information, updated and optimized it so that everyone can use it to audit their own Meteor applications / projects.

The first thing we’ll discuss are some general thoughts about the work with Meteor (“Should I use Blaze, React.js or Angular?”, “Should I use iron router or flow router?”).

Next up we look at what’s important when working with a team on a Meteor project.

Best practices and advice in scaling and performance are shown so you can unleash the full potential of your Meteor application.

Deployment is another important thing to get right when working on larger projects. We’ll discuss different environments and how you can setup your own server to run your Meteor app.

An in depth analysis about Meteor security and it’s common pitfalls will make sure that your application is protected against the evil ones.

The last chapter sheds some light on packages. What’s important to understand about packages and Meteor? How do you know which package you should choose?

The end of the book contains a large checklist you can print out to audit your own Meteor application.

Table of contents

Here’s the full table of contents:

1. Introduction

- About this book

- About the author

- How should I read this book

- Feedback / Resources

- You rock

2. A note about opinions

3. General

- Modern JavaScript

- Using libraries

- JavaScript pitfalls

- Blaze, React or Angular?

- Iron router or flow router

- Should I use TDD?

- Directory structure

- Good .gitignore file

- DOM element selection

- Choices

- Transpilers

- Denormalization vs. Normalization

4. Working in a team

- Revision control

- Onboarding developers

- Versioning

- Conventions

- Linters

- Indentation

- The power of TODO comments

- console.log statements

- Comments

- Uncommenting code

- Descriptive naming

- Code collaboration tools

5. Scaling & performance

- Data center location

- MongoDB oplog tailing

- Indexes

- Sticky sessions

- The cluster package

- Finding bottlenecks

- Reduce server load

- Autopublishing

- Overpublishing

- Paginating data

- Publishing needed fields

- Joining packages

- Observers

- Subscriptions manager

- Fast render

- Meteor.defer()

- this.unblock()

- CDN

6. Deployments

- Using Meteor Up

- Different environments

7. Security

- Autopublish and insecure

- Overpublishing data

- Client side data manipulation vs. Methods

- The check package

- The audit-argument-checks package

- The browser-policy package

- The users profile field

- Using Meteor.userId()

- Settings.json

- Meteors special directories

- Using eval

- Package versions

- SSL

- Raw HTML rendering

- Redirecting and security

8. Packages

- Picking a package

- NPM vs. Meteor packages

- Packages only structure

- Updating packages

- Serving private packages

- Number of packages

- Pro tip: Faster package searches with Fastosphere

9. The checklist

10. Just Meteor audit

11. Disclaimer

12. Changelog