3

I have 3 Meteor applications on three different servers. One of them has all the data the 2 others use. I am using ddp.connect().

So the three applications are working just fine, but my concern now is security. I have read about DDP after thinking about security and I didn't find any security options for it. It just allows anyone to connect to the server and get the data using this protocol. How do I prevent this while allowing the 2 others to connect?

The other thing is that it uses HTTP requests (POST, GET), but my apps are now over HTTPS and I want DDP requests to go over HTTPS as well. Is that possible?

I feel like I'm missing something pretty obvious, but I can't find it on Google.

Winter
mohRamadan

1 Answer

1

Your DDP server clients, servers 2 and 3, are no -- or barely -- different from regular web browser clients. All the security you would need to put in place to disallow web clients from doing unwanted stuff (e.g., allow/deny, conditional publications, credential checking in method calls, etc.) can be used for server-to-server connections as well.

DDP should be using websocket, not HTTP (even if the connection URL is specified with http). If you change that URL to be https:// then the DDP communication should be routed over "websocket secure" (wss://).

Christian Fritz
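The credential check in a method call and the conditional publication mentioned in the answer could look like the following for the data server. This is an added example, not code from the question or the answer; the method name `peer.authenticate`, the publication name `sharedData`, the peer names, the secrets, `SharedCollection` and the URL in the comment are all hypothetical.

```javascript
// Added example for the data server (app 1). All names are hypothetical.
const nodeCrypto = require('crypto');

// Assumption: one secret per peer server, provisioned out of band
// (settings or environment). These values are constructed placeholders.
const PEER_SECRETS = { 'app-2': 'constructed-secret-2', 'app-3': 'constructed-secret-3' };
const trusted = new Map(); // DDP connection id -> authenticated peer name

const sha256 = (s) => nodeCrypto.createHash('sha256').update(String(s)).digest();

// Method body: credential check bound to the calling DDP connection.
function peerAuthenticate(peer, secret) {
  if (!this.connection) return false; // not called over DDP
  const known = Object.prototype.hasOwnProperty.call(PEER_SECRETS, peer);
  const expected = known ? PEER_SECRETS[peer] : '';
  // Hash both sides so timingSafeEqual always compares equal-length buffers.
  const ok = known && nodeCrypto.timingSafeEqual(sha256(secret), sha256(expected));
  if (ok) trusted.set(this.connection.id, peer);
  return ok;
}

// Publication body: unauthenticated connections get an empty, ready subscription.
function sharedData(fetchCursor) {
  return function () {
    if (!this.connection || !trusted.has(this.connection.id)) return this.ready();
    return fetchCursor();
  };
}

// Registration only runs inside Meteor, so the file also loads in plain Node.
if (typeof Meteor !== 'undefined') {
  Meteor.methods({ 'peer.authenticate': peerAuthenticate });
  Meteor.publish('sharedData', sharedData(() => SharedCollection.find()));
  // Forget a connection's trust as soon as it closes.
  Meteor.onConnection((conn) => conn.onClose(() => trusted.delete(conn.id)));
}

// Peer side (apps 2 and 3), shown as a comment; https:// makes DDP use wss://
//   const remote = DDP.connect('https://data.example.com');
//   remote.call('peer.authenticate', 'app-2', secretFromSettings, () => {
//     remote.subscribe('sharedData');
//   });
```

Trust is stored per connection id, so a peer that reconnects has to call the method again before subscribing.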