Fix Improper Assets Management in Meteor
Meteor's isomorphic architecture blurs the line between client and server. Improper Assets Management occurs when developers leak sensitive server-side credentials, internal metadata, or source maps into the client-side bundle. By misconfiguring 'Meteor.settings' or failing to isolate server-side logic, you effectively hand attackers a blueprint of your infrastructure and raw credentials via the browser console.
The Vulnerable Pattern
```json
// settings.json - CRITICAL LEAK
{
  "public": {
    "STRIPE_SECRET_KEY": "sk_test_4eC39HqLyjWDarjtT1zdp7dc",
    "INTERNAL_MICROSERVICE_URL": "http://10.0.0.5:8080/api/v1",
    "DEBUG_MODE": true
  }
}
```

```javascript
// client/main.js
// An attacker can simply run this in the DevTools console:
console.log(Meteor.settings.public.STRIPE_SECRET_KEY);
```
The Secure Implementation
The vulnerability stems from the 'public' property in Meteor's settings file, which is automatically pushed to the client-side bundle. To fix this, move all sensitive assets (API keys, internal URLs, database strings) to the root level of the settings object, which remains server-only. Additionally, ensure that any code containing business logic or sensitive algorithms is strictly placed within the '/server' or '/imports/server' directories to prevent it from being bundled into the 'web.browser' JS assets. Finally, ensure production builds have source maps disabled to prevent attackers from reconstructing your original source code from the minified assets.
```json
// settings.json - SECURE SCOPING
{
  "STRIPE_SECRET_KEY": "sk_test_4eC39HqLyjWDarjtT1zdp7dc",
  "public": {
    "STRIPE_PUBLISHABLE_KEY": "pk_test_6pLR6mzP4nuPtmKCDNnnuatE"
  }
}
```

```javascript
// server/methods.js
import { Meteor } from 'meteor/meteor';

// Secret is only accessible on the server
const stripe = require('stripe')(Meteor.settings.STRIPE_SECRET_KEY);
```

```javascript
// client/main.js
console.log(Meteor.settings.public.STRIPE_PUBLISHABLE_KEY); // Safe
console.log(Meteor.settings.STRIPE_SECRET_KEY);            // Undefined on client
```
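The remediation above depends on nobody ever putting a secret back under `public` or importing server code from a client entry point. The following is an added example, not code from the page or from Ghost Labs, of a pre-deploy check that enforces both rules: `auditPublicSettings` walks the `public` subtree of a settings object and flags key names and value shapes that look like server-only material, and `scanBundleForSecrets` checks whether any root-level (server-only) string value ended up inside a built `web.browser` bundle. The key and value patterns, the function names and the sample bundle text are all assumptions constructed for illustration; the two settings objects are the page's own vulnerable and secure examples.

```javascript
// Added example: pre-deploy audit for Meteor settings leakage.
// Plain JavaScript with no Meteor dependency, so it can run under node
// before `meteor build`, or be called from Meteor.startup() on the server.
// All patterns below are illustrative assumptions, not a Meteor API.

// Key names that usually denote server-only material (assumed list).
const SENSITIVE_KEY =
  /(secret|private|password|passwd|token|api[_-]?key|connection[_-]?string|mongo[_-]?url)/i;

// Value shapes that look like credentials or internal endpoints (assumed list).
const SENSITIVE_VALUE = [
  { name: 'stripe-secret-key',   re: /^sk_(live|test)_[A-Za-z0-9]+$/ },
  { name: 'aws-access-key-id',   re: /^AKIA[0-9A-Z]{16}$/ },
  { name: 'private-network-url', re: /^https?:\/\/(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|localhost)/i },
  { name: 'mongodb-uri',         re: /^mongodb(\+srv)?:\/\//i },
];

// Walk settings.public and return one finding per suspicious path.
// Each finding lists every reason it tripped, so a secret-looking key with a
// secret-looking value is reported once, not twice.
function auditPublicSettings(settings) {
  const findings = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      const here = [...path, key];
      const reasons = [];
      if (SENSITIVE_KEY.test(key)) reasons.push('sensitive key name');
      if (typeof value === 'string') {
        for (const { name, re } of SENSITIVE_VALUE) {
          if (re.test(value)) reasons.push(name);
        }
      } else {
        walk(value, here); // nested objects such as public.featureFlags.*
      }
      if (reasons.length) findings.push({ path: here.join('.'), reasons });
    }
  };
  walk(settings && settings.public, ['public']);
  return findings;
}

// Collect every string value that lives outside `public`, i.e. the values
// Meteor keeps server-side. These must never appear in client assets.
function serverOnlyValues(settings) {
  const out = [];
  const walk = (node) => {
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      if (key === 'public') continue;
      if (typeof value === 'string') out.push(value);
      else walk(value);
    }
  };
  walk(settings);
  return out;
}

// Given the text of a built web.browser bundle, return the server-only values
// that were found verbatim inside it (a sign that server code was bundled).
function scanBundleForSecrets(bundleText, settings) {
  return serverOnlyValues(settings).filter((v) => bundleText.includes(v));
}

// Throwing wrapper suitable for Meteor.startup() on the server: refuse to
// boot an app whose public settings would ship secrets to every browser.
function assertNoPublicSecrets(settings) {
  const findings = auditPublicSettings(settings);
  if (findings.length) {
    const detail = findings.map((f) => `${f.path} (${f.reasons.join(', ')})`).join('; ');
    throw new Error(`Secrets present in Meteor.settings.public: ${detail}`);
  }
}

// Constructed samples: the page's vulnerable and secure settings files.
const VULNERABLE_SETTINGS = {
  public: {
    STRIPE_SECRET_KEY: 'sk_test_4eC39HqLyjWDarjtT1zdp7dc',
    INTERNAL_MICROSERVICE_URL: 'http://10.0.0.5:8080/api/v1',
    DEBUG_MODE: true,
  },
};
const SECURE_SETTINGS = {
  STRIPE_SECRET_KEY: 'sk_test_4eC39HqLyjWDarjtT1zdp7dc',
  public: { STRIPE_PUBLISHABLE_KEY: 'pk_test_6pLR6mzP4nuPtmKCDNnnuatE' },
};

// Constructed bundle snippets standing in for web.browser output.
const CLEAN_BUNDLE = 'Meteor.settings.public.STRIPE_PUBLISHABLE_KEY;';
const LEAKY_BUNDLE = 'require("stripe")("sk_test_4eC39HqLyjWDarjtT1zdp7dc");';

console.log('vulnerable:', auditPublicSettings(VULNERABLE_SETTINGS));
console.log('secure:', auditPublicSettings(SECURE_SETTINGS));
console.log('leaked into bundle:', scanBundleForSecrets(LEAKY_BUNDLE, SECURE_SETTINGS));
```

Wire `assertNoPublicSecrets(Meteor.settings)` into a server-only `Meteor.startup` block so a bad `settings.json` fails the deploy instead of quietly shipping credentials, and run `scanBundleForSecrets` over the `web.browser` output of `meteor build` in CI to catch server modules that slipped into the client graph via a shared import. Keep the value patterns narrow: matching on well-known prefixes such as `sk_` and private address ranges avoids noisy false positives on ordinary public configuration.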
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.