From 36eb5dab5add6a1d41d5d276427b0eb04f156c37 Mon Sep 17 00:00:00 2001 From: jamauro Date: Fri, 20 Jan 2023 09:54:15 -0600 Subject: [PATCH] Update security.md Proposing to clarify what is and isn't included in the client bundle when importing `/server` code and using `this.isSimulation` or `Meteor.isServer` --- guide/source/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guide/source/security.md b/guide/source/security.md index cde16b74e0..b824ea2ca5 100644 --- a/guide/source/security.md +++ b/guide/source/security.md @@ -365,7 +365,7 @@ Meteor.users.methods.updateMMR = new ValidatedMethod({ }); ``` -Note that while the Method is defined on the client, the actual secret logic is only accessible from the server. Keep in mind that code inside `if (Meteor.isServer)` blocks is still sent to the client, it is just not executed. So don't put any secret code in there. +Note that while the Method is defined on the client, the actual secret logic is only accessible from the server and the code will **not** be included in the client bundle. Keep in mind that code inside `if (Meteor.isServer)` and `if (!this.isSimulation)` blocks is still sent to the client, it is just not executed. So don't put any secret code in there. Secret API keys should never be stored in your source code at all, the next section will talk about how to handle them.
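Review bot: In the added line, "the code will **not** be included in the client bundle" does not say which code is meant. Read next to the following sentence, which says code inside `if (Meteor.isServer)` and `if (!this.isSimulation)` blocks "is still sent to the client", the paragraph can look self-contradictory. The commit message says the distinction is about importing `/server` code, so name that in the text itself, for example "the actual secret logic is only accessible from the server, and the imported `/server` code will **not** be included in the client bundle". It would also help to say explicitly that the two guard blocks only control execution, so anything written inline inside them, rather than imported from `/server`, still ships to the client. Separately, "is still sent to the client, it is just not executed" is a comma splice carried over from the old line and could be split into two sentences while this line is being touched.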