Since I’m new to the Ember concept, one thing that I’m a bit concerned about is the security aspect. I am using ember-cli and ember-data with a private app that I plan to deploy on the cloud. A few of the concerns that I have are that:
- The whole app is in 1 js file with all your ember data model objects giving a fairly decent idea about how your back end is structured.
- The output of dist in ember-cli doesn’t necessarily appear to be very obfuscated.
- Ember Data itself and the Ember Framework are extremely powerful, yet designed in such a way that the front end app basically contains all the business logic in it and makes REST calls to a back end that basically just provides CRUD REST endpoints. The problem I feel is that if somebody gets a hold of your .js file, they seem to have access to all your Entity Relationship model as well as all your business logic in that 1 JS file.
To mitigate my concern, I’m including my ember-cli app inside of a rails app so that it is secured by authentication, authorization and the CSRF Token.
I would like to understand if my above concern is valid, and also what others are doing to mitigate these risks when writing a private app with ember where you don’t necessarily want a user to really be able to understand and have easy access to your ER Model and Biz logic just by looking at your .JS file.
Ember seems to be very mature and highly used, so I’m sure that the concern I have is more of a Newbie concern, but yet I would appreciate some insight into this.