incubator-couchdb-user mailing list archives

From Sean Hess <seanh...@gmail.com>
Subject Re: Common security pattern?
Date Sun, 03 Jan 2010 16:52:15 GMT
I'm brand new at this, so I don't know the common way to solve this,
but I was thinking it should be possible to put it behind nginx or
apache, and simply return a 503 code if they tried to hit your
database url instead of a document.

If that doesn't work, you could always put a thin middleware layer in
front of couch that did nothing but security. (You can get webservers
to give you the intended URL as a variable)

On Jan 3, 2010, at 6:31 AM, Paweł Stawicki <pawelstawicki@gmail.com>
wrote:

> Hello,
>
> I am thinking about using CouchDB in an app I want to create. In CouchDB
> I can get documents directly from the client's browser by JavaScript and
> it is great, but I have some concerns. I want the app to be accessible
> to everyone without the need to have an account or log in (like
> Wikipedia). If I want everyone to have access to documents, CouchDB
> has to be accessible to the whole internet. If this is the case,
> everyone can even delete the whole database by a single HTTP query :(
>
> It is inevitable that if the DB is accessible on the internet, everyone
> can edit/add/delete documents. After all, this is what I want. But I
> don't want to allow deletion of the whole database. Or access to other
> databases on the same CouchDB server.
>
> Even if I can prevent deletion of whole database, I can't prevent
> deletion of single documents, and malicious user could delete them one
> by one.
>
> So in a nutshell, I have questions:
> 1. Is it possible to prevent deletion of database?
> 2. Is it possible to prevent deletion of documents? Or, even better...
> 3. ...is it possible to limit the number of deleted documents for a specific
> IP per time unit? E.g. one document deletion per minute?
>
> Best regards
> --
> Paweł Stawicki
> http://pawelstawicki.blogspot.com
> http://szczecin.jug.pl
> http://www.java4people.com
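Added example, not code from either poster: a small Python policy object of the kind Sean's "thin middleware layer that does nothing but security" would need, sitting in a reverse proxy in front of a CouchDB that listens only on localhost. It answers Paweł's three questions in order: the database URL itself can never be deleted or re-created, writes to underscore endpoints such as `_bulk_docs` are refused so the per-document limit cannot be bypassed, and document deletions are rate-limited per client IP with a sliding window (one per minute by default). The database name `wiki`, the class and function names, the 403/429 status codes (a policy refusal rather than the 503 Sean mentions) and the sample requests at the bottom are all assumptions made for this example.

```python
"""Request-filtering policy for a CouchDB reverse proxy (added example, assumed design)."""
import re
import time
from collections import defaultdict, deque

PUBLIC_DB = "wiki"       # assumed: the single database exposed to the internet
DELETE_LIMIT = 1         # document deletions allowed per client IP ...
DELETE_WINDOW = 60.0     # ... within this many seconds (one per minute)

# CouchDB URLs: /<db> for the database itself, /<db>/<docid> for a document.
# Paths with more segments (e.g. /wiki/_design/app/_view/x) deliberately do not
# match and are refused; the query string is assumed to be stripped by the caller.
PATH_RE = re.compile(r"^/(?P<db>[a-z][a-z0-9_$()+-]*)(?:/(?P<doc>[^/]+))?/?$")


class DeleteLimiter:
    """Sliding-window count of document deletions per client address."""

    def __init__(self, limit=DELETE_LIMIT, window=DELETE_WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)  # ip -> timestamps of recent deletions

    def allow(self, ip):
        now = self.clock()
        q = self.events[ip]
        while q and now - q[0] >= self.window:  # forget deletions outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class CouchGuard:
    """Decide whether a request may be forwarded to CouchDB.

    check() returns None when the request should be proxied through, or the
    HTTP status the proxy should answer with instead: 403 for a policy
    refusal, 429 when the client exceeded its deletion allowance.
    """

    def __init__(self, limiter=None):
        self.limiter = limiter or DeleteLimiter()

    def check(self, method, path, client_ip):
        m = PATH_RE.match(path)
        if not m or m.group("db") != PUBLIC_DB:
            return 403  # other databases and server endpoints (/_all_dbs, /_config, ...) stay hidden
        method = method.upper()
        doc = m.group("doc")
        if doc is None:
            # The database URL: readable, and POST creates a document, but
            # DELETE (drop the database) and PUT (re-create it) are refused.
            return None if method in ("GET", "HEAD", "POST") else 403
        if doc.startswith("_"):
            # Underscore endpoints (_bulk_docs, _compact, _security, ...) are read-only,
            # otherwise a single bulk request could delete many documents at once.
            return None if method in ("GET", "HEAD") else 403
        if method == "DELETE":
            if self.limiter.limit == 0:
                return 403  # deletions switched off entirely (question 2)
            return None if self.limiter.allow(client_ip) else 429
        if method in ("GET", "HEAD", "PUT", "POST"):
            return None  # ordinary reads and edits of single documents pass through
        return 403


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    guard = CouchGuard()
    for req in [("GET", "/wiki/page1", "10.0.0.1"),
                ("DELETE", "/wiki", "10.0.0.1"),
                ("DELETE", "/wiki/page1", "10.0.0.1"),
                ("DELETE", "/wiki/page2", "10.0.0.1"),
                ("GET", "/_all_dbs", "10.0.0.1")]:
        print(req, "->", guard.check(*req) or "forward")
```

The limiter takes a `clock` argument so the window can be tested deterministically; in production the default monotonic clock is used and the proxy should pass the real client address (not an `X-Forwarded-For` value it has not itself set). Setting `DELETE_LIMIT` to 0 turns the per-IP limit into a blanket refusal of document deletions.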
