incubator-couchdb-user mailing list archives

From Olivier Scherrer <>
Subject Security: exposing the database access to the browser
Date Tue, 08 May 2012 14:46:37 GMT
Hi All,

I've imagined a way to give the browser complete access to CouchDB, with a node.js server
proxying the requests, and would have liked to know the implications in terms of security.

Here's how it works:

The browser sends the request data to a node.js server (like {method:"GET", path:"_all_dbs"}),
which in turn uses its http client to issue the request through something I called a "request
The request handler is configured with CouchDB's url, and it also adds the credentials to
the request, so the request looks like: http://user:password@ipaddress/_all_dbs.
When the results are returned to node.js, it pushes the data back to the browser.

My question is, how secure is this approach? From the browser I could potentially do anything
(POST, DELETE...), the only security being the credentials added by the request handler
on the node.js server. Is that enough or should I add more treatments (like filtering) before
doing the request?

I've written a blog post that pictures the whole solution:
The security concern was brought up by Richard on's Google Group:!topic/socket_io/2_Yovcrc1e0
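
One way to do the filtering asked about above, as an added example that is not part of the original message or the author's code: the node.js server checks each browser-supplied descriptor against an allowlist before the request handler attaches credentials. The database name `notes`, the rule table and the function name `filterRequest` are assumptions.

```javascript
// Added example. The database name "notes" and this policy are assumptions.
// Each rule: which HTTP methods are allowed on which exact path shape.
const RULES = [
  { methods: ["GET"], path: /^notes\/_all_docs$/ },
  { methods: ["GET", "PUT"], path: /^notes\/[a-z0-9][a-z0-9-]{0,63}$/ },
];

// Validate a browser-supplied descriptor such as {method:"GET", path:"_all_dbs"}.
// Returns {ok:true, method, path} to forward, or {ok:false, reason} to refuse.
function filterRequest(req) {
  if (!req || typeof req.method !== "string" || typeof req.path !== "string") {
    return { ok: false, reason: "malformed descriptor" };
  }
  const method = req.method.toUpperCase();
  let path;
  try {
    path = decodeURIComponent(req.path); // decode once, then judge the result
  } catch (e) {
    return { ok: false, reason: "bad percent-encoding" };
  }
  path = path.replace(/^\/+/, "");
  // Traversal, leftover escapes (double encoding), or URL-altering characters.
  if (/\.\.|[%?#\\@:\s]/.test(path)) {
    return { ok: false, reason: "forbidden characters" };
  }
  const rule = RULES.find((r) => r.path.test(path));
  if (!rule) return { ok: false, reason: "path not allowed" };
  if (!rule.methods.includes(method)) {
    return { ok: false, reason: "method not allowed" };
  }
  return { ok: true, method, path: "/" + path };
}

// Constructed sample descriptors, not taken from the original message.
const SAMPLES = [
  { method: "GET", path: "_all_dbs" },
  { method: "get", path: "/notes/abc-1" },
  { method: "DELETE", path: "notes/abc-1" },
  { method: "GET", path: "notes/%2e%2e/_config" },
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(filterRequest(s)));
}
```

Anything that passes the filter still runs with the credentials the server adds, so the CouchDB account behind the proxy should hold only the rights the allowlist needs.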

