incubator-couchdb-user mailing list archives

From Dave Cottlehuber
Subject Re: CouchDB: Prevent regular users from accessing Futon
Date Fri, 15 Nov 2013 09:11:06 GMT

On 14. November 2013 at 21:54:22, Hank Knight wrote:
> I want to know how to block access to Futon (_utils) for CouchDB users
> who are not administrators.
> I create a user like this:
> curl -k -u \
> -X POST \
> -d "{\"_id\": \"org.couchdb.user:${username}\",\"name\": \"${username}\",\"type\": \"user\",\"roles\": [],\"password\": \"${password}\"}" -H "Content-Type: application/json"
> How can I keep that user from accessing Futon?

Alex’s removing _utils is 50% of the answer; it’s security by obscurity (although still
worth doing).

The most important point is to secure your database (validation docs, adding reader/member
roles etc) because any futon-like interface can be pointed to a given couch instance. Whatever
futon can do, a normal HTTP API can do.
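
The advice above, as an added example that is not part of the original message: a `_security` object limits who can read the database, and a `validate_doc_update` function limits who can write, for every HTTP client and not only Futon. The role name `app_members`, the `owner` field, the design document id `_design/auth` and the sample users are assumptions made for illustration.

```javascript
// Added example. Assumed names: role "app_members", field "owner", "_design/auth".

// Body for PUT /<db>/_security: only holders of the role may read the database.
var securityObject = {
  admins:  { names: [], roles: [] },
  members: { names: [], roles: ["app_members"] }
};

// CouchDB runs this on every document write, whichever client sent the request.
// Written in ES5 so the function source can be stored in a design document.
var validateDocUpdate = function (newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf("_admin") !== -1) { return; }  // admins bypass checks
  if (!userCtx.name) {
    throw { unauthorized: "Log in before writing." };
  }
  if (userCtx.roles.indexOf("app_members") === -1) {
    throw { forbidden: "Role app_members is required to write." };
  }
  if (oldDoc && oldDoc.owner !== userCtx.name) {
    throw { forbidden: "Only the owner may change this document." };
  }
  if (!newDoc._deleted && newDoc.owner !== userCtx.name) {
    throw { forbidden: "owner must be your own user name." };
  }
};

// Design document to PUT at /<db>/_design/auth; the function is stored as a string.
function buildDesignDoc() {
  return { _id: "_design/auth", validate_doc_update: validateDocUpdate.toString() };
}

// Local harness: how CouchDB would answer a write (ok, 401 or 403).
function decide(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, securityObject);
    return "ok";
  } catch (e) {
    return e.unauthorized ? "unauthorized" : "forbidden";
  }
}

// Constructed user contexts; "bob" has empty roles like the user in the question.
var alice = { name: "alice", roles: ["app_members"] };
var bob   = { name: "bob", roles: [] };
var anon  = { name: null, roles: [] };
console.log(decide({ _id: "n1", owner: "alice" }, null, alice));
console.log(decide({ _id: "n2", owner: "bob" }, null, bob));
console.log(decide({ _id: "n3", owner: "x" }, null, anon));
```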

