tags:

views:

323

answers:

2
+1  Q: 

How to Secure CouchDB

CouchDB access as a rest service seems insecure. Anyone can hit the database and delete/add documents once it is exposed. What is the best strategy to secure the CouchDB?

+1  A: 

Have you read CouchDB documentation http://couchdb.apache.org/docs/overview.html? It has a "Security and Validation" section that addresses some of your concerns.

Jay Zeng  2009-12-17 17:39:56
Yes, I read the paragraph. Talks about Reader Lists, and says that there is a security model, I'm looking for specifics such as a how-to, examples, api to add to the reader list, etc
steveolyo  2009-12-17 18:53:16
Got you, sounds like you have already done some research. Not sure if this would help: http://books.couchdb.org/relax/reference/security , give it a look if you haven't.
Jay Zeng  2009-12-17 19:18:46
That has some good information, still needs work. I realize that couchdb is still in its infancy. Maybe the read lists are not implemented yet.
steveolyo  2009-12-17 21:36:49
Ok, first it looks like there is a reader list which will provide document security to couchdb, then I find a JIRA entry stating: The "Reader Access" section on the overview page describes a feature that couchdb doesnot currently supply and is unlikely to supply in the stated form in the near future (or possiblyever (https://issues.apache.org/jira/browse/COUCHDB-496)
steveolyo  2009-12-17 22:22:34
Like you said, CouchDB is "still in its infancy".
Jay Zeng  2009-12-17 23:00:39
And as an infant it embodies a lot of great promise. Thanks for the comments.
steveolyo  2009-12-18 00:33:45
A: 

The only thing which really works currently security wise is something like this in your CouchDB configuration.

[couch_httpd_auth]
require_valid_user=true
[admins]
admin = sekrit

This puts basic HTTP auth on all of CouchDB. Even this is not well supportet in client libraries. For python e.g. you need a patched library.

The second approach is to put a proxy in front of CouchDB and let the proxy do the authentication and authorization work. Due to CouchDB's RESTful design this is quite easy.

All other approaches must be considered up to now highly experimental.

mdorseif  2009-12-26 19:18:05
Putting a proxy in front of Couch is a great idea, but adds some overhead. I have apache as a proxy currently. I think I'll rephrase the question as a new one here on stackoverflow
steveolyo  2009-12-31 21:29:28

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security