> On 05 May 2015, at 15:50, Giovanni Lenzi <[email protected]> wrote: > >> CouchDB has no way of blocking requests to _changes that have no filter > parameter > Why? _rewrite handler is used to allow only requests complying with your > api, and therefore preventing requests to changes withouth a filter. You > can have a look to rewrites.json file for this. > > I agree proxy is a best practice as a load balancer and to forward only > requests to allowed vhosts, like Smileupps, Iriscouch or Cloudant all are > doing, even if it's not strictly mandatory for security. > > Anyway, I was not interested here, in raising this kind of technical > discussion. My starting e-mail only wanted to be constructive, by proposing > a way to push content around CouchDB and Couchapps, to help everyone > understand what they really can and cannot do.
I’m sorry to derail this, but I want to make sure I understand your system before I can argue for or against your claims :) Your point that CouchApps can be a platform is well taken, thank you for that! You equally can’t force a client to use a _request handler, only if you block requests without a Host: header in a proxy in front of CouchDB, otherwise, again, the system is insecure (I helped build it that way). Best Jan -- > > > 2015-05-05 15:21 GMT+02:00 Jan Lehnardt <[email protected]>: > >> >>> On 05 May 2015, at 15:14, Giovanni Lenzi <[email protected]> wrote: >>> >>>> That happens in a proxy outside of CouchDB then? >>> >>> No, it happens in the changes filter of the design document. >> >> You cannot force a client to use a filter. CouchDB has no way of blocking >> requests to _changes that have no filter parameter. If you are not doing >> that in a proxy, your system is not secure. >> >> Best >> Jan >> -- >> Professional Support for Apache CouchDB: >> http://www.neighbourhood.ie/couchdb-support/ >> >> -- Professional Support for Apache CouchDB: http://www.neighbourhood.ie/couchdb-support/
