On 14. November 2013 at 21:54:22, Hank Knight ([email protected]) wrote:
>
> I want to know how to block access to Futon (_utils) for CouchDB users
> who are not administrators.
>
> I create a user like this:
> curl -k -u [email protected]:password123 \
> -X POST https://zqzqzqz555.couchappy.com/_users \
> -d "{\"_id\": \"org.couchdb.user:${username}\",\"name\": \"${username}\",\"type\": \"user\",\"roles\": [],\"password\": \"${password}\"}" -H "Content-Type: application/json"
>
> How can I keep that user from accessing Futon?

Alex’s removing _utils is 50% of the answer; it’s security by obscurity (although still worth doing). The most important point is to secure your database (validation docs, adding reader/member roles etc) because any futon-like interface can be pointed to a given couch instance. Whatever futon can do, a normal HTTP API can do.

A+
Dave
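
The two database-side controls named in the reply above (member roles and a validation function), as an added example that is not part of the original thread. The database name `mydb`, the role names, the `owner` field and the design document id are assumptions.

```javascript
// Added example; database name, role names and the owner field are hypothetical.

// Body for PUT /mydb/_security. With a non-empty members list, only these
// roles (plus admins) can read the database, whichever client is used.
const securityObject = {
  admins:  { names: [], roles: ["mydb_admin"] },
  members: { names: [], roles: ["mydb_reader", "mydb_writer"] }
};

// validate_doc_update runs on every write to the database, so it applies
// equally to Futon, curl and any other HTTP client.
const validateDocUpdate = function (newDoc, oldDoc, userCtx, secObj) {
  var roles = userCtx.roles || [];
  if (roles.indexOf("_admin") !== -1) { return; }      // server admin
  if (!userCtx.name) {
    throw { unauthorized: "Log in before writing." };
  }
  if (roles.indexOf("mydb_writer") === -1) {
    throw { forbidden: "Role mydb_writer is required to write." };
  }
  if (oldDoc && oldDoc.owner !== userCtx.name) {
    throw { forbidden: "Only the owner may change this document." };
  }
  if (newDoc._deleted) { return; }                      // owner may delete
  if (newDoc.owner !== userCtx.name) {
    throw { forbidden: "owner must equal the authenticated user." };
  }
};

// Body for PUT /mydb/_design/auth: CouchDB stores the function as source text.
function buildDesignDoc() {
  return { _id: "_design/auth", validate_doc_update: validateDocUpdate.toString() };
}

// Evaluate a constructed write locally: "ok", "forbidden" or "unauthorized".
function check(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, securityObject);
    return "ok";
  } catch (e) {
    return e.forbidden ? "forbidden" : "unauthorized";
  }
}
```

A user created with `"roles": []`, as in the question, is rejected by this function on every write and is not a member under this `_security` object.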
