Given that CouchDB exposes its functionality over HTTP through a RESTful API, IMHO it should allow defining such important HTTP headers for security directly. Only being able to rely on additional infrastructure to secure the system is problematic. Indeed, many production deployments will have such infrastructure in place, but it will not always be the case. Even if it is, it would also require mTLS to ensure a good level of security. Moreover, SSL termination is indeed one way, but it's based on the "old way" of considering internal traffic as trusted, which is not in line with current security practices. Defense in depth also considers internal traffic as requiring secure communications.
kr,
Sébastien

On Thu, Jul 2, 2020 at 7:17 PM Joan Touzet <[email protected]> wrote:
> Best option: use a reverse proxy like haproxy or nginx to inject these.
> You can also terminate SSL at this layer for better SSL support and
> performance.
>
> -Joan
>
> On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
> > Hi
> >
> > In our project we would like to set the header X-Content-Type-Options
> > and strict-transport-security whenever CouchDB responds to a request
> >
> > How can we set the headers?
> >
> > Thanks in advance
> >
> > Regards
> > Darshan
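The reverse-proxy approach Joan suggests, written out as an added example (this is not configuration from the thread or from the CouchDB project). It assumes a hypothetical public name db.example.com, CouchDB listening on its default 127.0.0.1:5984, and placeholder certificate paths:

```nginx
# Added example: nginx terminating TLS in front of CouchDB and injecting
# the two headers Darshan asked about. Hostname, backend address and
# certificate paths are assumptions, not values from the thread.

server {
    listen 80;
    server_name db.example.com;
    # Do not serve the API over plain HTTP at all. HSTS only takes effect
    # once a client has seen the header over a valid TLS connection.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name db.example.com;

    ssl_certificate     /etc/nginx/tls/db.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/db.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # "always" makes nginx add the header on 4xx/5xx responses too.
    # Without it a 401 from CouchDB (a very common response for an
    # authenticating API) would go out with no HSTS header at all.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options    "nosniff" always;

    location / {
        # Caveat: any add_header placed inside this location block would
        # REPLACE the server-level add_header set above rather than extend
        # it. Keep all security headers at a single level.
        proxy_pass http://127.0.0.1:5984;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, check the result with `curl -sI https://db.example.com/` and confirm both headers appear on a 401 as well as on a 200. Sébastien's objection about trusting the hop between proxy and database still applies to this configuration: the `proxy_pass` target here is plain HTTP on loopback. If CouchDB is on another host, point `proxy_pass` at CouchDB's TLS listener instead and enable upstream verification on the nginx side (`proxy_ssl_verify on` with `proxy_ssl_trusted_certificate`), optionally presenting a client certificate with `proxy_ssl_certificate` / `proxy_ssl_certificate_key` for mTLS; those directives are nginx's own, and the matching CouchDB listener settings are outside the scope of this thread.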
