I want to know how to block access to Futon (_utils) in CouchDB for readers, allowing access only for admins. I need to do this because if a reader user accesses Futon he can see the names of all my databases and how many documents there are. My application should let a reader access a document only if he has its ID.
Quoting CouchDB's homepage:
You can even serve web apps directly out of CouchDB.
You can disable the Futon interface by opening default.ini from Program Files (x86)\Apache Software Foundation\CouchDB\etc\couchdb and commenting out the following line by putting a semicolon in front of it:
;_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "../share/couchdb/www"}
You can find this line under the [httpd_global_handlers] header. This will completely disable the _utils handler and effectively disable Futon. You can re-enable it by uncommenting this line.
If you are serving an app directly out of Couch there are other handlers you may want to disable as well like the _all_dbs handler. This and other handlers can be found under the [httpd_global_handlers] section or the [httpd_db_handlers] section.
Even if you block Futon, people will be able to find the list of databases using the CouchDB API. I think the right solution is to put a webserver in front of CouchDB and expose only what you need.
You can go with any webserver, but if you want a JavaScript-focused approach then use Node.js: http://nodejs.org/
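The front-end approach from the last answer, as an added example (not code from any of the original posters): a Node.js proxy that forwards only GET/HEAD requests for a single document by ID and refuses Futon (_utils), _all_dbs and every other underscore-prefixed path. The database name appdata, the ports and the helper names are assumptions, and CouchDB is assumed to listen on loopback only.

```javascript
// Added example: allowlisting reverse proxy in front of CouchDB.
const http = require('http');

// Assumptions: CouchDB is bound to loopback; 'appdata' is a hypothetical database name.
const UPSTREAM = { host: '127.0.0.1', port: 5984 };
const PUBLIC_DBS = new Set(['appdata']);

// Returns the normalized upstream path for a permitted request, or null.
// Only GET/HEAD of /<db>/<docid> passes; anything starting with "_"
// (_utils, _all_dbs, _all_docs, _design/..., _changes) is refused.
function allowedPath(method, rawUrl) {
  if (method !== 'GET' && method !== 'HEAD') return null;
  const path = rawUrl.split('?')[0];            // query parameters are dropped
  const parts = path.split('/');
  if (parts.length !== 3 || parts[0] !== '') return null;
  let db, id;
  try {
    db = decodeURIComponent(parts[1]);
    id = decodeURIComponent(parts[2]);
  } catch (e) {
    return null;                                // malformed percent-encoding
  }
  if (!PUBLIC_DBS.has(db)) return null;
  // Conservative: also refuses IDs starting with "." so "." and ".." never reach CouchDB.
  if (id === '' || /^[._]/.test(id) || id.includes('/')) return null;
  return '/' + encodeURIComponent(db) + '/' + encodeURIComponent(id);
}

function startProxy(port) {
  return http.createServer((req, res) => {
    const path = allowedPath(req.method, req.url);
    if (path === null) {
      res.writeHead(404, { 'Content-Type': 'application/json' });
      return res.end('{"error":"not_found"}');
    }
    const up = http.request({ ...UPSTREAM, method: req.method, path }, (upRes) => {
      res.writeHead(upRes.statusCode, { 'Content-Type': 'application/json' });
      upRes.pipe(res);
    });
    up.on('error', () => { res.writeHead(502); res.end(); });
    up.end();
  }).listen(port);
}

// Starts only when PROXY_PORT is set, e.g. PROXY_PORT=8080 node proxy.js
if (process.env.PROXY_PORT) startProxy(Number(process.env.PROXY_PORT));
```

Client headers are not forwarded, so documents are fetched with whatever access CouchDB grants an unauthenticated request from loopback.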