PouchDB security

难免孤独 2020-12-16 16:47

What's the best security practice to follow while using PouchDB on the client-side to access a remote server?

The example on https://pouchdb.com/getting-started.htm

3 Answers
  • 2020-12-16 17:01

    Here's a really good article regarding all things auth for CouchDB.

    I've got a production server with CouchDB configured to use HTTP over localhost but external requests require HTTPS redirected via stunnel to CouchDB.

    On the client I use PouchDB to maintain a local, replicated db. As part of the handshake to establish communication with CouchDB over HTTPS, the software acquires CouchDB credentials from another server - the credentials are never stored client side.

    pouchdb-authentication is a good plugin, but I've found it better to handle auth personally.

  • 2020-12-16 17:14

    This depends on your remote server. If you use a CouchDB server, you could configure it to communicate only via SSL (HTTPS), see the docs for details.

    If you don't want to expose your CouchDB server directly to the internet, you could also hide it behind a reverse-proxy, e.g. an Apache server with the mod_proxy extension and SSL enabled.

  • 2020-12-16 17:24

    Every site user should have his own CouchDB user. As @onno suggests, use HTTPS and the user's login credentials to access CouchDB. Passwords should never be available in client-side JavaScript.

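The advice in the first and third answers (HTTPS only, per-user CouchDB credentials obtained at runtime rather than shipped in the script) can be sketched as follows. This is an added example, not code from any of the answers; `remoteOptions`, `openRemote`, `fetchCreds` and the `couch.example.com` host are hypothetical names, and the PouchDB constructor is passed in so the block runs without the package installed.

```javascript
'use strict';

// Validate the remote URL and build the options for a remote PouchDB handle.
// Rejects anything that would send credentials in clear text or leave them
// in source, logs or browser history.
function remoteOptions(remoteUrl, creds) {
  const url = new URL(remoteUrl);
  if (url.protocol !== 'https:') {
    throw new Error('remote CouchDB must be reached over HTTPS');
  }
  if (url.username || url.password) {
    throw new Error('do not embed credentials in the remote URL');
  }
  if (!creds || !creds.username || !creds.password) {
    throw new Error('per-user CouchDB credentials are required');
  }
  // PouchDB's `auth` option sends these as HTTP Basic auth to the remote.
  return {
    url: url.href,
    options: { auth: { username: creds.username, password: creds.password } },
  };
}

// Obtain the signed-in user's CouchDB credentials at runtime and open the
// remote database. `fetchCreds` is an assumed async function that asks your
// own auth server for them over HTTPS; the result is held in memory only and
// is never written to localStorage or hard-coded in the bundle.
async function openRemote(PouchDBCtor, fetchCreds, remoteUrl) {
  const creds = await fetchCreds();
  const { url, options } = remoteOptions(remoteUrl, creds);
  return new PouchDBCtor(url, options);
}

// Typical use in the browser (constructed names):
//   const remote = await openRemote(PouchDB, getCreds,
//                                   'https://couch.example.com/notes');
//   new PouchDB('notes').sync(remote, { live: true, retry: true });
```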