> CouchDB has no way of blocking requests to _changes that have no filter parameter

Why? _rewrite handler is used to allow only requests complying with your api, and therefore preventing requests to changes without a filter. You can have a look at the rewrites.json file for this.

I agree proxy is a best practice as a load balancer and to forward only requests to allowed vhosts, like Smileupps, Iriscouch or Cloudant all are doing, even if it's not strictly mandatory for security.

Anyway, I was not interested here, in raising this kind of technical discussion. My starting e-mail only wanted to be constructive, by proposing a way to push content around CouchDB and Couchapps, to help everyone understand what they really can and cannot do.

2015-05-05 15:21 GMT+02:00 Jan Lehnardt <j...@apache.org>:

>
> > On 05 May 2015, at 15:14, Giovanni Lenzi <g.le...@smileupps.com> wrote:
> >
> >> That happens in a proxy outside of CouchDB then?
> >
> > No, it happens in the changes filter of the design document.
>
> You cannot force a client to use a filter. CouchDB has no way of blocking
> requests to _changes that have no filter parameter. If you are not doing
> that in a proxy, your system is not secure.
>
> Best
> Jan
> --
> Professional Support for Apache CouchDB:
> http://www.neighbourhood.ie/couchdb-support/
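
The proxy-side check described in the quoted message (refusing `_changes` requests that carry no filter parameter), sketched as an added example that is not part of the original thread or of CouchDB itself. The allowlist, the `app` database and the `app/by_owner` filter name are hypothetical, and admitting only GET is a choice made for this example.

```javascript
// Added example: proxy-side policy check for CouchDB /{db}/_changes requests.
// ALLOWED_FILTERS, the "app" database and "app/by_owner" are hypothetical names.
const ALLOWED_FILTERS = new Set(['app/by_owner']);

// Returns 'allow', 'deny', or 'skip' (not a _changes request; other proxy
// rules decide). rawUrl is the request target as received by the proxy.
function changesPolicy(method, rawUrl) {
  let url;
  let segments;
  try {
    // The base is only needed so that a relative request target parses.
    url = new URL(rawUrl, 'http://proxy.invalid');
    // Decode every segment so "%5Fchanges" is recognised as "_changes";
    // empty segments ("//", trailing "/") are dropped before matching.
    segments = url.pathname.split('/').filter(Boolean).map(decodeURIComponent);
  } catch (err) {
    return 'deny'; // malformed target or invalid percent-encoding
  }
  if (segments.length !== 2 || segments[1] !== '_changes') {
    return 'skip';
  }
  // This example only admits GET; other methods on _changes are refused.
  if (method.toUpperCase() !== 'GET') {
    return 'deny';
  }
  // Exactly one filter parameter, and it must be on the allowlist. This also
  // rejects built-in filters such as _doc_ids unless they are listed.
  const filters = url.searchParams.getAll('filter');
  if (filters.length !== 1 || !ALLOWED_FILTERS.has(filters[0])) {
    return 'deny';
  }
  return 'allow';
}

// Constructed sample requests, for illustration only.
const SAMPLE_REQUESTS = [
  ['GET', '/app/_changes?filter=app/by_owner&owner=alice'],
  ['GET', '/app/_changes?feed=continuous'],
  ['GET', '/app/%5Fchanges'],
  ['GET', '/app/_changes?filter=app/by_owner&filter=other/all'],
  ['GET', '/app/doc1'],
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map(([method, target]) => changesPolicy(method, target));
}
```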