The standard answer is that exposing the API is a REALLY bad idea. To start from, you can issue the delete commands through the API. And they can be escaped in multiple different ways.
Plus, you have admin UI there as well to manipulate the cores as well as to see the configuration files for them. So, usually, the middleware is the answer, just like with a database. Most recent (5.3!) version of Solr added some authentication, but that's still not something you could use from a public web page, as that would imply hard-coding password. You could possibly make index read-only, lock down filesystem, etc. But that's a lot of effort and logistics. Regards, Alex. ---- Solr Analyzers, Tokenizers, Filters, URPs and even a newsletter: http://www.solr-start.com/ On 25 August 2015 at 09:29, Dmitry Savenko <d...@dsavenko.com> wrote: > Hello, > > I plan to expose Solr search REST API to the world, so it can be called > from my web page directly, without additional server layer. I'm > concerned about bots, so I plan to add CAPTCHA to my page. Surely, I'd > like to do it with as little effort as possible. Does Solr provide > CAPTCHA support out of the box or via some plugins? I've searched the > docs and haven't found any mentions of it. > > Or, maybe, exposing the API is an extremely bad idea, and I should have > a middle layer on the server side? > > Any help would be much appreciated! > > Best regards, Dmitry.
