> On 3. Jul 2020, at 08:53, Sebastien <lechtit...@gmail.com> wrote:
> 
> Given that CouchDB exposes its functionality over HTTP through a RESTful
> API, IMHO it should allow defining such important HTTP headers for
> security directly.

This is a fair point and a patch/PR to that effect is going to be
uncontroversial.

> Only being able to rely on additional infrastructure to secure the system
> is problematic. Indeed many production deployments will have such
> infrastructure in place, but it will not always be the case. Even if it is,
> then it would also require mTLS to ensure a good level of security.
> Moreover, SSL termination is indeed one way, but it's based on the "old
> way", considering internal traffic as trusted, which is not in line with
> current security practices. Defense in depth also considers internal
> traffic as requiring secure communications.

CouchDB does support native TLS.

Best
Jan
—

> 
> kr,
> Sébastien
> 
> On Thu, Jul 2, 2020 at 7:17 PM Joan Touzet <woh...@apache.org> wrote:
> 
>> Best option: use a reverse proxy like haproxy or nginx to inject these.
>> You can also terminate SSL at this layer for better SSL support and
>> performance.
>> 
>> -Joan
>> 
>> On 02/07/2020 05:01, Mody, Darshan Arvindkumar (Darshan) wrote:
>>> Hi
>>> 
>>> In our project we would like to set the header X-Content-Type-Options
>>> and strict-transport-security whenever CouchDB responds to a request
>>> 
>>> How can we set the headers?
>>> 
>>> Thanks in advance
>>> 
>>> Regards
>>> Darshan
>>> 
>> 
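A minimal nginx configuration that does what Joan suggests (terminate TLS in front of CouchDB and inject the two headers Darshan asked about), given here as an added example that is not part of the thread; the hostname, certificate paths and the CouchDB upstream address are assumptions.

```nginx
# Added example, not from the thread: nginx as a TLS-terminating reverse proxy
# in front of CouchDB, injecting X-Content-Type-Options and
# Strict-Transport-Security into every response. Hostname, certificate paths
# and the upstream address below are placeholders for your deployment.
upstream couchdb {
    server 127.0.0.1:5984;   # CouchDB's default HTTP port, reachable only locally
}

server {
    listen 80;
    server_name couch.example.com;
    return 301 https://$host$request_uri;   # never serve the API over plain HTTP
}

server {
    listen 443 ssl;
    server_name couch.example.com;

    ssl_certificate     /etc/nginx/tls/couch.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/couch.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # "always" makes nginx add the headers on 4xx/5xx responses as well,
    # not only on 2xx/3xx (the default behaviour of add_header).
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://couchdb;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Caveat: add_header is inherited from the server block only if this
        # location defines no add_header of its own. If you add one here,
        # repeat the two security headers in this block too.

        # If CouchDB is ever configured to emit these headers itself, hide its
        # copies so the client sees exactly one value for each.
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header Strict-Transport-Security;
    }
}
```

After reloading nginx, `curl -sI https://couch.example.com/` should show both headers on the response, including on an error status such as a 404 for a missing database.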
