A new CouchDB install starts off in 'admin party' mode, where anyone who connects can do anything. This is great for learning about Couch.
The following are the most basic steps you should take to secure your new CouchDB install before using it in production.
- Enable CORS - https://github.com/pouchdb/add-cors-to-couchdb
- Create an admin user via the web interface (http://localhost:5984/_utils) in the bottom right corner
Disable anonymous access (optional)
Optionally, you should also disable anonymous access and require a registered user by setting 'require_valid_user' in local.ini and restarting CouchDB.
Once you have done that, you can add new users by creating documents in the _users database (e.g. via the web interface) with a minimal set of fields (the first part of the _id is a fixed prefix, and the part after it must exactly match the name field):
You can then restrict write access by adding a list of users and/or roles to each database. You can do this via the 'security..' link in the web interface.
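The three steps above (turn on require_valid_user, add a _users document, restrict a database with its security object) can be checked and prepared offline. The following is an added example, not code from the original page or from the CouchDB project: it audits a local.ini for the admin-party and anonymous-access settings, builds a _users document whose _id agrees with its name, and builds the body sent to PUT /<db>/_security. It assumes the documented CouchDB layout: require_valid_user lives in the [couch_httpd_auth] section (1.x/2.x) or [chttpd] (3.x), user documents use the org.couchdb.user: prefix with name, type, roles and password fields, and the security object has admins and members, each with names and roles. The ini text, user names and database name are constructed for the example.

```python
"""Audit CouchDB access settings and build the documents that lock a database down.

Added example, not from the original page. Section and field names follow the
CouchDB documentation; the ini samples below are constructed for illustration.
"""
import configparser
import json

USER_ID_PREFIX = "org.couchdb.user:"

# Constructed sample: a fresh install, no admin defined, anonymous access allowed.
ADMIN_PARTY_INI = """
[admins]

[couch_httpd_auth]
"""

# Constructed sample: an admin defined and require_valid_user switched on.
# The password hash value is a placeholder, not a real CouchDB hash.
HARDENED_INI = """
[admins]
admin = -pbkdf2-<hash placeholder>

[couch_httpd_auth]
require_valid_user = true
"""


def audit_local_ini(ini_text):
    """Return a list of findings (empty when both basic checks pass)."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    # No entry under [admins] means every connection is an admin ('admin party').
    if not cfg.has_section("admins") or not cfg.options("admins"):
        findings.append("admin party: no admin user in [admins]")
    # require_valid_user may sit in [couch_httpd_auth] (1.x/2.x) or [chttpd] (3.x).
    enabled = any(
        cfg.has_option(sec, "require_valid_user")
        and cfg.getboolean(sec, "require_valid_user")
        for sec in ("couch_httpd_auth", "chttpd")
    )
    if not enabled:
        findings.append("anonymous access: require_valid_user is not true")
    return findings


def make_user_doc(name, password, roles=()):
    """Build a minimal _users document; CouchDB hashes 'password' when it is saved."""
    if not name:
        raise ValueError("user name must be non-empty")
    return {
        "_id": USER_ID_PREFIX + name,  # fixed prefix followed by the exact name
        "name": name,
        "type": "user",
        "roles": list(roles),
        "password": password,
    }


def user_doc_is_consistent(doc):
    """The _id must be the fixed prefix followed by exactly the 'name' field."""
    doc_id = doc.get("_id", "")
    return (
        doc_id.startswith(USER_ID_PREFIX)
        and doc_id[len(USER_ID_PREFIX):] == doc.get("name")
        and doc.get("type") == "user"
    )


def make_security_doc(admin_names=(), admin_roles=(), member_names=(), member_roles=()):
    """Build the body for PUT /<db>/_security.

    Listed admins may change the design documents and the security object;
    listed members (and admins) may read and write ordinary documents.
    """
    return {
        "admins": {"names": list(admin_names), "roles": list(admin_roles)},
        "members": {"names": list(member_names), "roles": list(member_roles)},
    }


def security_doc_is_open(sec):
    """True when no member restriction exists, i.e. any authenticated user may read and write."""
    members = sec.get("members", {})
    return not members.get("names") and not members.get("roles")


if __name__ == "__main__":
    print("admin-party config:", audit_local_ini(ADMIN_PARTY_INI))
    print("hardened config:   ", audit_local_ini(HARDENED_INI))
    doc = make_user_doc("alice", "correct horse battery staple", roles=["editor"])
    print("PUT /_users/%s" % doc["_id"], json.dumps(doc), user_doc_is_consistent(doc))
    sec = make_security_doc(admin_names=["alice"], member_roles=["editor"])
    print("PUT /mydb/_security", json.dumps(sec), "open:", security_doc_is_open(sec))
```

The audit treats a missing [admins] entry and a missing or false require_valid_user as separate findings, because fixing one without the other still leaves either admin party or anonymous reads in place. An empty members object in the security document is flagged as open: after require_valid_user is on, any registered user can still read and write such a database until names or roles are listed there.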