Sync server security

khayes · September 19, 2014, 4:30pm

I was wondering how to hide the sync server header information as a security precaution.

Thanks Much

So a basic get to port 4984 reveals

Response Header

Content-Type: application/json
Content-Length: 119
Server: Couchbase Sync Gateway/1.0
Date: Fri, 19 Sep 2014 16:15:32 GMT

Response Body

{
“vendor” : {
“version” : “1.0”,
“name” : “Couchbase Sync Gateway”
},
“couchdb” : “Welcome”,
“version” : “Couchbase Sync Gateway/1.0”
}

Mr_Yellow · September 24, 2014, 12:22am

Security in the NoSQL world is an after-thought. Most of the interfaces don’t even have authentication or encryption. Chances are you have no ability to change this banner. Best to submit a ticket to have this hole redesigned/closed.

jens · October 3, 2014, 4:02pm

Hi — I didn’t see this question until now because you posted it under “Other” instead of “Couchbase Mobile”. If you have other questions about the Sync Gateway please post them in the Mobile category so we’ll see them.

The direct answer is that you can put the Sync Gateway behind a proxy like nginx or Apache and configure the proxy to suppress or alter headers. Just don’t hide the “Server” header, as the client uses that header to detect whether it’s talking to a Sync Gateway (as opposed to CouchDB or Cloudant) and can use some sync protocol extensions to improve performance.

At a higher level, I’m curious which headers you want to hide and why you see them as security holes?

—Jens

jens · October 3, 2014, 4:05pm

This sounds like a vague generalization about an entire technology category, not a useful answer. If you have any specific points about the security of the Sync Gateway, please let us know in detail; we take security quite seriously.

The Sync Gateway’s APIs are definitely security-conscious, since part of its job is to act as a gatekeeper between the outside world and Couchbase Server. The public APIs all require authentication (unless you’ve explicitly enabled the Guest account.) The admin APIs run on a separate port that’s by default bound only to the loopback interface, so it would take explicit action (not an accident) to expose them.

As for encryption, the Gateway has native support for SSL, or can of course easily be placed behind a proxy that adds SSL. It also uses the secure bcrypt procedure to hash passwords.

—Jens