How to stop non-admin users from viewing your CouchDB database through Futon?

Question

The question is straightforward: How can I stop non-admin users from reading my CouchDB database from Futon?

The answer here Couchdb - Block futon for readers users saying that even though it's possible, people can still find the way to fetch the database.

What concerns me is, CouchDB is a database engine, and of course, even though encrypted heavily, there would still be some sort of password storing in the database (where else?). I created admin account for my Futon, and when I open Futon (without logging in), I can still see every single digit of my database. Is that something I need to worry about? Then, isn't CouchDB just a very insecure type of database?

What even more scary is that if the user is not logged in, there will be a 'Sign up' link at the bottom. Like, seriously? After signing up, they act just like admin. What's really up with Futon?

How exactly should I deal with this 'open' type of database? But the first step, how can I stop Futon?

Answer 1

Only the first user to sign up becomes database admin. If you are exposing CouchDB to the public, you are expected to set that up. All subsequent users that sign up are just regular users that can not act like admins. From there you can assign access properties per databases (see Security in Futon’s database view) to make databases private for all, or just some or just one user.

There is also the require_valid_user option, that requires a username and password before anything is accessible.

Answer 2

require_valid_user=true

If you have Fauxton UI access as well, you can login as admin and do that in the config section under couch_httpd_auth.