Given that OrientDB exposes a REST HTTP API, and that it seems to have quite a few security features, what are the (especially security) implications of querying OrientDB directly from a front-end web application, without writing and using an intermediary back-end between them?

What possible measures (like record access management, HTTPS, authentication configuration etc) will improve security and, after implementing them, what risks remain?

DJakarta

1 Answer

I have no idea and I'm really just answering off-the-cuff.

Just because something has an HTTP(s) API doesn't mean you should just throw it open to the web, there's still plenty of internally facing uses for such an API.

The most obvious security implications are that:

  • There is no defense in depth; you are putting all your faith in the database (its vendor, their QA practices, your configuration, etc.) to be 100% secure.
  • You have limited/no way of throttling use or protecting against DDoS (I am assuming here it doesn't have any in-built features that protect against that, and I'd be a little skeptical as to the effectiveness if it says it does).
  • I also wonder if data leakage is a concern.
  • Not security related, but you'd need to consider SDLC considerations like API versioning, coupling between the front-ends and the database, etc.
Adrian K