author: defanor <defanor@uberspace.net> 2019-01-09 22:19:07 +0300
committer: defanor <defanor@uberspace.net> 2019-01-09 22:19:07 +0300
commit: d85046a9f6c251a3b7d46100f054a2fee4b01375 (patch)
tree: b3a3a43b2ae3af7fb7ed3f5ece64757eba5eed3d
parent: 1b3ea5d48e049c595f90eb8b9fb11f8149927519 (diff)
download: pgxhtml-d85046a9f6c251a3b7d46100f054a2fee4b01375.zip, pgxhtml-d85046a9f6c251a3b7d46100f054a2fee4b01375.tar.gz, pgxhtml-d85046a9f6c251a3b7d46100f054a2fee4b01375.tar.bz2
Update README
Add a security checklist, link automatic-api.
-rw-r--r--  README.md  28
1 file changed, 24 insertions, 4 deletions
diff --git a/README.md b/README.md
index 7770552..2a67dbd 100644
--- a/README.md
+++ b/README.md
@@ -16,8 +16,8 @@ Request timeouts are enforced and do cancel DB queries, but otherwise
it relies on PostgreSQL for access permissions and security policies,
as well as for any business logic that may be needed.
-It is based on WAI, and can be used with CGI, socket activation, Unix
-domain sockets, or as a standalone HTTP server.
+It is based on WAI, and can be used with (S,Fast)CGI, or various other
+methods.
## Usage
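Review bot: The new wording "(S,Fast)CGI, or various other methods" is vaguer than the two lines it replaces, which named socket activation, Unix domain sockets and standalone HTTP operation; a reader choosing how to deploy pgxhtml loses that information. Suggest keeping the enumeration and spelling the acronyms out, e.g. "It is based on WAI, and can be used with CGI, SCGI or FastCGI, with socket activation, over Unix domain sockets, or as a standalone HTTP server." If some of those modes were actually dropped, the commit message should say so, since it only mentions the checklist and the automatic-api link.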
@@ -74,8 +74,28 @@ This is intended to be used with an HTTP server, which would take care
of encryption, compression, static files, redirects, and so on, while
pgxhtml only focuses on providing a web interface to a database.
+### Security checklist
+
+- Regular privileges (see
+ [GRANT](https://www.postgresql.org/docs/current/sql-grant.html))
+ should be set appropriately.
+
+- [Row Security
+ Policies](https://www.postgresql.org/docs/current/ddl-rowsecurity.html)
+ should be defined and enabled.
+
+- [Constraints](https://www.postgresql.org/docs/current/ddl-constraints.html)
+ are useful for data validation.
+
+- [REVOKE CREATE ON SCHEMA public FROM
+ PUBLIC](https://www.postgresql.org/docs/current/ddl-schemas.html)
+ would likely be desired (perhaps granting `CREATE` just to the
+ database owner/administrators).
## See also
-[PostgREST](http://postgrest.org/), "a standalone web server that
-turns your PostgreSQL database directly into a RESTful API".
+- [PostgREST](http://postgrest.org/), "a standalone web server that
+ turns your PostgreSQL database directly into a RESTful API".
+
+- [automatic-api](https://github.com/dbohdan/automatic-api/), a list
+ of tools for automatic HTTP-based API generation.
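Review bot: The first checklist item ("Regular privileges ... should be set appropriately") does not say for which role or what "appropriately" means, and it is the item readers most need spelled out, since the README states that access control is left entirely to PostgreSQL. Suggest making it concrete: "The role pgxhtml connects as should be granted only the SELECT/INSERT/UPDATE/DELETE it needs on the tables it serves, and should not own them." The ownership point also bears on the second item: row security is enabled per table, but policies are not applied to the table's owner unless FORCE ROW LEVEL SECURITY is set, and superusers and BYPASSRLS roles skip them entirely, so "defined and enabled" alone can be insufficient. Minor: the fourth item's link text reads as a command but points at the Schemas chapter; "REVOKE CREATE ON SCHEMA public FROM PUBLIC (see Schemas)" would make clear the link is documentation rather than a reference for that exact statement.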