So one can secure the Sync REST APIs but how do I secure the Admin REST APIs?
Sync REST APIs are managed by the client where clients have logins but the Admin REST API must also be protected.
Currently the Sync Gateway REST Admin APIs are only reachable on localhost since it would be dangerous to have them open. The way to go here is to tunnel all requests via a VPN / SSH if you need external access.
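As an added example (not code from the thread or from Sync Gateway itself), here is a small POSIX shell check that verifies the admin port is bound only to loopback on the gateway host, plus the SSH local forward an operator would use instead of exposing it. It assumes admin port 4985 (Sync Gateway's default) and `ss -ltn` style listener output; the sample listener lines and the host name are constructed.

```shell
#!/bin/sh
# Added example: confirm the Sync Gateway admin port listens on loopback only,
# and build the SSH tunnel used for remote access instead of opening the port.
# Assumption: 4985 is the admin port (Sync Gateway default); override via env.
ADMIN_PORT="${ADMIN_PORT:-4985}"

# admin_bind_is_local PORT
# Reads `ss -ltn`-style lines on stdin. Returns 0 if every listener on PORT is
# bound to a loopback address, 1 if any listener on PORT is on a wider address.
admin_bind_is_local() {
  port="$1"
  bad=0
  while read -r _state _recvq _sendq laddr _peer _rest; do
    # laddr looks like 127.0.0.1:4985, 0.0.0.0:4985, *:4985 or [::1]:4985
    p="${laddr##*:}"
    [ "$p" = "$port" ] || continue        # skips header and other ports
    addr="${laddr%:*}"
    case "$addr" in
      127.0.0.1|'[::1]') ;;               # loopback only: as intended
      *) bad=1 ;;                         # any other address: exposed
    esac
  done
  return $bad
}

# tunnel_cmd HOST [LOCAL_PORT]
# Prints the SSH local forward that reaches the remote loopback listener;
# the admin port itself never needs to be opened on a public interface.
tunnel_cmd() {
  printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "${2:-$ADMIN_PORT}" "$ADMIN_PORT" "$1"
}

# Constructed samples of `ss -ltn` output: a correct host and an exposed one.
SAMPLE_SAFE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:4984 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4985 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:4985 0.0.0.0:*'

# check_sample LISTENER_LINES -> prints "local" or "exposed"
check_sample() {
  if printf '%s\n' "$1" | admin_bind_is_local "$ADMIN_PORT"; then
    echo local
  else
    echo exposed
  fi
}

echo "safe host:    $(check_sample "$SAMPLE_SAFE")"
echo "exposed host: $(check_sample "$SAMPLE_EXPOSED")"
echo "remote access: $(tunnel_cmd gw.example.com)"   # placeholder host
# On a real gateway host: ss -ltn | admin_bind_is_local "$ADMIN_PORT" && echo ok
```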
There really needs to be some form of authentication on this interface.
Allowing anyone with local access (legit or otherwise) to execute user/server management commands against an unauthenticated open local port creates unnecessary exposure.