I am using SG version 2.5 in my company internally. The SG is in the DMZ and providing a public WebSocket over the internet for the mobile devices. The public admin api is available for other BE services.
My security officer asked me if the SG public admin API requires authentication? according to this: https://docs.couchbase.com/sync-gateway/current/admin-rest-api.html there is no authentication in the public admin api.
My security officer has concerns! cause if someone knows the endpunkt he can simply use the public admin api internally
Is there a way to secure the access to SG? what are the best practices here?