PouchDB security
3

What's the best security practice to follow while using PouchDB on the client-side to access a remote server?

The example on https://pouchdb.com/getting-started.html syncs with the remote server with the code:

var remoteCouch = 'http://user:[email protected]/todos';

The problem is I probably don't want the user to see the plaintext password in a file they can download -- even if that file is shown only to authenticated users.

Please advise. Thanks in advance,

Revolutionary answered 14/12, 2016 at 7:26 Comment(0)
8

Here's a really good article regarding all things auth for CouchDB.

I've got a production server with CouchDB configured to use HTTP over localhost but external requests require HTTPS redirected via stunnel to CouchDB.

On the client I use PouchDB to maintain a local, replicated db. As part of the handshake to establish communication with CouchDB over HTTPS, the software acquires CouchDB credentials from another server - the credentials are never stored client side.

pouchdb-authentication is a good plugin, but I've found it better to handle auth personally.

Dorn answered 29/12, 2016 at 5:53 Comment(0)
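The pattern Dorn describes (credentials obtained at runtime from another server, never shipped in the page) as an added example, not code from the question, the answers or the PouchDB project. It assumes a hypothetical backend endpoint that issues a short-lived bearer token which CouchDB (or a proxy in front of it) accepts; hostnames are constructed placeholders.

```javascript
// Keep CouchDB credentials out of the shipped JavaScript: validate the sync URL,
// obtain a short-lived token from the app's own backend at runtime, and attach it
// per request through PouchDB's `fetch` option instead of a user:pass@ URL.

// Reject sync URLs that embed credentials (user:pass@host) or use cleartext HTTP
// anywhere other than the loopback interface (Dorn's HTTP-over-localhost setup).
function validateRemoteUrl(remote) {
  const url = new URL(remote);
  if (url.username || url.password) {
    throw new Error('remote URL must not embed credentials');
  }
  const loopback = ['localhost', '127.0.0.1', '[::1]'].includes(url.hostname);
  if (url.protocol !== 'https:' && !(url.protocol === 'http:' && loopback)) {
    throw new Error('remote URL must use HTTPS (cleartext HTTP only on loopback)');
  }
  return url.href;
}

// Wrap a fetch implementation so every CouchDB request carries the session token
// in an Authorization header. The token lives only in memory for this session.
function makeAuthedFetch(token, baseFetch) {
  return function authedFetch(url, opts = {}) {
    const headers = opts.headers && typeof opts.headers.set === 'function'
      ? opts.headers                      // Headers instance (what PouchDB passes)
      : Object.assign({}, opts.headers);  // plain object
    if (typeof headers.set === 'function') headers.set('Authorization', 'Bearer ' + token);
    else headers.Authorization = 'Bearer ' + token;
    return baseFetch(url, Object.assign({}, opts, { headers }));
  };
}

// Obtain a short-lived token from the app's own backend (hypothetical endpoint,
// e.g. https://app.example.com/api/couch-token), which has already authenticated
// the user by its own means. Nothing secret is hard-coded in this file.
async function fetchSessionToken(tokenEndpoint, baseFetch) {
  const res = await baseFetch(tokenEndpoint, { method: 'POST', credentials: 'include' });
  if (!res.ok) throw new Error('token request failed: ' + res.status);
  return (await res.json()).token;
}

// Build what `new PouchDB(opts.url, { fetch: opts.fetch })` needs once the token is in hand.
function buildSyncOptions(remote, token, baseFetch) {
  return { url: validateRemoteUrl(remote), fetch: makeAuthedFetch(token, baseFetch) };
}
```

If the token expires, re-run `fetchSessionToken` and rebuild the options rather than caching the token in localStorage.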
2

Every site user should have his own CouchDB user. As @onno suggests, use HTTPS and the user's login credentials to access CouchDB. Passwords should never be available in client-side JavaScript.

Timelag answered 18/12, 2016 at 3:38 Comment(0)
-1

This depends on your remote server. If you use a CouchDB server, you could configure it to communicate only via SSL (HTTPS), see the docs for details.

If you don't want to expose your CouchDB server directly to the internet, you could also hide it behind a reverse-proxy, e.g. an Apache server with the mod_proxy extension and SSL enabled.

Kellda answered 15/12, 2016 at 16:18 Comment(1)
Using SSL does not help against an attacker who can read the password from the JavaScript source. - Desinence
