Closed
Description
Zotero server implementation only accepts requests from 127.0.0.1 and localhost hosts. This should prevent access from the outside of the local machine.
Original browser connector endpoints provide mostly write-only functionality and thus might do well without auth on the API endpoints.
ZotServer endpoints provide wider access to the database and could be considered more risky to run.
As of now, ZotServer does not provide auth functionality on the endpoints.
Current thinking is:
- Zotero server implementation is currently accessible from the local machine only
- Local applications that intend to get read access to the database could do so by reading directly from the SQLite database, so API authentication will not prevent unauthorized access
Your thoughts on the topic in this thread are highly appreciated!
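One way to express the loopback-only restriction described in the issue above, as an added example that is not part of the original post and is not Zotero's or ZotServer's code. It assumes the restriction is applied to both the TCP peer address and the Host header; all function names, the port and the sample requests are hypothetical.

```javascript
// Added example: loopback-only request gate (hypothetical names, not project code).
// The two hosts named in the issue; anything else, IPv6 literals included, is rejected.
const ALLOWED_HOSTNAMES = new Set(['127.0.0.1', 'localhost']);

// Return the lower-cased hostname from a Host header value, without the
// optional :port, or null when the value is missing or malformed.
function hostnameFromHostHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const m = /^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$/.exec(hostHeader.trim());
  return m ? m[1].toLowerCase() : null;
}

// True when the TCP peer is the IPv4 loopback address, either plain or in the
// IPv4-mapped form a dual-stack socket reports.
function isLoopbackPeer(remoteAddress) {
  return remoteAddress === '127.0.0.1' || remoteAddress === '::ffff:127.0.0.1';
}

// Decide whether a request is served. Both checks must pass: the connection
// comes from this machine, and the client addressed the server by an allowed
// name (exact match, so "localhost.example.test" does not count as localhost).
function acceptRequest(remoteAddress, headers) {
  if (!isLoopbackPeer(remoteAddress)) {
    return { ok: false, reason: 'peer-not-loopback' };
  }
  const hostname = hostnameFromHostHeader(headers.host);
  if (hostname === null || !ALLOWED_HOSTNAMES.has(hostname)) {
    return { ok: false, reason: 'host-not-allowed' };
  }
  return { ok: true, reason: 'loopback' };
}

// Constructed sample requests (port 8080 is a placeholder).
function checkSamples() {
  const samples = [
    ['127.0.0.1', { host: '127.0.0.1:8080' }],
    ['::ffff:127.0.0.1', { host: 'LOCALHOST' }],
    ['192.0.2.10', { host: 'localhost:8080' }],
    ['127.0.0.1', { host: 'localhost.example.test:8080' }],
    ['127.0.0.1', {}],
  ];
  return samples.map(([peer, headers]) => acceptRequest(peer, headers).reason);
}

console.log(checkSamples());
```

This gate only separates local from remote callers; as the issue notes, it does not distinguish between processes on the same machine.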