🥇Features

• A single executable file (written in Go);

• Support for SQLite or DuckDB (more in the future);

• Aligned to SQLite 3.46.1 and DuckDB 1.1.3;

• HTTP/JSON access, with client libraries for convenience;

• Directly call ws4sql on a database (as in the README example), many options available using a YAML companion file;

• [In-memory DBs] are supported (documentation/configuration-file#path);

• Serving of multiple databases in the same server instance;

• Batching of multiple value sets for a single statement;

• Parameters may be passed to statements positionally (lists) or by name (maps);

• Results of queries may be returned as key-value maps, or as values lists;

• All queries of a call are executed in a transaction;

• For each query/statement, specify if a failure should rollback the whole transaction, or the failure is limited to that query [SQLite only];

• "Stored Statements": define SQL in the server, and call it from the client;

• CORS mode, configurable per-db;

• Scheduled tasks, cron-like and/or at startup, also configurable per-db;

• Scheduled tasks can be: backup (with rotation), vacuum and/or a set of SQL statements;

• Provide initialization statements to execute when a DB is created;

• WAL mode enabled by default, can be disabled [SQLite only];

• Embedded web server to directly serve web pages that can access ws4sqlite without CORS;- Quite fast!

• Comprehensive test suite (make test);

• Docker images, for both amd64 and aarch64.

Security Features

• Authentication can be configured

  • on the client, either using HTTP Basic Authentication or specifying the credentials in the request;

  • on the server, either by specifying credentials (also with BCrypt hashed passwords) or providing a query to look them up in the db itself;

  • customizable Not Authorized error code (if 401 is not optimal)

• A database can be opened in read-only mode (only queries will be allowed);

• It's possible to enforce using only stored statements, to avoid some forms of SQL injection and receiving SQL from the client altogether;

• CORS Allowed Origin can be configured and enforced;

• It's possible to bind to a network interface, to limit access.

Some design choices:

• Very thin layer over SQLite/DuckDB. Errors and type translation, for example, are those provided by the respective driver;

• Doesn't include HTTPS, as this can be done easily (and much more securely) with a reverse proxy;

• Doesn't support SQLite extensions, to improve portability; selected extensions for DuckDB are available.