I'm learning about Elastic App Search. So far I have only used Elasticsearch. Elastic provides frontend UI clients which connect directly to Elastic App Search (https://docs.elastic.co/search-ui/overview).
So far my view has been that databases should never be exposed publicly, but Elastic Search UI is doing exactly that. With Search UI, a read-only key is created which is used by the client. This key protects against manipulating data. However, the user is still able to exploit the DB by doing random queries and overloading the App Search Engine. Is it better to have an API layer between the client and Elastic App Search?