Security: Securing mountebank against remote execution attacks
mountebank is programmable through injection. This makes
the tool very extensible and flexible, but it should only be used with an understanding of the
security implications. When you enable the --allowInjection
flag, you aren't just giving yourself the ability to extend mountebank: you're also potentially enabling
attackers remote execution capabilities on your machine.
mountebank highly recommends you take the following approaches to securing your environment if you
require --allowInjection:

- Run mb as an unprivileged user.
- Use the --localOnly flag to only accept requests from localhost. There's no reason not to do this when running directly (e.g., not inside Docker or a VM) on your local developer machine.
- If you cannot use --localOnly, use the --ipWhitelist flag to restrict which source IP addresses are accepted.
- Run mb in a Docker environment or under a chroot operation to prevent access to the full filesystem.

The most secure option, of course, is to simply not use the --allowInjection flag.
If there are common operations you find yourself using injection for, feel free to suggest those operations
as core features in a future release of mountebank.
By default, CORS is disabled to prevent CSRF attacks. To enable, you must explicitly pass safe origins
on the command line using the --origin flag.
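The following script is an added example, not part of the mountebank documentation or project code. It covers both the hardening list above and the CORS paragraph: it composes an mb command line from the flags this page names (--allowInjection, --localOnly, --ipWhitelist, --origin), refuses the one combination the page warns about (injection enabled on a listener anyone on the network can reach), and shows the equivalent invocation inside a container running as an unprivileged user with a read-only filesystem. The whitelist address and origins are constructed samples, the uid and image name are placeholders, 2525 is mountebank's default port, and passing --origin once per allowed origin is an assumption.

```shell
#!/bin/sh
# Added example (not mountebank's own code): build a hardened `mb` command
# line and reject --allowInjection without a network restriction.

# Policy: returns 0 when the flag combination is acceptable, 1 otherwise.
# $1 allow_injection (yes|no)  $2 local_only (yes|no)  $3 ip_whitelist ('' = none)
mb_policy_check() {
    if [ "$1" = "yes" ] && [ "$2" != "yes" ] && [ -z "$3" ]; then
        echo "refusing: --allowInjection without --localOnly or --ipWhitelist" >&2
        return 1
    fi
    return 0
}

# Raw argument builder, no policy applied.
# $1 allow_injection  $2 local_only  $3 ip_whitelist
# $4 comma-separated CORS origins ('' keeps CORS disabled, the default)
mb_flags() {
    args="mb"
    if [ "$1" = "yes" ]; then args="$args --allowInjection"; fi
    if [ "$2" = "yes" ]; then args="$args --localOnly"; fi
    if [ -n "$3" ]; then args="$args --ipWhitelist $3"; fi
    if [ -n "$4" ]; then
        # Assumption: one --origin per allowed origin.
        old_ifs=$IFS; IFS=','
        for origin in $4; do args="$args --origin $origin"; done
        IFS=$old_ifs
    fi
    echo "$args"
}

# Policy-checked builder: prints the argument list, or nothing on rejection.
mb_args() {
    mb_policy_check "$1" "$2" "$3" || return 1
    mb_flags "$1" "$2" "$3" "$4"
}

# Containerised variant: unprivileged uid (placeholder 1000), read-only root
# filesystem, and the port published only on the host's loopback interface.
# --localOnly is left off inside the container, because traffic arriving
# through a published port does not come from the container's own loopback
# address; the host-side 127.0.0.1 binding provides the equivalent restriction.
# $1 allow_injection  $2 ip_whitelist  $3 origins
mb_docker_cmd() {
    echo "docker run --rm --user 1000:1000 --read-only -p 127.0.0.1:2525:2525 IMAGE_PLACEHOLDER $(mb_flags "$1" no "$2" "$3")"
}

# Stand-alone demonstration: the unsafe combination is rejected, the rest print.
if ! mb_args yes no '' ''; then echo "(rejected as expected)"; fi
mb_args yes yes '' ''
mb_args yes no 192.168.1.20 ''
mb_args no no '' 'http://localhost:3000,http://localhost:8080'
mb_docker_cmd yes '' 'http://localhost:3000'
```

The policy function is the part worth keeping: wire it into whatever starts mb (a Makefile target, a CI job, a Docker entrypoint) so that --allowInjection can only ever be turned on together with --localOnly or --ipWhitelist, and CORS origins have to be listed explicitly rather than defaulting to open.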