mountebank - over the wire test doubles

Security

mountebank is programmable through injection. This makes the tool very extensible and flexible, but it should only be used with an understanding of the security implications. When you enable the --allowInjection flag, you aren't just giving yourself the ability to extend mountebank: you're also potentially giving attackers the ability to execute code remotely on your machine.

mountebank highly recommends you take the following approaches to securing your environment if you require --allowInjection:

The most secure option, of course, is to simply not use the --allowInjection flag. If there are common operations you find yourself using injection for, feel free to suggest those operations as core features in a future release of mountebank.

By default, CORS is disabled to prevent CSRF attacks. To enable it, you must explicitly pass the trusted origins on the command line using the --origin flag.
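The two settings above can be checked from outside the process. The following is an added example, not mountebank's own code: it assumes that GET /config on a running instance returns JSON whose "options" object mirrors the command-line flags (allowInjection, origin), and it models the default-deny origin allowlist that --origin configures. The sample /config body and the origin values are constructed for the example.

```python
"""Audit a mountebank instance's start-up options and model the --origin
allowlist. Added example, not part of mountebank; it assumes GET /config on a
running instance returns JSON whose "options" object mirrors the command-line
flags (allowInjection, origin). The sample document below is constructed."""
import json
from typing import Iterable, List, Optional

# Constructed stand-in for the body of GET http://localhost:2525/config.
SAMPLE_CONFIG = json.dumps({
    "version": "x.y.z",  # placeholder
    "options": {"port": 2525, "allowInjection": True,
                "origin": ["http://localhost:3000"]},
})


def audit_options(config_json: str) -> List[str]:
    """Return findings about risky start-up options in a /config document."""
    options = json.loads(config_json).get("options", {})
    findings = []
    if options.get("allowInjection"):
        findings.append("allowInjection is on: anyone who can reach the API "
                        "port can execute code inside the mb process")
    origins = options.get("origin") or []
    if isinstance(origins, str):       # a single --origin value (assumed shape)
        origins = [origins]
    if "*" in origins:
        findings.append("origin list contains '*': every site may call the "
                        "API cross-origin, defeating the CSRF protection")
    return findings


def cors_allow_origin(request_origin: str,
                      configured_origins: Iterable[str]) -> Optional[str]:
    """Value to send in Access-Control-Allow-Origin, or None to send nothing.

    Models the default-deny behaviour the text describes: with no configured
    origins (the default) no header is emitted, so a browser refuses to let a
    page on another site complete a cross-origin API call. Only an exact match
    is echoed back; a wildcard is never emitted by this model.
    """
    for allowed in configured_origins:
        if allowed != "*" and allowed == request_origin:
            return allowed
    return None


if __name__ == "__main__":
    for finding in audit_options(SAMPLE_CONFIG) or ["no risky options found"]:
        print("-", finding)
    print(cors_allow_origin("http://localhost:3000", ["http://localhost:3000"]))
```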