mountebank is programmable through injection: code that you supply in an imposter's configuration and that mountebank evaluates at runtime. This makes
the tool very extensible and flexible, but it should only be used with an understanding of the
security implications. When you enable the injection flag, you aren't just giving yourself the ability
to extend mountebank: anyone who can reach the mountebank API port can submit code too, so you are
potentially handing attackers remote code execution on your machine.
mountebank highly recommends that you take the following approaches to securing your environment if you enable injection:
- ALWAYS run mb as an unprivileged user, so that injected code runs with as few rights as possible
- If possible, set the --localOnly flag to only accept requests from localhost. There's no reason not to do this when running directly (e.g., not inside Docker or a VM) on your local developer machine.
- Whitelist all IP addresses allowed to connect to mountebank by setting the IP whitelist flag
- Consider using a local OS-level firewall like iptables to limit which hosts can reach the mountebank ports
- Consider running mb in a Docker container or under a chroot to prevent injected code from accessing the full filesystem
The most secure option, of course, is to simply not enable injection at all.
If there are common operations you find yourself using injection for, feel free to suggest those operations
as core features in a future release of mountebank.
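The hardening steps above, folded into a small launcher script. This is an added example, not code from mountebank or its documentation. It assumes mountebank's CLI flags --allowInjection, --localOnly and --ipWhitelist (only --localOnly is named on this page; the other two flag names are taken from `mb --help` and should be verified against your installed version), that --ipWhitelist takes a pipe-delimited address list, and that a dedicated unprivileged account for mountebank already exists. The script refuses two unsafe states: starting as root, and enabling injection without restricting which clients can reach the API port.

```shell
#!/bin/sh
# Added example (not mountebank's own code): a launcher that applies the
# hardening advice above before starting mb.
#
# Assumptions: the flag names --allowInjection, --localOnly and --ipWhitelist
# come from `mb --help` (only --localOnly appears on this page); --ipWhitelist
# is given a pipe-delimited address list; an unprivileged account exists.

# mb_args ALLOW_INJECTION LOCAL_ONLY IP_WHITELIST
#   ALLOW_INJECTION  "yes" or "no"
#   LOCAL_ONLY       "yes" or "no"
#   IP_WHITELIST     pipe-delimited addresses, or empty for none
# Prints the argument list for `mb`. Fails when injection would be enabled
# without --localOnly or an IP whitelist, because an API port that is both
# network-reachable and injectable is remote code execution for anyone who
# can connect to it.
mb_args() {
  allow_injection=$1
  local_only=$2
  ip_whitelist=$3
  args=""

  if [ "$allow_injection" = "yes" ]; then
    if [ "$local_only" != "yes" ] && [ -z "$ip_whitelist" ]; then
      echo "refusing to start: injection enabled without --localOnly or --ipWhitelist" >&2
      return 1
    fi
    args="--allowInjection"
  fi

  if [ "$local_only" = "yes" ]; then
    args="$args --localOnly"
  elif [ -n "$ip_whitelist" ]; then
    args="$args --ipWhitelist $ip_whitelist"
  fi

  # Drop the leading space left over when the first flag was appended.
  printf '%s\n' "${args# }"
}

# is_unprivileged UID: succeeds unless UID is root's (0).
is_unprivileged() {
  [ "$1" -ne 0 ]
}

# Only start mountebank when invoked with MB_LAUNCH=1, so the functions above
# can be sourced and checked without a running mb. Settings come from the
# environment and default to the safe choice: no injection, localhost only.
if [ "${MB_LAUNCH:-0}" = "1" ]; then
  if ! is_unprivileged "$(id -u)"; then
    echo "refusing to start: run mb as an unprivileged user, not root" >&2
    exit 1
  fi
  # The assignment's exit status is that of mb_args, so a refused
  # combination stops the launch here.
  mb_flags=$(mb_args "${MB_ALLOW_INJECTION:-no}" "${MB_LOCAL_ONLY:-yes}" "${MB_IP_WHITELIST:-}") || exit 1
  # Word splitting of $mb_flags is intended: it holds separate arguments.
  exec mb $mb_flags
fi
```

Run it as the service account, for example `MB_LAUNCH=1 MB_ALLOW_INJECTION=yes MB_LOCAL_ONLY=yes ./mb-launch.sh` on a developer machine, or with `MB_LOCAL_ONLY=no MB_IP_WHITELIST='10.0.0.5|10.0.0.6'` on a shared test host. Inside Docker, --localOnly would bind to the container's own loopback and make mb unreachable from the host, which is why the list above excepts Docker and VMs; there, publish the port bound to the host's loopback instead (`docker run -p 127.0.0.1:2525:2525 ...`) and pass an IP whitelist if other containers need access.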
By default, CORS is disabled, which prevents a web page served from another origin from using your browser to make cross-site requests (CSRF) against the mountebank API. To enable it, you must explicitly pass the safe origins
on the command line using the