Applies to ReadyAPI 2.2, last modified on November 17, 2017

ReadyAPI TestServer can receive a large number of test recipes from different sources, send requests to many tested APIs and return the results. Seen from the network, it therefore looks like a source of spam. In addition, test recipes can contain malicious script code, which is dangerous because TestServer usually runs on a server computer inside your network. This topic describes the possible security issues and how to mitigate them.

Inform Your IT Department

ReadyAPI TestServer sends and receives a large number of requests. Your company's proxies and firewalls may flag the server computer as a source of spam. To avoid this, inform your IT department before installing ReadyAPI TestServer so that they can adjust the firewall settings, if needed.

Access From Other Computers

To prevent TestServer from being used to send spam, you can configure it to accept test recipes only from the computer on which it is installed. This is useful when you start using the product, while you are learning how to work with it, or until your network security settings are configured properly. You can allow requests from other machines at any later time.

The last page of the TestServer installation wizard asks which mode you want to use. To change this setting later, edit the server.allowExternalRequests property in the ready-api-testserver.properties file.

Allowed Target Hosts

By default, ReadyAPI TestServer can send requests to any computer. To prevent TestServer from being used to send spam, restrict the hosts to which it is allowed to send requests by listing them in the allowed.connect.targets property in the ready-api-testserver.properties file.

SSL Certificate

ReadyAPI TestServer supports the HTTPS protocol. However, the default certificate included in the installation package is not secure: it ships with every copy of the product, so its private key is not private. We strongly recommend that you use your own SSL certificate so that requests to TestServer (test recipes) cannot be intercepted or tampered with.

To import your certificate into TestServer, run TestServer with the -c command-line argument and pass the keystore file that contains the private key and the corresponding certificate. See Configuring TestServer After Installation.

Test Access

ReadyAPI TestServer can run a large number of tests a day. If tests leave logs or other files behind, the server can run out of disk space. To prevent this, tests run on ReadyAPI TestServer can write only to the temp directory and to the directories listed in the allowed.file.paths property in the ready-api-testserver.properties file.
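The three settings described in the Access From Other Computers, Allowed Target Hosts and Test Access sections live in the same file. The fragment below is an added example of a locked-down ready-api-testserver.properties for a freshly installed server; it is not a file shipped with the product. The property names are the ones named on this page; the comma-separated value syntax, the host names and the directory path are assumptions of this example and should be checked against the TestServer Properties reference.

```properties
# ready-api-testserver.properties (added example, not the product's default file)

# Accept test recipes only from the computer TestServer runs on.
# Switch to true only after the firewall and proxy rules have been agreed
# with your IT department and remote clients need to submit recipes.
server.allowExternalRequests=false

# Hosts that test requests and Groovy scripts may connect to.
# Leaving this property unrestricted lets TestServer send requests anywhere,
# which is what makes it look like a spam source.
# (comma-separated list and host names are assumed for this example)
allowed.connect.targets=api.staging.example.com,localhost

# Directories, in addition to the temp directory, that tests and Groovy
# scripts may write files to. Keep this to a dedicated, monitored location
# so runaway logs cannot fill the system disk.
# (path and list syntax are assumed for this example)
allowed.file.paths=/var/lib/readyapi-testserver/output
```

Restart TestServer after editing the file so the new values take effect, and confirm the restrictions by submitting a recipe that targets a host outside allowed.connect.targets: it should be rejected rather than forwarded.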

Groovy Script Access

Groovy scripts that run on ReadyAPI TestServer can do more harm than other test steps, so they are subject to the following restrictions.

They are not allowed to:

  • Terminate the server.

  • Create classloaders to load other code.

  • Access any files outside of the temp directory and directories specified in the allowed.file.paths property (except for the groovy log file).

  • Execute system commands.

  • Open listening sockets on TestServer to accept connections from other machines.

  • Connect to hosts other than those specified by the allowed.connect.targets property.

See Also

TestServer Properties
About ReadyAPI TestServer
Best Practices