🔐 Perfect GeoServer WMS Configuration for Viewing Only (No Data Extraction or Download)
1️⃣ General Settings (Basic WMS Configuration)
- ✅ Enable WMS → ✔️ (Enabled, since we want to show data)
- ✅ Strict CITE Compliance → ❌ (Uncheck, as strict compliance is not needed for security)
2️⃣ Prevent Feature Extraction & Data Access
🚫 Disable "GetFeatureInfo" (Prevents Extracting Data)
- ✅ Disable GetFeatureInfo requests
  - Go to GeoServer Admin Panel → Layer Settings
  - Uncheck "Enable GetFeatureInfo"
  - This will prevent users from clicking on a feature and getting attribute information.
- ✅ Disable GetFeatureInfo Reprojection
  - "Disable the reprojection of GetFeatureInfo results" → ✔️ Enable
  - This prevents CRS transformations from exposing feature data.
- ✅ Disable HTML/JSON/XML in GetFeatureInfo
  - "Enable MIME type checking for GetFeatureInfo" → ✔️ Enable
  - Remove application/json, text/xml, text/html
  - Only allow image formats like PNG to avoid data extraction.
3️⃣ Secure "GetCapabilities" Response (Prevent Direct Layer Discovery)
- ✅ Hide Internal Layer Names
  - Go to WMS Settings → Root Layer Info
  - "Always include Root Layer in Capabilities" → ❌ Uncheck
  - This prevents users from seeing all available layers.
- ✅ Restrict CRS List
  - "Limited SRS List" → ✔️ Enable
  - Only allow standard web CRS (e.g., EPSG:3857).
- ✅ Hide Scale Information
  - "Show Scalehint as units per diagonal pixel in GetCapabilities" → ❌ Disable
  - Prevents clients from estimating layer resolution.
4️⃣ Secure Image Outputs (Disable Downloadable Formats)
- ✅ Disable Vector Formats
  - "Enable MIME type checking for GetMap" → ✔️ Enable
  - Allow only image formats: image/png, image/jpeg
  - Deny: image/svg, application/pdf, application/vnd.ogc.gml
- ✅ Limit Image Resolution (Prevent High-Res Screenshots)
  - "Max rendering memory (KB)" → Set to 32MB (lower if needed)
  - "Max rendering time (s)" → Set to 30s
  - This prevents users from requesting ultra-high-resolution images.
5️⃣ Prevent Unauthorized Access & Downloads
🚫 Disable Direct File Downloads
- Disable Web Feature Service (WFS)
  - Go to: GeoServer → Services → WFS
  - Uncheck "Enable WFS"
  - This prevents direct feature downloads in GML, JSON, etc.
- Disable Web Coverage Service (WCS)
  - Go to: GeoServer → Services → WCS
  - Uncheck "Enable WCS"
  - This prevents raster data downloads.
- Disable Styling (SLD) Overwrites
  - "Disable usage of SLD and SLD_BODY parameters in GET requests" → ✔️ Enable
  - This prevents users from modifying layer styles dynamically.
6️⃣ Prevent Map Tile Stitching (Tiling Services)
- ✅ Disable Continuous Wrapping
  - "Enable continuous map wrapping" → ❌ Disable
  - Prevents users from requesting seamless tile downloads.
- ✅ Disable Automated Projection Handling
  - "Enable advanced projection handling" → ❌ Disable
  - Prevents unexpected coordinate transformations.
7️⃣ Additional Security Measures
- ✅ Restrict Access with Authentication
  - Use GeoServer Security (LDAP, OAuth, or Role-based permissions)
  - Allow only authenticated users to access the WMS.
- ✅ Apply Layer Access Restrictions
  - GeoServer → Security → Layer Security
  - Restrict who can view specific layers.
🛠 Summary: Best WMS Security Settings for Viewing Only
| Setting | Value | Effect |
|---|---|---|
| ✅ Enable WMS | ✔️ Enabled | Users can view the map |
| 🚫 Disable GetFeatureInfo | ❌ Disabled | No attribute data extraction |
| 🚫 Disable WFS & WCS | ❌ Disabled | No data downloads (vector/raster) |
| 🚫 Restrict Image Formats | image/png, image/jpeg | No SVG, GML, PDF |
| 🚫 Disable Layer Discovery | ❌ No root layer in GetCapabilities | Users can't list all layers |
| 🚫 Restrict Projection & Tiling | ❌ No continuous map wrapping | Prevents large tile downloads |
| 🚫 Apply Authentication | ✔️ Required | Only authorized users see the layers |
| 🚫 Limit Rendering | ⏳ Max memory 32MB, Timeout 30s | Prevents high-res screenshots |
| 🚫 Disable SLD Modifications | ❌ No dynamic styling | Users can't modify layers |
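
To confirm from the client side that the format, CRS and GetFeatureInfo settings above took effect, you can audit what the server advertises in its GetCapabilities response. The following is an added example, not part of the original post: the sample XML, the layer name demo:parcels and the function names are constructed for illustration, and the `queryable` check relies on the WMS 1.3.0 layer attribute of that name.

```python
import xml.etree.ElementTree as ET

WMS = "http://www.opengis.net/wms"            # WMS 1.3.0 namespace
NS = {"wms": WMS}
ALLOWED_GETMAP = {"image/png", "image/jpeg"}  # allow-list from section 4
DENIED_GFI = {"application/json", "text/xml", "text/html"}  # section 2
ALLOWED_CRS = {"EPSG:3857"}                   # example CRS from section 3

# Constructed sample, not output from a real server.
SAMPLE_CAPS = """<WMS_Capabilities xmlns="http://www.opengis.net/wms" version="1.3.0">
 <Capability>
  <Request>
   <GetMap><Format>image/png</Format><Format>image/svg+xml</Format></GetMap>
   <GetFeatureInfo><Format>text/html</Format></GetFeatureInfo>
  </Request>
  <Layer><CRS>EPSG:3857</CRS><CRS>EPSG:4326</CRS>
   <Layer queryable="1"><Name>demo:parcels</Name></Layer>
  </Layer>
 </Capability>
</WMS_Capabilities>"""

def _texts(root, path):
    """Stripped text of every element matching a namespaced path."""
    return [(e.text or "").strip() for e in root.findall(path, NS)]

def audit_capabilities(xml_text):
    """Return sorted findings where the capabilities depart from the view-only settings."""
    root = ET.fromstring(xml_text)  # parse only documents from a server you control
    req = "wms:Capability/wms:Request/"
    findings = []
    for fmt in _texts(root, req + "wms:GetMap/wms:Format"):
        if fmt not in ALLOWED_GETMAP:
            findings.append(f"GetMap format outside allow-list: {fmt}")
    for fmt in _texts(root, req + "wms:GetFeatureInfo/wms:Format"):
        if fmt in DENIED_GFI:
            findings.append(f"GetFeatureInfo text format advertised: {fmt}")
    for crs in _texts(root, "wms:Capability/wms:Layer/wms:CRS"):
        if crs not in ALLOWED_CRS:
            findings.append(f"Root layer CRS outside limited list: {crs}")
    for layer in root.iter(f"{{{WMS}}}Layer"):
        if layer.get("queryable") == "1":  # WMS flag for GetFeatureInfo support
            name = layer.findtext("wms:Name", default="(unnamed)", namespaces=NS)
            findings.append(f"Layer still queryable: {name}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_capabilities(SAMPLE_CAPS)) or "no findings")
```

An empty result means the advertised capabilities match the allow-lists; it does not replace testing that disallowed requests are actually rejected by the server.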
