Spoolman tracks filament inventory and can integrate with print infrastructure (for example Moonraker/Klipper tooling). Harden API exposure, token handling, and service boundaries.
¶ 1) Restrict web and API exposure
- Keep Spoolman behind HTTPS reverse proxy.
- Restrict access to trusted LAN/VPN ranges where possible.
- Add rate limiting for auth and write-heavy API endpoints.
- Disable or restrict anonymous access in shared environments.
- Use strong authentication mechanisms when available.
- Implement IP whitelisting for administrative access.
- Use scoped API tokens for Moonraker/Klipper integrations.
- Rotate integration credentials periodically.
- Separate print-controller network from broader user network.
- Log inventory-changing API calls for auditability.
- Configure secure API keys with sufficient entropy.
- Limit API permissions to minimum required scope.
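The reverse-proxy, LAN-restriction, rate-limiting and audit-logging items above, combined into one nginx site configuration. This is an added example, not configuration shipped by the Spoolman project; it assumes Spoolman listens on 127.0.0.1:7912 and serves its API under /api/, and the hostname, certificate paths and address ranges are placeholders.

```nginx
# Added example (not Spoolman's own config): TLS termination, client
# allowlist, write-only rate limiting and per-request audit log.
# Assumes Spoolman on 127.0.0.1:7912 with its API under /api/.

# Key is empty for read methods, so only POST/PUT/PATCH/DELETE are counted.
map $request_method $spoolman_write_key {
    default "";
    POST    $binary_remote_addr;
    PUT     $binary_remote_addr;
    PATCH   $binary_remote_addr;
    DELETE  $binary_remote_addr;
}
limit_req_zone $spoolman_write_key zone=spoolman_write:10m rate=30r/m;

server {
    listen 80;
    server_name spoolman.example.internal;   # placeholder hostname
    return 301 https://$host$request_uri;     # never serve plain HTTP
}

server {
    listen 443 ssl;
    server_name spoolman.example.internal;   # placeholder hostname

    ssl_certificate     /etc/ssl/spoolman/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/spoolman/privkey.pem;    # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only the printing VLAN and VPN clients reach Spoolman (constructed ranges).
    allow 10.0.20.0/24;
    allow 10.8.0.0/24;
    deny  all;

    # Audit trail: method, path, status and client address for every request.
    access_log /var/log/nginx/spoolman-access.log combined;

    location /api/ {
        limit_req zone=spoolman_write burst=10 nodelay;   # writes only
        limit_req_status 429;
        proxy_pass http://127.0.0.1:7912;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        proxy_pass http://127.0.0.1:7912;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Moonraker/Klipper hosts that update spool usage must sit inside one of the allowed ranges, and Spoolman itself should bind only to the loopback address so the proxy cannot be bypassed.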
¶ 3) Harden runtime and persistence
- Run service with least privileges and minimal filesystem access.
- Keep SQLite/PostgreSQL backend files in protected directories.
- Encrypt backups for spool metadata and tags.
- Patch Spoolman releases and runtime dependencies on schedule.
- Use non-root user for container execution when possible.
- Implement proper backup encryption and access controls.
- Set SPOOLMAN_API_KEY to a strong, randomly generated value in production.
- Disable anonymous write access by setting SPOOLMAN_ALLOW_ANONYMOUS_WRITE=false.
- Enable authentication for API access by setting SPOOLMAN_REQUIRE_AUTH_FOR_API=true.
- Use encrypted connections for external databases (PostgreSQL, MySQL).
- Regularly rotate API keys and database credentials.
- Use dedicated VLAN/network segment for 3D printing infrastructure.
- Implement firewall rules to restrict access to Spoolman ports.
- Use VPN or private networks for remote access instead of direct internet exposure.
- Monitor network traffic for unusual patterns or unauthorized access attempts.
- Spoolman source repository: https://github.com/Donkie/spoolman
- Spoolman security policy: https://github.com/Donkie/spoolman/security/policy