This may be worth a read. As more OpenMRS deployments are exposed to the internet and integrated with external systems (mobile apps, DHIS2, HIEs, reporting tools, etc.), network firewalls alone may not be enough to protect against application-level attacks.
One option that may be worth evaluating is SafeLine WAF, a self-hosted web application firewall that runs as a reverse proxy in front of OpenMRS. It inspects HTTP(S) traffic before requests reach the Tomcat/Spring application.
Why this could be useful for OpenMRS
- Helps protect against common web attacks (SQL injection, XSS, path traversal, brute-force logins)
- Allows path-level tuning, which is important for endpoints like /openmrs/ws/rest/*
- Can be deployed on-premise or in data-sovereign environments
- Adds minimal latency and does not require changes to OpenMRS core
- Provides useful security logs for audits and incident response
TLS termination, rate limiting, and basic bot protection can be handled at the WAF layer, reducing the attack surface on the application itself.
Things to be aware of
- Some initial tuning is needed to avoid false positives, especially for REST APIs and reporting modules
- Requires some security/DevOps familiarity
- This is an additional security layer, not a replacement for proper OpenMRS configuration, patching, and access controls
Some OpenMRS implementations operate in environments where managed cloud WAFs are not practical due to cost, bandwidth, or data-sovereignty requirements. A lightweight, self-hosted WAF may be a reasonable option in such cases.
SafeLine WAF vs ModSecurity (Nginx) in OpenMRS deployments
OpenMRS implementers may use Nginx or Apache with the ModSecurity WAF module, which remains a solid and widely adopted option. ModSecurity is mature, well understood, and integrates directly into existing reverse proxies. However, it typically requires significant rule tuning (for example, OWASP CRS) to reduce false positives, especially around REST APIs and complex reporting queries.
SafeLine takes a different approach by operating as a standalone reverse proxy with built-in threat detection, rather than a rule-heavy module inside Nginx. This can reduce the amount of manual rule management needed, while still allowing path-level tuning for OpenMRS endpoints such as /openmrs/ws/rest/*. In environments where teams have limited time to maintain custom WAF rules, this may simplify ongoing operations.
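To make the "rule tuning" point concrete, here is an added example of what path-level tuning looks like on the ModSecurity side (this is not from the SafeLine project, the OpenMRS project or the original post). It assumes ModSecurity v3 with the nginx connector and OWASP CRS 3.x loaded after this file, and that the OpenMRS REST search and representation parameters are named q and v; the local rule ids are placeholders in the reserved local range.

```apache
# Added example: CRS "before-CRS" exclusions for an OpenMRS deployment.
# Assumptions: ModSecurity v3 + nginx connector, CRS 3.x included after this
# file, OpenMRS REST query parameter "q". Rule ids 10001-10003 are local.

# 1. Parse JSON request bodies as JSON. Without this, CRS inspects a POST body
#    (e.g. an encounter or obs payload) as one opaque string and over-matches.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/json" \
    "id:10001,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"

# 2. Tuning phase only: for the REST API, log what CRS would block but do
#    not block, so the audit log shows which rules fire on legitimate
#    client traffic (mobile apps, DHIS2 exports). Remove before go-live.
SecRule REQUEST_URI "@beginsWith /openmrs/ws/rest/" \
    "id:10002,phase:1,pass,nolog,ctl:ruleEngine=DetectionOnly"

# 3. Enforcement phase: replace the blanket rule above with narrow
#    exclusions for the rules that fired on real traffic. Here: free-text
#    patient/concept searches in "q" tripping the libinjection SQLi check
#    (CRS rule 942100), excluded only for that parameter on that path.
SecRule REQUEST_URI "@beginsWith /openmrs/ws/rest/v1/" \
    "id:10003,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:q"
```

The blanket DetectionOnly rule (10002) is what makes the REST API safe to put behind CRS on day one; the narrow exclusion (10003) is what you keep once the audit log tells you which rules actually misfire. The rest of the site, including /openmrs/login.htm, stays fully enforced.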
This is not an endorsement, just a suggestion for discussion and evaluation.
I’d be interested to hear:
- Has anyone deployed a self-hosted WAF in front of OpenMRS?
- What challenges did you run into (false positives, performance, maintenance)?
SafeLine project: https://github.com/chaitin/SafeLine