Launch Week Day 1: Socket for Jira Is Now Available.Learn More
Socket
Book a DemoSign in
Socket
Book a DemoSign in

tileserver-gl

Package Overview
Dependencies
Maintainers
11
Versions
122
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

tileserver-gl

Map tile server for JSON GL styles - vector and server side generated raster tiles

latest
Source
npmnpm
Version
5.6.0
Version published
Weekly downloads
874
49.91%
Maintainers
11
Weekly downloads
 
Created
Source

tileserver-gl

TileServer GL

GitHub Workflow Status Docker Hub

Vector and raster maps with GL styles. Server-side rendering by MapLibre GL Native. Map tile server for MapLibre GL JS, Android, iOS, Leaflet, OpenLayers, GIS via WMTS, etc.

Download vector tiles from OpenMapTiles.

Getting Started with Node

Make sure you have Node.js version 20 or above installed. Node 24 is recommended. (running node -v it should output something like v24.x.x). Running without docker requires Native dependencies to be installed first.

Install tileserver-gl with server-side raster rendering of vector tiles with npm.

npm install -g tileserver-gl

Once installed, you can use it like the following examples.

using a mbtiles file

wget https://github.com/maptiler/tileserver-gl/releases/download/v1.3.0/zurich_switzerland.mbtiles
tileserver-gl --file zurich_switzerland.mbtiles
[in your browser, visit http://[server ip]:8080]

using a config.json + style + mbtiles file

wget https://github.com/maptiler/tileserver-gl/releases/download/v1.3.0/test_data.zip
unzip test_data.zip
tileserver-gl
[in your browser, visit http://[server ip]:8080]

Alternatively, you can use the tileserver-gl-light npm package instead, which is pure javascript, does not have any native dependencies, and can run anywhere, but does not contain rasterization on the server side made with Maplibre GL Native.

Getting Started with Docker

An alternative to npm to start the packed software easier is to install Docker on your computer and then run from the tileserver-gl directory

Example using a mbtiles file

wget https://github.com/maptiler/tileserver-gl/releases/download/v1.3.0/zurich_switzerland.mbtiles
docker run --rm -it -v $(pwd):/data -p 8080:8080 maptiler/tileserver-gl:latest --file zurich_switzerland.mbtiles
[in your browser, visit http://[server ip]:8080]

Example using a config.json + style + mbtiles file

wget https://github.com/maptiler/tileserver-gl/releases/download/v1.3.0/test_data.zip
unzip test_data.zip
docker run --rm -it -v $(pwd):/data -p 8080:8080 maptiler/tileserver-gl:latest
[in your browser, visit http://[server ip]:8080]

Example using a different path

docker run --rm -it -v /your/local/config/path:/data -p 8080:8080 maptiler/tileserver-gl:latest

replace '/your/local/config/path' with the path to your config file

Alternatively, you can use the maptiler/tileserver-gl-light:latest docker image instead, which is pure javascript, does not have any native dependencies, and can run anywhere, but does not contain rasterization on the server side made with Maplibre GL Native.

Getting Started with Linux cli

Test from command line

wget https://github.com/maptiler/tileserver-gl/releases/download/v1.3.0/test_data.zip
unzip -q test_data.zip -d test_data
xvfb-run --server-args="-screen 0 1024x768x24" npm test

Run from command line

xvfb-run --server-args="-screen 0 1024x768x24" node .

Documentation

You can read the full documentation of this project at https://tileserver.readthedocs.io/en/latest/.

Security: Host header poisoning (HNP) mitigation

When the server is started without --public_url, URLs in responses (WMTS, TileJSON, style JSON) are built from the request’s Host and X-Forwarded-* headers. If an attacker can influence these headers, the server may return URLs pointing to an attacker-controlled host (Host header poisoning). Clients that use those URLs can then be directed to malicious servers.

Recommended for production:

  • Set a canonical public URL so the server never derives host from the request:

    tileserver-gl --public_url https://your-domain.com/ --file your.mbtiles

  • Or restrict which hosts are allowed when not using --public_url, via the allowed-hosts list (default is *, i.e. no restriction):

    • Set the environment variable TILESERVER_GL_ALLOWED_HOSTS to a comma-separated list of allowed hostnames (e.g. localhost,myapp.example.com). If the request’s host (or X-Forwarded-Host) is not in this list, the server returns path-only URLs instead of absolute URLs, so responses cannot be poisoned with an attacker’s host.
    • Example: 
      export TILESERVER_GL_ALLOWED_HOSTS="localhost,map.example.com"
tileserver-gl --file your.mbtiles
    • If you do not set this variable (or set it to *), behavior is unchanged and all hosts are accepted; for public-facing deployments you should either use --public_url or set TILESERVER_GL_ALLOWED_HOSTS to your known host(s). See SECURITY.md for details.

Alternative

Discover MapTiler Server if you need a map server with easy setup and user-friendly interface.

Keywords

maptiler
tileserver-gl
maplibre-gl
tileserver

FAQs

Package last updated on 06 Apr 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Socket for Jira Is Now Available

Product

Socket for Jira Is Now Available

Socket for Jira lets teams turn alerts into Jira tickets with manual creation, automated ticketing rules, and two-way sync.

By Jeppe Hasseriis  -  Apr 20, 2026
Socket Named Top Sales Organization by RepVue

Company News

Socket Named Top Sales Organization by RepVue

Socket won two 2026 Reppy Awards from RepVue, ranking in the top 5% of all sales orgs. AE Alexandra Lister shares what it's like to grow a sales career here.

By Sarah Gooding  -  Apr 17, 2026