Question

I am building a web site which will be deployed and maintained by my company's IT department. My web site's backend needs to access a third-party API on the internet. The IT department says it is not allowed to access the external network from this site. Is this an acceptable security restriction? What is the secure way to make an external API call?


Solution

The reason why your IT department wants to restrict access to arbitrary external websites is to theoretically make it harder to move any data off your web server to another server in the circumstances where a hacker has managed to upload and execute some arbitrary code.

This is not a totally unreasonable policy to have, as it does help mitigate an attack, even if it doesn't totally block an attack.

The standard way to allow connections to the outside world, but in a controlled manner, is for your IT department to set up a proxy, and then your application should make all connections to other websites through that. The proxy should have a white-list of all domains that your code is allowed to connect to, blocking all other requests.

That should allow your software to do what it needs to do, while still mitigating the potential for hackers to be able to move data off the server.

By the way, if your IT department is capable of it, you should be able to configure the proxy so that any request to a non-whitelisted site will trigger an alarm, as it would indicate a probable intrusion on the server, and that it's now running hacker-uploaded code.
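To make the two halves of this answer concrete, here is an added example (not code from the answer above): an allowlist check of the kind the egress proxy would enforce, plus a small scan of proxy log lines that surfaces the denied requests the alarm should fire on. The host names, the allowlist and the log lines are all constructed for the example; the log format is modelled on a Squid-style native access log and is an assumption.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: exact host, or any subdomain when the entry starts with "."
ALLOWED_HOSTS = {"api.partner.example", ".cdn.partner.example"}


def egress_allowed(url, allowlist=ALLOWED_HOSTS):
    """Decide whether an outbound request may leave through the proxy.

    Only https, only named hosts on the allowlist, never raw IP literals.
    urlsplit().hostname drops any userinfo, so "https://allowed@evil/" is
    judged on "evil", not on the decoy before the "@".
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is not an approved partner name
    except ValueError:
        pass
    host = host.lower().rstrip(".")  # normalise case and a trailing dot
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


# Constructed proxy log: one allowed tunnel, two requests the allowlist rejected
SAMPLE_LOG = """\
1700000000.101     45 10.0.0.5 TCP_TUNNEL/200 8120 CONNECT api.partner.example:443 - HIER_DIRECT/203.0.113.10 -
1700000000.317      2 10.0.0.5 TCP_DENIED/403 3412 CONNECT paste.example.net:443 - HIER_NONE/- text/html
1700000000.502      3 10.0.0.5 TCP_DENIED/403 3412 GET http://198.51.100.7/upload - HIER_NONE/- text/html
"""


def denied_egress(log_text):
    """Return (client, destination) for every log line the proxy denied.

    Any hit from the web server is the 'alarm' case in the answer: code on
    that host tried to reach somewhere it was never approved to reach.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[3].startswith("TCP_DENIED"):
            hits.append((fields[2], fields[6]))
    return hits
```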

Licensed under: CC-BY-SA with attribution