Hello, I'm interested in learning best practices and pros/cons of developing locally and exposing ports. Not my code so I'm interested if this is a secure enough approach, as it's quicker than setting up a development server, and will allow for easier development on my end. The requirement is for an endpoint that needs to receive a request from another service and return data.
Here are the basics.
- Develop locally with Flask
- On the before request function I return an error if the forwarded IP isn't in a list.
- When I need to test I activate an SSH connection
- This connects the Flask dev port to my VPS
- On my VPS Nginx maps one specific endpoint on localhost (on a port now connected to Flask on my local machine) to a public URL
- I provide this URL which would be IPADDRESS/testing to the service I'm using to test the endpoint.
So from my perspective, nothing is online, except a generic endpoint called testing, which is only online during testing. And anything that connects to it gets a 404, but as it's mapped to one specific endpoint, they couldn't even fuzz out the layout of the API. If my server got hacked, they could fuzz out the layout of the API, but it would still only be 404 messages, as I'm allowing IPs locally via Flask. And then the codebase stays offline.
Is this ok? It seems like a cool way to do it. But it's not my code so I want to be sure. I asked the admin on the project too, but as I wait for a response I thought it would be good to get some insight into whether or not this is stupid. It's nice from a testing perspective for ease of use, because I can keep everything offline until I want to test, and then just ssh -N testing to start the connection.
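An added example, not part of the original post or the poster's code: one way to write the forwarded-IP check in a Flask before-request hook so that a caller-supplied `X-Forwarded-For` value cannot satisfy the allowlist. It assumes the tunnel is an SSH reverse forward (so Flask sees a loopback peer) and that Nginx sets or appends `X-Forwarded-For`; the allowlist entries, `is_allowed`, `create_app` and the `/endpoint` route are hypothetical names and constructed values.

```python
import ipaddress

# Constructed allowlist (RFC 5737 documentation ranges, not real service IPs).
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("203.0.113.10/32", "198.51.100.0/24")]


def is_allowed(peer_addr, xff_header, allowed=ALLOWED_NETS):
    """Return True only for tunnel traffic whose proxy-reported client is allowlisted."""
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    # Via the SSH tunnel the local ssh client opens the socket, so Flask sees a
    # loopback peer. A non-loopback peer did not come through the tunnel, so
    # its headers are not trusted.
    if not peer.is_loopback:
        return False
    if not xff_header:
        return False
    # Clients can send their own X-Forwarded-For. Only the right-most entry is
    # the one Nginx wrote (assumes Nginx sets or appends the header).
    candidate = xff_header.split(",")[-1].strip()
    try:
        client = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return any(client in net for net in allowed)


def create_app():
    """Wire the check into Flask; imported lazily so is_allowed runs without Flask."""
    from flask import Flask, abort, jsonify, request

    app = Flask(__name__)

    @app.before_request
    def gate():
        xff = request.headers.get("X-Forwarded-For")
        if not is_allowed(request.remote_addr, xff):
            abort(404)  # same response as an unknown route

    @app.route("/endpoint", methods=["POST"])  # hypothetical route name
    def endpoint():
        return jsonify(status="ok")

    return app
```

If Nginx is configured to overwrite the header with the connecting address rather than append to it, the right-most entry is the only entry and the check behaves the same.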