Smokescreen is an HTTP CONNECT proxy. It proxies most traffic from Stripe to the external world (e.g., webhooks).
Smokescreen restricts which URLs it connects to:
It uses a pre-configured hostname ACL to only allow requests addressed to certain allow-listed hostnames, to ensure that no malicious code is attempting to make requests to unexpected services.
It also resolves each domain name that is requested, and ensures that it is a publicly routable IP address and not an internal IP address. This prevents a class of attacks where, for instance, our own webhooks infrastructure is used to scan Stripe’s internal network. Smokescreen can also be further configured to allow or deny specific IP addresses or ranges.
https://github.com/stripe/smokescreen
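The two checks described above, sketched in Go as an added example (this is not Smokescreen's code or API). `Policy`, `Vet` and `sample` are hypothetical names, the hostname match is simplified to exact-match, and the hostnames and addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// Policy is a hypothetical stand-in for proxy configuration, not Smokescreen's own type.
type Policy struct {
	AllowedHosts map[string]bool // exact-match hostname allow-list
	DenyRanges   []netip.Prefix  // extra operator-configured ranges to refuse
}
var ErrHost = errors.New("hostname not on allow-list")
var ErrAddr = errors.New("resolved address is not publicly routable")

// Vet checks the hostname, then every resolved address (textual form), and returns
// the vetted addresses so the caller dials one of them instead of resolving again.
func (p Policy) Vet(host string, resolved ...string) ([]netip.Addr, error) {
	if !p.AllowedHosts[strings.ToLower(strings.TrimSuffix(host, "."))] {
		return nil, ErrHost
	}
	var ok []netip.Addr
	for _, s := range resolved {
		a, err := netip.ParseAddr(s)
		a = a.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
		// IsGlobalUnicast still accepts RFC 1918 and IPv6 ULA space, so add IsPrivate.
		if err != nil || !a.IsGlobalUnicast() || a.IsPrivate() {
			return nil, ErrAddr
		}
		for _, d := range p.DenyRanges {
			if d.Contains(a) {
				return nil, ErrAddr
			}
		}
		ok = append(ok, a)
	}
	if len(ok) == 0 { // an empty DNS answer is refused as well
		return nil, ErrAddr
	}
	return ok, nil
}

// sample is a constructed policy: one allowed host, CGNAT space (100.64.0.0/10) denied.
var sample = Policy{map[string]bool{"hooks.example.com": true}, []netip.Prefix{netip.MustParsePrefix("100.64.0.0/10")}}

func main() {
	fmt.Println(sample.Vet("hooks.example.com", "10.0.0.5")) // allowed name, internal answer
}
```

A single internal address anywhere in the DNS answer rejects the whole request, so an allow-listed name cannot be used to reach loopback, link-local (including 169.254.169.254) or private ranges.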