Proxy Security Best Practices
Using proxies adds a layer between your infrastructure and target sites, but it also introduces new attack surfaces. These best practices help you secure your proxy configuration, protect credentials, and prevent data leaks.
Credential Management
Never hardcode proxy credentials in source code. Use environment variables or a secrets manager:
```python
import os

# GOOD: Read from environment
proxy_user = os.environ["HEX_PROXY_USER"]
proxy_pass = os.environ["HEX_PROXY_PASS"]
proxy_url = f"http://{proxy_user}:{proxy_pass}@gate.hexproxies.com:8080"

# BAD: Hardcoded credentials
# proxy_url = "http://admin:secret123@gate.hexproxies.com:8080"
```
```javascript
// Node.js: Read from environment
const proxyUrl = `http://${process.env.HEX_PROXY_USER}:${process.env.HEX_PROXY_PASS}@gate.hexproxies.com:8080`;
```
Secrets Manager Integration
```python
# AWS Secrets Manager example
import json

import boto3


def get_proxy_credentials():
    # Fetch the username/password pair stored as a JSON secret
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId='hex-proxy-credentials')
    secret = json.loads(response['SecretString'])
    return secret['username'], secret['password']


user, password = get_proxy_credentials()
proxy = f"http://{user}:{password}@gate.hexproxies.com:8080"
```
DNS Leak Prevention
DNS leaks expose the domains you visit even when using a proxy. Prevent them by:
- **Use SOCKS5h**: The `h` suffix routes DNS through the proxy.
- **Disable WebRTC**: In browsers, WebRTC can leak your real IP.
- **Verify with tests**: Run DNS leak tests after configuration.
```bash
# SOCKS5 with remote DNS (prevents leaks)
# Verify DNS is not leaking
curl -x socks5h://user:pass@gate.hexproxies.com:1080 https://dnsleaktest.com
```
IP Allowlisting
If your source IPs are static (servers, CI/CD pipelines), use IP allowlisting instead of credentials:
- Eliminates credential exposure risk entirely.
- Simpler configuration (no username/password in URLs).
- Works best for server-to-server workflows.
- Configure allowlists in your Hex Proxies dashboard.
Traffic Encryption
Always use HTTPS for target URLs even when routing through a proxy. The proxy tunnels the encrypted connection without inspecting the content:
```python
import requests

# proxy_url is built from environment variables as in the Credential Management section

# GOOD: HTTPS target through proxy
requests.get("https://example.com", proxies={"https": proxy_url})

# CAUTION: HTTP target -- proxy can see request content
requests.get("http://example.com", proxies={"http": proxy_url})
```
Audit Logging
Log proxy usage for security auditing without logging credentials:
```python
import logging
import time

logger = logging.getLogger("proxy_audit")


def audited_request(session, method, url, **kwargs):
    # Wraps session.request() and records method, URL, status and latency only
    start = time.time()
    try:
        resp = session.request(method, url, **kwargs)
        elapsed = time.time() - start
        logger.info(
            "proxy_request",
            extra={
                "url": url,
                "method": method,
                "status": resp.status_code,
                "elapsed_ms": round(elapsed * 1000),
                # Never log credentials
                "proxy_gateway": "gate.hexproxies.com",
            },
        )
        return resp
    except Exception as e:
        logger.error("proxy_request_failed", extra={"url": url, "error": str(e)})
        raise
```
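The DNS leak, traffic encryption and audit logging sections above all come down to checks on the proxy URL and the `proxies` dict. The following added example (not part of the Hex Proxies docs) turns them into code: a pre-flight check that flags a plain-HTTP target, a `socks5` scheme that resolves DNS locally, and a `proxies` dict with no entry for the target scheme (requests then sends the request direct, bypassing the proxy), plus a `logging.Filter` that scrubs `user:pass@` from every record so an exception message or `extra` field cannot leak the credential. The sample URLs and the `HEX_PROXY_*` placeholders are constructed values.

```python
import logging
import re
from urllib.parse import urlsplit

# Matches the user:pass@ portion of any URL (constructed pattern, not from the docs).
_USERINFO_RE = re.compile(r"(?<=://)[^/@\s]+@")


def redact_proxy_url(url: str) -> str:
    """Return the URL with its user:pass@ replaced by ***@ so it is safe to log or print."""
    return _USERINFO_RE.sub("***@", url)


def check_proxy_config(proxies: dict, target_url: str) -> list:
    """Check a requests-style proxies dict against the checklist on this page.

    Returns human-readable findings; an empty list means nothing was flagged.
    """
    findings = []
    target_scheme = urlsplit(target_url).scheme
    if target_scheme != "https":
        findings.append("target uses plain HTTP: the proxy can read the request content")
    # requests picks the proxy by target scheme; with no matching key (or "all")
    # the request goes out directly from the real IP instead of via the proxy.
    if target_scheme not in proxies and "all" not in proxies:
        findings.append(f"no proxy entry for scheme '{target_scheme}': request would go direct")
    for key, url in proxies.items():
        if urlsplit(url).scheme == "socks5":
            findings.append(f"{key}: socks5 resolves DNS locally, use socks5h to keep DNS on the proxy")
    return findings


class ProxyCredentialFilter(logging.Filter):
    """Logging filter that scrubs user:pass@ from the message, its args and any extra fields."""

    def filter(self, record: logging.LogRecord) -> bool:
        for key, value in list(record.__dict__.items()):
            if isinstance(value, str):
                setattr(record, key, redact_proxy_url(value))
        if isinstance(record.args, tuple):
            record.args = tuple(redact_proxy_url(a) if isinstance(a, str) else a for a in record.args)
        return True  # never drop the record, only sanitise it


if __name__ == "__main__":
    # Constructed sample values; the HEX_PROXY_* placeholders stand in for real credentials.
    proxy_url = "http://HEX_PROXY_USER:HEX_PROXY_PASS@gate.hexproxies.com:8080"
    print(redact_proxy_url(proxy_url))
    print(check_proxy_config({"http": proxy_url}, "https://example.com"))
    logging.getLogger("proxy_audit").addFilter(ProxyCredentialFilter())
```

Attach the filter to the `proxy_audit` logger from the block above and run `check_proxy_config` once at startup so a misconfigured `proxies` dict fails loudly instead of silently leaking.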
Access Control
- **Principle of least privilege**: Give each team member or service only the proxy access they need.
- **Separate credentials**: Use different credentials for development, staging, and production.
- **Rotate regularly**: Change proxy passwords every 90 days or after any suspected exposure.
- **Monitor usage**: Watch for unusual traffic patterns that could indicate credential theft.
Security Checklist
- [ ] Credentials stored in environment variables or secrets manager
- [ ] No credentials in source code, logs, or error messages
- [ ] HTTPS used for all target URLs
- [ ] DNS leak prevention configured (socks5h or proxy DNS)
- [ ] IP allowlisting enabled for static source IPs
- [ ] Audit logging captures requests without credentials
- [ ] Credentials rotated every 90 days
- [ ] Separate credentials for each environment
- [ ] Access control follows least privilege principle
- [ ] Unusual traffic monitoring enabled