Comment by AaronFriel
4 years ago
That's what I did at my last role, and it was made infinitely easier because I was the first engineer and it was greenfield development.
Our backend used a combination of network policies to only allow outbound TCP connections to a handful of forward proxies, each of which was one simple, easy to verify nginx server that forwarded to https://saas.service.example.com.
And on days when we learned of new supply chain vulnerabilities, we didn't have a security incident.
I implemented this on a companies network in mid 2000's
all browser traffic went through extremely locked down secured proxy
all applications on the OS (bar browser) was routed to different set of proxies with only whitelisted IP addresses over VPNs/ leased lines/ MPLS
any data that tried to get out from a PC not in the above whitelist was flagged and investigated