Skip To Content

Restricting the portal's proxy capability

In some scenarios, Portal for ArcGIS acts as a proxy server. This capability is used in the following situations:

  • You try to access a resource on a different domain than your portal and Cross Origin Resource Sharing (CORS) support is not available. CORS is a specification that allows a web server and a web browser to interact and determine if a cross-origin request should be allowed.
  • You try to share a secured resource with other users, but you want to hide the user credentials required to access the resource.

By default, the portal's proxy capability is unrestricted. As a result, the portal can be misused to launch Denial of Service (DoS) or Server Side Request Forgery (SSRF) attacks against any computer the portal machine can access. To mitigate this potential vulnerability, it's strongly recommended you restrict the portal's proxy capability by defining a list of approved web addresses. Portal for ArcGIS will only be able to proxy requests to the addresses in the list; all others are blocked. If you've federated ArcGIS Server with your portal, the list must contain the addresses of all machines in the site, as well as any resource that is shared as an item in the portal.

To define a list of approved addresses, follow the steps below.

  1. Open a web browser and sign in to the ArcGIS Portal Directory as an Administrator of your organization. The URL is formatted as
  2. Click Security > Config > Update Security Configuration.
  3. In the Configuration field, add the allowedProxyHosts property and specify the list of approved addresses, for example:
        "disableServicesDirectory": false,
        "enableAutomaticAccountCreation": false,
        "allowedProxyHosts": ","

    Use the format (.*) to allow proxy requests to all machines within a specified domain. Use wildcards (*) with caution; unauthorized users may inadvertently be granted access to restricted machines.

  4. Click Update Configuration.