Proposal: Opt-in Public URL Subset

Summary

To limit possible security vulnerabilities, we will expose a single URL subspace outside the VPC; all other URLs will be accessible only from inside the VPC.

Details

At the hosting layer (AWS VPC), requests from outside the VPC to any URL not under the /public prefix will return a 404. This will be enabled by default on all new IDAs and rolled out to existing IDAs as teams have the bandwidth to adjust their URLs.

In order to make OpenEdX deployment easier, IDAs should continue to use correct authentication and authorization for all URLs.
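
The /public rule from Details, sketched as an added example (not code from this proposal or from any IDA) to show the path-matching edge cases a prefix gate has to handle. The names `canonical_path`, `is_public` and `gate`, the `from_inside_vpc` flag and the fail-closed normalization policy are assumptions.

```python
import posixpath
from urllib.parse import unquote

PUBLIC_PREFIX = "/public"  # the prefix named in the proposal


def canonical_path(raw_path):
    """Normalize a request path; return None when it is ambiguous."""
    decoded = unquote(raw_path.split("?", 1)[0])
    # A "%" left after one decode means double encoding (or a literal "%");
    # backslashes and NULs may be reinterpreted downstream. Fail closed.
    if not decoded.startswith("/") or any(c in decoded for c in "%\\\x00"):
        return None
    # Collapse "//", "/./" and "/../" before testing the prefix.
    normalized = posixpath.normpath(decoded)
    # POSIX normpath preserves exactly two leading slashes; fold them.
    return "/" + normalized.lstrip("/")


def is_public(path):
    # Match on a segment boundary so "/publicity" is not treated as public.
    return path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/")


def gate(raw_path, from_inside_vpc):
    """Return (status, forwarded_path): (404, None) or (None, path)."""
    if from_inside_vpc:
        return (None, raw_path)  # internal traffic is not restricted
    path = canonical_path(raw_path)
    if path is None or not is_public(path):
        return (404, None)
    return (None, path)  # forward the normalized path, not the raw one


if __name__ == "__main__":
    # Constructed sample requests, all arriving from outside the VPC.
    for p in ["/public/courses", "/publicity", "/public/../admin",
              "/public/%2e%2e/admin", "/public/%252e%252e/admin", "/admin"]:
        print(p, gate(p, from_inside_vpc=False))
```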