As schools strive to provide a safe digital environment, the ingenuity of students often leads them to seek “workarounds.” One of the most common methods for bypassing content filters is the use of web proxies. For education leaders, understanding these tools is not just about enforcing rules; it is critical for your safeguarding duty and data protection strategy.

How web proxies work

A web proxy essentially is a self-appointed middleman that sits between a student’s device and the wider internet. When a student visits a proxy site, they aren’t accessing the rest of the web directly. Instead, they provide a URL to the proxy, which then goes out and fetches that content on their behalf. Because the proxy server is the one technically requesting the page, it effectively masks the school’s IP address with its own. This is the core of the problem for school filters: the network only sees a connection to the proxy server itself, which often hasn’t been flagged as restricted, rather than the blocked site the student is actually viewing.

Once the proxy receives the requested webpage, it displays the page within its own interface and back to the student’s browser. This could allow restricted content to slip through traditional URL blocks. For school safeguarding leaders, it creates a blind spot where a seemingly “safe” connection is actually a gateway to unmonitored and potentially harmful content.

The dangers of “free” proxies

While students see proxies as a tool for freedom, free proxy services are not only a safeguarding risk of students accessing harmful content, but can also bring vulnerabilities to the school network, including:

1. Data harvesting: Many free services monetise by collecting browsing data, including login credentials and session tokens.
2. Malware injection: These sites frequently inject malicious scripts or intrusive advertising into the rewritten pages.
3. Man-in-the-Middle (MitM) attacks: Proxies often strip HTTPS encryption. This allows the proxy provider to intercept sensitive data, from private messages to passwords if used on the same network.

Building your defence to proxy use

To mitigate the risks posed by proxies, we recommend a multi-layered approach to network management:

• Advanced DNS Filtering: Utilise services like Cisco Umbrella to block domains before they resolve. Ensure “Proxy Avoidance” and “Anonymiser” categories are strictly enforced.
• Endpoint Management: Deploy Managed Device Policies through tools like Microsoft Intune. This prevents students from manually changing DNS settings on their local machines to bypass network-level restrictions.
• SSL Inspection: Implementing deep packet inspection can help identify encrypted proxy traffic that standard filters might miss.