How can we safely lock down a Facebook development environment tunneled out to the public internet?
We run a per-developer development environment, with each developer workstation SSH-tunnelled out from our office to the public internet so we can test integration with Facebook canvas apps and Facebook callbacks to our URLs.
How can we limit access to this environment so Facebook servers can access our servers, cross domain authentication will work for our developers, but no random members of the public can stumble upon our development servers?
Currently the Facebook IP range is unknown, so we don't know where our open graph callbacks are coming from.
You can sandbox your application.
That way only administrators & developers of the application can interact & see the application.
You can switch your Facebook application to sandbox mode by going to: https://developers.facebook.com/apps
On the Edit Settings page of the current application, choose Settings->Advanced->Sandbox Mode.