Skip to content

SSRF Protection

Server-Side Request Forgery (SSRF) is a critical vulnerability class where an application is tricked into making requests to internal or unintended network locations.

The URL Media Inspector implements a strict, multi-layer defense against SSRF.

How it Works

  1. DNS Resolution: Before initiating an HTTP connection, the target hostname is resolved to an IP address.
  2. IP Verification: The resolved IP address is verified against a strict denylist of internal networks.
  3. Connection Pinning: The HTTP request is established directly to the verified IP address using the original hostname in the Host header, preventing DNS rebinding attacks.

Blocked Ranges

The system strictly blocks connections to the following subnets:

  • 127.0.0.0/8 (Localhost)
  • 10.0.0.0/8 (Private Network)
  • 172.16.0.0/12 (Private Network)
  • 192.168.0.0/16 (Private Network)
  • 169.254.0.0/16 (AWS/GCP Metadata Service)
  • 0.0.0.0/8 (Current Network)

Handling Redirects

When follow_redirects is enabled, the SSRF verification process repeats for every hop in the redirect chain. If a remote server redirects to an internal IP, the request is immediately aborted with an SSRF_BLOCKED error code.

Infrastructure Documentation — Behavior-Driven, Schema-Governed