LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

How do you prevent Server-Side Request Forgery (SSRF)?

Don't let user input decide the destination URL; if you must, allowlist permitted domains, block internal IP ranges and cloud metadata endpoints, and segregate the network so outbound-fetching servers can't reach sensitive internals.

SSRF Countermeasures:

  1. No user-supplied input in URLs - Don't let users control destination URLs
  2. Whitelist-based input validation - Only allow specific, known-good URLs/domains
  3. Network segregation - Isolate servers that make outbound requests

Additional measures:

  • Block requests to internal IP ranges (10.x, 172.16.x, 192.168.x, 127.x)
  • Block cloud metadata endpoints
  • Use allowlist of permitted external domains
  • Disable unnecessary URL schemes (file://, gopher://)

From Quiz: SPRG / OWASP Top 10 | Updated: Jun 20, 2026