Quiz Entry - updated: 2026.06.20
How do you prevent Server-Side Request Forgery (SSRF)?
Don't let user input decide the destination URL; if you must, allowlist permitted domains, block internal IP ranges and cloud metadata endpoints, and segregate the network so outbound-fetching servers can't reach sensitive internals.
SSRF Countermeasures:
- No user-supplied input in URLs - Don't let users control destination URLs
- Whitelist-based input validation - Only allow specific, known-good URLs/domains
- Network segregation - Isolate servers that make outbound requests
Additional measures:
- Block requests to internal IP ranges (10.x, 172.16.x, 192.168.x, 127.x)
- Block cloud metadata endpoints
- Use allowlist of permitted external domains
- Disable unnecessary URL schemes (file://, gopher://)