[{"data":1,"prerenderedAt":225},["ShallowReactive",2],{"blog-glossary/ssrf":3},{"id":4,"title":5,"body":6,"category":201,"date":202,"dateModified":202,"description":203,"draft":204,"extension":205,"faq":206,"featured":204,"headerVariant":210,"image":211,"keywords":211,"meta":212,"navigation":213,"ogDescription":214,"ogTitle":211,"path":215,"readTime":216,"schemaOrg":217,"schemaType":218,"seo":219,"sitemap":220,"stem":221,"tags":222,"twitterCard":223,"__hash__":224},"blog/blog/glossary/ssrf.md","What is SSRF? Server-Side Request Forgery",{"type":7,"value":8,"toc":192},"minimark",[9,21,26,33,37,72,76,102,106,130,139,161,180],[10,11,12],"tldr",{},[13,14,15,16,20],"p",{},"SSRF (Server-Side Request Forgery) tricks your server into making requests to places it shouldn't. If your app fetches URLs provided by users, attackers can make it fetch internal resources like ",[17,18,19],"code",{},"http://localhost/admin"," or cloud metadata endpoints. Prevent it by validating and allowlisting URLs before fetching them.",[22,23,25],"h2",{"id":24},"the-simple-explanation","The Simple Explanation",[13,27,28,29,32],{},"You have a feature that imports images from URLs. A user gives you a URL, your server fetches it. An attacker provides ",[17,30,31],{},"http://169.254.169.254/latest/meta-data/"," (AWS metadata endpoint). Your server fetches it and returns cloud credentials. 
The server, sitting inside your network, can access things the attacker cannot directly reach.",[22,34,36],{"id":35},"common-ssrf-scenarios","Common SSRF Scenarios",[38,39,40,48,54,60,66],"ul",{},[41,42,43,47],"li",{},[44,45,46],"strong",{},"Image import:"," \"Provide a URL to import\"",[41,49,50,53],{},[44,51,52],{},"Webhooks:"," \"Send notifications to this URL\"",[41,55,56,59],{},[44,57,58],{},"URL preview:"," \"Fetch title and image from link\"",[41,61,62,65],{},[44,63,64],{},"PDF generation:"," \"Render this URL as PDF\"",[41,67,68,71],{},[44,69,70],{},"Proxy features:"," \"Fetch URL through our service\"",[22,73,75],{"id":74},"what-attackers-target","What Attackers Target",[38,77,78,84,90,96],{},[41,79,80,83],{},[44,81,82],{},"Cloud metadata:"," 169.254.169.254 (AWS, GCP, Azure)",[41,85,86,89],{},[44,87,88],{},"Internal services:"," localhost, 127.0.0.1, internal hostnames",[41,91,92,95],{},[44,93,94],{},"Private networks:"," 10.x.x.x, 192.168.x.x, 172.16.x.x",[41,97,98,101],{},[44,99,100],{},"Admin interfaces:"," Internal dashboards, databases",[22,103,105],{"id":104},"prevention","Prevention",[107,108,110,113,116,119,127],"prompt-box",{"title":109},"URL validation example",[13,111,112],{},"// async because the hostname lookup below is awaited\nasync function isUrlAllowed(url) {\nlet parsed;\n// Reject malformed input instead of letting new URL() throw\ntry { parsed = new URL(url); } catch { return false; }",[13,114,115],{},"// Only allow HTTPS\nif (parsed.protocol !== 'https:') return false;",[13,117,118],{},"// Block private IPs and localhost: check the resolved address, not the name\nconst ip = await resolveHostname(parsed.hostname);\nif (isPrivateIP(ip) || isLoopback(ip)) return false;",[13,120,121,122,126],{},"// Optional: allowlist specific domains\nconst allowed = [",[123,124,125],"span",{},"'example.com', 'trusted-cdn.com'","];\n// Match the exact host or a subdomain; a bare endsWith(d) would also accept evil-example.com\nif (!allowed.some(d => parsed.hostname === d || parsed.hostname.endsWith('.' + d))) return false;",[13,128,129],{},"return true;\n}",[131,132,133],"warning-box",{},[13,134,135,138],{},[44,136,137],{},"DNS rebinding warning:"," Attackers can make a domain resolve to a public IP initially, then change to an internal IP. 
Validate the resolved IP, not just the hostname. Resolve the hostname yourself, check that address, and then connect to that same validated address rather than letting the HTTP client resolve the name a second time.",[140,141,142,149,155],"faq-section",{},[143,144,146],"faq-item",{"question":145},"What can attackers do with SSRF?",[13,147,148],{},"SSRF lets attackers access internal services not exposed to the internet, read cloud metadata endpoints (AWS 169.254.169.254), scan internal networks, bypass firewalls, and potentially execute code on internal systems. In cloud environments, metadata endpoints can expose credentials.",[143,150,152],{"question":151},"How do I prevent SSRF?",[13,153,154],{},"Use allowlists for permitted domains and IP ranges. Block requests to private IP ranges and localhost. Do not trust user input for URLs. Use a URL parser to validate the destination before making requests. Consider using a proxy service that validates destinations.",[143,156,158],{"question":157},"Where does SSRF commonly occur?",[13,159,160],{},"SSRF commonly occurs in features that fetch URLs: webhooks, image/file imports from URLs, PDF generators that render URLs, RSS feed readers, and any feature that takes a URL as input and fetches its content on the server side.",[162,163,164,170,175],"related-articles",{},[165,166],"related-card",{"description":167,"href":168,"title":169},"Related attack category","/blog/glossary/injection","Injection",[165,171],{"description":172,"href":173,"title":174},"How to prevent SSRF","/blog/glossary/validation","Validation",[165,176],{"description":177,"href":178,"title":179},"Additional protection layer","/blog/glossary/firewall","Firewall",[181,182,185,189],"cta-box",{"href":183,"label":184},"/","Start Free Scan",[22,186,188],{"id":187},"find-ssrf-vulnerabilities","Find SSRF Vulnerabilities",[13,190,191],{},"Scan your app for SSRF and other security 
issues.",{"title":193,"searchDepth":194,"depth":194,"links":195},"",2,[196,197,198,199,200],{"id":24,"depth":194,"text":25},{"id":35,"depth":194,"text":36},{"id":74,"depth":194,"text":75},{"id":104,"depth":194,"text":105},{"id":187,"depth":194,"text":188},"glossary","2026-01-12","Learn what SSRF vulnerabilities are, how attackers exploit them, and how to prevent your server from making unauthorized requests.",false,"md",[207,208,209],{"question":145,"answer":148},{"question":151,"answer":154},{"question":157,"answer":160},"green",null,{},true,"SSRF tricks your server into making requests to internal systems. Learn how to prevent it.","/blog/glossary/ssrf","4 min read","[object Object]","DefinedTerm",{"title":5,"description":203},{"loc":215},"blog/glossary/ssrf",[],"summary_large_image","jPFtelvkfoulIwFgR71zparwxbt2dRokPFsFr2oGJqo",1775843922201]