Secured: Server-Side Request Forgery (SSRF) Mitigation Demo

🛡️ How SSRF Is Prevented Here

This demo shows how to protect your server from SSRF attacks by:

  • Validating URLs against an allowlist of safe, public domains.
  • Rejecting URLs pointing to internal IP addresses or localhost.
  • Allowing only HTTP and HTTPS protocols.
  • Parsing the URL and checking the hostname/IP before fetching.

This ensures attackers cannot force your server to connect to internal or cloud metadata services.

How to test this mitigation:

  1. Fetch allowed public URLs like https://jsonplaceholder.typicode.com/posts/1.
  2. Try internal IPs like http://127.0.0.1 or http://localhost. These should be blocked.
  3. Test cloud metadata URLs (e.g., AWS http://169.254.169.254/latest/meta-data/). These are also blocked.
  4. Unsupported schemes (like ftp://) or malformed URLs are rejected.
  5. Observe error messages explaining denied requests.

Note: The server performs strict URL validation before making requests.
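The validation described above, written out as an added example (not the demo's own server code): a scheme check, a localhost and non-public IP literal check, and a host allowlist, all applied to the parsed URL before any request is made. The allowlist contents and the function names are assumptions for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment lists its own trusted hosts.
ALLOWED_HOSTS = {"jsonplaceholder.typicode.com", "example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_non_public_ip(host):
    """True if host is an IP literal outside the globally routable ranges
    (loopback, private, link-local incl. 169.254.169.254, ::1, ...)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; the allowlist decides below
    return not ip.is_global


def validate_url(url):
    """Return (allowed, reason). Pure parsing: no DNS lookups, no network access.
    A complete mitigation also re-checks the IP the host resolves to at connect
    time and does not follow redirects; that part is deliberately omitted here."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme or '<none>'}' is not allowed"
    # .hostname is lowercased, strips userinfo (user@host) and IPv6 brackets,
    # so tricks like http://trusted.example@127.0.0.1/ are judged on 127.0.0.1.
    host = parts.hostname
    if not host:
        return False, "missing hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    if is_non_public_ip(host):
        return False, f"non-public IP address {host} is not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host '{host}' is not on the allowlist"
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://jsonplaceholder.typicode.com/posts/1", "http://127.0.0.1",
              "http://localhost", "http://169.254.169.254/latest/meta-data/",
              "ftp://example.com/", "http://[::1]/", "http://example.com@127.0.0.1/"]:
        print(u, "->", validate_url(u))
```

Because the allowlist is the final gate, alternative spellings of an internal address that are not parsed as IP literals (decimal or shortened forms) are still rejected, just with the allowlist reason instead of the IP reason.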
