Recipe: SSRF defense + URL filter
Prevent server-side request forgery by validating every outbound URL against a strict allowlist before your application makes a fetch.
Why SSRF matters
SSRF lets an attacker coerce your server into making requests to internal services, cloud metadata endpoints, or loopback addresses. Without a filter, any user-supplied URL becomes a pivot point.
The allowlist pattern
Maintain a static list of permitted schemes, hosts, and ports. Reject everything else before the request leaves your process. Block private IP ranges, link-local addresses, and the loopback interface explicitly.
const ALLOWED = [
"https://api.trusted-vendor.com",
"https://cdn.example.net",
];
function validateUrl(raw: string): URL {
const parsed = new URL(raw);
if (parsed.protocol !== "https:") throw 0;
if (!ALLOWED.includes(parsed.origin)) throw 0;
return parsed;
}DNS rebinding guard
Resolve the hostname once, then pin the connection to that IP. If your HTTP client supports it, use a custom dialer that reuses the resolved address so a second DNS lookup cannot redirect you mid-request.
Response clamping
Cap response size, timeout slow connections, and never pipe raw response bodies back to the caller. Parse and sanitize before forwarding any data.
This recipe is part of the Meridian defense cookbook. Combine it with the egress firewall recipe for defense in depth.