Ssrf Filter

Note: introduced in 1.2.0.

The :ssrf_filter plugin prevents server-side request forgery attacks, by blocking requests to the internal network. This is useful when the URLs used to perform requests aren’t under the developer control (such as when they are inserted via a web application form).

http = HTTPX.plugin(:ssrf_filter)

# this works
response = http.get("")

# this doesn't
response = http.get("http://localhost:3002")
response = http.get("http://[::1]:3002")
response = http.get("") # AWS instance metadata endpoint


This plugin is based on the ssrf_filter gem for net-http.

Next: Callbacks