Easy way is on the system: use a DNS server with rebinding protection (most do) and just disable IPv6. That just leaves simple input validation for IPv4 RFC 1918/link-local; could just block IPv4 URLs completely.
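The host check described in that reply, written out as an added example (not code from anyone in this thread): it resolves the host once, rejects RFC 1918, link-local, loopback, CGNAT and IPv4-mapped/NAT64 IPv6 answers, can refuse any IPv6 answer at all (the "just disable IPv6" option) and IP-literal URLs, and returns the single address the HTTP client should dial so that the checked answer is the one actually used. Function and option names are my own; `ipaddress.is_private` is used for the standard non-public ranges and the two extra prefixes are added because the stdlib does not flag them.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

EXTRA_BLOCKED = [  # not flagged non-public by the stdlib, but must be here
    ipaddress.ip_network("100.64.0.0/10"),  # CGNAT shared space
    ipaddress.ip_network("64:ff9b::/96"),   # NAT64 prefix carrying an IPv4
]

def is_forbidden_ip(addr: str) -> bool:
    """True if a server-side fetch must never connect to this address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in EXTRA_BLOCKED))

def _system_resolve(host: str) -> list[str]:
    # Every A/AAAA answer the OS resolver returns for host.
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({ai[4][0] for ai in infos})

def check_url(url: str, resolve=_system_resolve, allow_ipv6: bool = True,
              allow_ip_literals: bool = False) -> str:
    """Validate a URL for a server-side fetch; return the address to dial.
    Connect to that address (with the original name as Host/SNI) rather
    than resolving again: a second lookup is the rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # brackets already stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = False  # also 0x7f.1-style spellings: resolved, checked below
    if literal and not allow_ip_literals:
        raise ValueError("IP-literal URLs are not allowed")
    addrs = [host] if literal else resolve(host)
    if not addrs:
        raise ValueError("host did not resolve")
    for a in addrs:  # every answer must pass, not just the first
        if not allow_ipv6 and ipaddress.ip_address(a).version == 6:
            raise ValueError(f"IPv6 answer rejected: {a}")
        if is_forbidden_ip(a):
            raise ValueError(f"non-public address rejected: {a}")
    return addrs[0]
```

The `resolve` parameter exists so the check can be exercised against a fixed table without network access; in production leave it at the default and pass the returned address, not the hostname, to the client.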
nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m Question: how TF do I prevent SSRF without setting up an outbound proxy server? Doing a DNS lookup I assume will destroy performance, and caching the lookup makes it vulnerable to timing attacks. The internet is broken.
Discussion
nostr:npub1d0npefkxtfkcptjdawvwkfu58japhjfaljt4hqtpq2xqn8pt2nwqdjahqw nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 This is correct (and what I would recommend to a client/org), but this is a hard sell for FOSS projects where you don’t control the OS or network layer. The best OSS projects can do is include a bunch of init runtime checks for the vulns and warn that external (to the software) config changes need to be made for security.
Then you get 9,999 GitHub tickets asking “how do I enable DNS rebind protection for
Why disable IPv6? What security value does it offer?