Replying to Alex Gleason

nostr:npub18994crjwnldrukwym5lz3y2nae84s84v20m2rkngtjnyg549lr6qvxmd6m question, how TF do I prevent SSRF without setting up an outbound proxy server? Doing DNS lookup I assume will destroy performance, and caching the lookup makes it vulnerable to timing attacks. The internet is broken

nostr:npub108pv4cg5ag52nq082kd5leu9ffrn2gdg6g4xdwatn73y36uzplmq9uyev6 like you mentioned, resolving DNS and inspecting the records is the only foolproof way. You’d want to disable the AWS/GCP metadata endpoints, 127.0.0.1/localhost, and maybe even all RFC1918 addresses.

The cheating way is to not do any of that and allow arbitrary GETs, BUT fix the issue elsewhere. Disable metadata API (and put a check at program startup), don’t run unauthenticated local services, make the result blind (so the SSRF can’t be used as an intranet port scanner).
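An added example, not part of the original thread: the resolve-and-inspect check the reply describes, in Python. The function names and the exact blocklist are assumptions of this example; it returns the vetted IPs so the caller connects to those instead of resolving the name a second time.

```python
import ipaddress
import socket

# Destinations refused for server-side fetches: loopback, RFC1918, and
# link-local (169.254.0.0/16 contains the 169.254.169.254 metadata address),
# plus the IPv6 equivalents. Assumed list; extend it for your own network.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked(addr):
    """True if addr (an IP literal) falls in any blocked network."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot dodge the v4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def resolve_and_pin(host, port, resolver=socket.getaddrinfo):
    """Resolve once, reject the host if ANY record is blocked, return the IPs.

    The caller must open the socket to one of the returned IPs (sending the
    original name only as Host header / SNI). Connecting by hostname would
    trigger a second lookup that may return a different answer. Every
    redirect target has to go through this function again.
    """
    infos = resolver(host, port, type=socket.SOCK_STREAM)
    addrs = list(dict.fromkeys(info[4][0] for info in infos))  # dedupe, keep order
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    bad = [a for a in addrs if is_blocked(a)]
    if bad:
        raise ValueError(f"{host} resolves to blocked address(es): {bad}")
    return addrs

if __name__ == "__main__":
    # Constructed resolver answers (no network needed): one public record
    # mixed with a loopback record must fail as a whole.
    def fake(records):
        return lambda h, p, type=0: [(2, 1, 6, "", (r, p)) for r in records]
    print(resolve_and_pin("ok.example", 443, resolver=fake(["93.184.216.34"])))
    try:
        resolve_and_pin("mixed.example", 80, resolver=fake(["93.184.216.34", "127.0.0.1"]))
    except ValueError as e:
        print("rejected:", e)
```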
