Expand description
AntiSSRF — Microsoft’s SSRF Prevention Library for Rust
A Rust implementation of Microsoft’s AntiSSRF library for preventing Server-Side Request Forgery (SSRF) attacks.
SSRF occurs when an attacker tricks a server into making requests to unintended destinations — typically internal services, cloud metadata endpoints, or restricted networks. This crate provides layered defenses against such attacks by validating URLs, IP addresses, headers, and redirect chains before any network request is issued.
§Architecture
The library is organized into three layers:
| Layer | Module | Purpose |
|---|---|---|
| Policy | policy | Configure blocking rules, allowlists, and required headers |
| Validation | uri_validator, cidr | Static checks for domains, CIDR ranges, and IP addresses |
| Network | network (reqwest feature) | reqwest middleware that enforces policy on every request and redirect |
§Quick Start
Build a policy that blocks all internal/sensitive IP ranges and then
wrap a reqwest client with enforcement middleware:
use antissrf::{AntiSSRFPolicy, PolicyConfigOptions};
use antissrf::network::reqwest_integration::AntiSSRFClientBuilder;
let policy = AntiSSRFPolicy::new(PolicyConfigOptions::ExternalOnlyLatest);
let client = AntiSSRFClientBuilder::new(policy)
.build_with_middleware()?;
// Any request to a forbidden IP (e.g. 169.254.169.254) is rejected
// before a TCP connection is opened.§Feature Flags
| Flag | Default | Description |
|---|---|---|
reqwest-integration | Yes | Enables network module with reqwest / reqwest-middleware / tower support |
Disable the default features if you only need static validation:
[dependencies]
antissrf = { version = "0.1.1", default-features = false }§Usage Patterns
§Static IP / CIDR validation
Use CIDRBlock and the constants in ip_address_ranges
directly when you don’t need a full policy:
use antissrf::CIDRBlock;
use antissrf::ip_address_ranges::RECOMMENDEDV1;
let imds = CIDRBlock::parse("169.254.169.254/32")?;
assert!(imds.contains("169.254.169.254".parse()?));
// Recommended set covers IMDS, WireServer, loopback, RFC 1918, etc.
let recommended: Vec<CIDRBlock> = RECOMMENDEDV1
.iter()
.map(|s| CIDRBlock::parse(s).unwrap())
.collect();§Domain allowlisting
URIValidator checks whether a URL belongs to a
trusted domain or an Azure service domain:
use antissrf::URIValidator;
assert!(URIValidator::in_domain("https://api.trusted.com/v1", &["trusted.com"]));
assert!(!URIValidator::in_azure_key_vault_domain("https://evil.com"));§Fine-grained policy configuration
AntiSSRFPolicy supports allowlists,
custom denylists, header enforcement, and protocol restrictions:
use antissrf::{AntiSSRFPolicy, PolicyConfigOptions, AntiSSRFError};
let mut policy = AntiSSRFPolicy::new(PolicyConfigOptions::ExternalOnlyLatest);
policy.set_allow_plaintext_http(false)?; // deny http://
policy.add_required_headers(&["X-Request-ID"])?;
policy.add_denied_headers(&["X-Internal-Auth"])?;
let mut headers = vec![
("X-Request-ID".to_string(), "abc123".to_string()),
];
assert!(policy.validate_request("https:", &mut headers)?);§Security Considerations
- Validate after DNS resolution — IP checks must be performed on resolved addresses, not on the original hostname, to catch DNS rebinding attacks.
- Re-validate every redirect — A benign initial URL may redirect to a
forbidden internal endpoint. The
networkmiddleware enforces this automatically. - IPv6 normalization — All IPv4 addresses are mapped to the IPv6-mapped
form (
::ffff:x.x.x.x) before CIDR checks. Ensure your allow/deny lists account for this. - Header case-insensitivity — Header names are compared case-insensitively per RFC 7230, but header values are compared exactly.
- Policy immutability — Once built, a policy cannot be modified (edit-lock). Create a new policy if requirements change.
§References
§Crate Map
| Module | Description |
|---|---|
policy | AntiSSRFPolicy — central configuration object |
error | AntiSSRFError — error variants with clear security semantics |
cidr | CIDRBlock — parsing and IP containment with IPv6 normalization |
ip_address_ranges | Static constants for RFC special-purpose IP ranges |
domains | Azure cloud domain suffixes |
uri_validator | URIValidator — domain and Azure service validation |
network | reqwest middleware integration |
Re-exports§
pub use cidr::CIDRBlock;pub use error::AntiSSRFError;pub use policy::AntiSSRFPolicy;pub use policy::PolicyConfigOptions;pub use uri_validator::URIValidator;
Modules§
- cidr
- CIDR block parsing and IP range containment for AntiSSRF protection.
- domains
- Well-known Azure service domains for URL validation.
- error
- Error types for AntiSSRF operations.
- ip_
address_ ranges - Static IP address ranges for AntiSSRF protection.
- network
- reqwest integration for AntiSSRF protection.
- policy
- Policy configuration and request validation.
- uri_
validator - URL and domain validation utilities for AntiSSRF protection.
Type Aliases§
- Result
- Result type alias for AntiSSRF operations.