Expand description
SSRF (Server-Side Request Forgery) defense helpers.
Canonical IP-classification logic shared by every outbound HTTP client in the workspace. Centralising this prevents drift between crates (e.g. one allowing ULA, another not) and makes the rule set auditable in one place.
Blocking policy:
- IPv4: private, loopback, link-local, broadcast, multicast, unspecified, 0.0.0.0/8, CGN (100.64.0.0/10), benchmark (198.18.0.0/15), reserved future-use (240.0.0.0/4)
- IPv6: loopback, multicast, unspecified, ULA (fc00::/7), link-local (fe80::/10), deprecated site-local (fec0::/10)
Public, routable addresses always return false. Domain-name validation
is the caller’s responsibility — this helper operates on IpAddr.
Enums§
- Ssrf
Policy - SSRF validation policy for outbound HTTP clients.
Functions§
- is_
ssrf_ blocked_ ip - Returns
trueifipbelongs to a network that must NOT be reached by an outbound HTTP client in this workspace.