pub async fn guarded_get(
client: &Client,
url: &str,
extra_headers: &[(HeaderName, HeaderValue)],
) -> Result<Response>Expand description
Fetch a user-supplied URL through the full SSRF guard: scheme + IP checks on the initial URL and on every redirect hop, following redirects manually.
The passed client is used only as a policy reference; each hop is actually
sent through a freshly-built [pinned_client] whose DNS for the target host
is pinned to the exact IP that just passed [resolve_and_check] — so the
connect can’t be rebound onto an internal address between the check and the
TCP handshake.
extra_headers are applied to every hop (e.g. the conditional-GET
If-None-Match / If-Modified-Since validators). Returns the final
Response (headers only; the body is read separately via read_capped).
Err on a blocked scheme/address, an exhausted redirect budget, or a
transport error.