pub fn safe_https_validator() -> UrlValidatorExpand description
Helper: default-deny HTTPS validator with SSRF protection.
Requires the https scheme, then rejects the URL when its host is —
or resolves to — a loopback, private, link-local, unique-local,
carrier-grade-NAT, broadcast, documentation, or unspecified address.
This is the default for ExternalLocationConfig::new because the
unary HTTP path resolves a client-supplied vgi_rpc.location
server-side; without this a client could pivot the server into
fetching https://169.254.169.254/... or an internal service.
Note: a hostname is resolved here and again at fetch time, so a
DNS-rebinding attacker could still slip through the gap. Pair this
with a redirect-free, size-capped fetcher (the bundled HttpFetcher
is both) and, for high-assurance deployments, an egress firewall.