ssrf

package
v0.11.6 Latest
Warning: This package is not in the latest version of its module.
Published: Mar 19, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrPrivateIP is returned when a connection to a private or internal IP is blocked.
	ErrPrivateIP = errors.New("connection to private or internal IP address is not allowed")
	// ErrInvalidScheme is returned when a URL scheme is not http or https.
	ErrInvalidScheme = errors.New("URL must use http or https scheme")
	// ErrInvalidURL is returned when a URL is invalid.
	ErrInvalidURL = errors.New("invalid URL")
)

Functions

func NewSecureClient

func NewSecureClient() *http.Client

NewSecureClient returns an HTTP client with SSRF protection. It validates resolved IPs at dial time to block connections to private and internal networks. Hostnames are resolved and the validated IP is used directly in the dial call to prevent DNS rebinding (TOCTOU between validation and connection). Redirects are disabled to match the webhook client convention and prevent redirect-based SSRF.

func ValidateIPBeforeDial

func ValidateIPBeforeDial(ip net.IP) error

ValidateIPBeforeDial validates an IP address before establishing a connection. This prevents DNS rebinding attacks by checking the resolved IP at dial time.

func ValidateURL

func ValidateURL(rawURL string) error

ValidateURL validates that a URL is safe to make requests to. It checks that the scheme is http/https, the hostname is not localhost, and all resolved IPs are public.
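The three functions above describe one pattern: check the URL statically, resolve the host, reject any non-public address, and then connect to the validated IP literal so that a second DNS lookup cannot move the connection to an internal target. The following is an added example written for this page, not the ssrf package's own code. The names isBlockedIP, resolvePublicIP, validateURL, pinnedDialer and newSecureClient, the injectable lookupFunc, and the constructed hosts good.example and rebind.example are assumptions. It generalises slightly beyond the documented checks: it also unwraps IPv4-mapped IPv6 literals (::ffff:127.0.0.1) and rejects a resolver answer that mixes public and private addresses.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Sentinel errors, modelled on the ones the ssrf package documents.
var (
	errBlockedIP = errors.New("connection to private or internal IP address is not allowed")
	errBadScheme = errors.New("URL must use http or https scheme")
	errBadURL    = errors.New("invalid URL")
)

// isBlockedIP: loopback, private, link-local (incl. the 169.254.169.254 metadata endpoint), multicast, unspecified.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 predicates apply
	}
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

type lookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error) // DNS seam; tests inject a fake

// resolvePublicIP returns an address that is safe to connect to. Every resolved address
// must pass isBlockedIP: an answer mixing a public and a private IP is rejected outright.
func resolvePublicIP(ctx context.Context, host string, lookup lookupFunc) (net.IP, error) {
	if strings.EqualFold(host, "localhost") {
		return nil, errBlockedIP
	}
	if ip := net.ParseIP(host); ip != nil { // IP literal: no DNS involved
		if isBlockedIP(ip) {
			return nil, errBlockedIP
		}
		return ip, nil
	}
	addrs, err := lookup(ctx, host)
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("resolving %q: %w", host, errBadURL)
	}
	for _, a := range addrs {
		if isBlockedIP(a.IP) {
			return nil, errBlockedIP
		}
	}
	return addrs[0].IP, nil
}

// validateURL is the pre-request check: http/https only, not localhost, all resolved IPs public.
func validateURL(ctx context.Context, rawURL string, lookup lookupFunc) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return errBadURL
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errBadScheme
	}
	_, err = resolvePublicIP(ctx, u.Hostname(), lookup)
	return err
}

// pinnedDialer re-validates at dial time and dials the validated IP literal, not the
// hostname, so a second lookup cannot hand the connection to a different, internal address.
type pinnedDialer struct {
	lookup lookupFunc
	dial   func(ctx context.Context, network, addr string) (net.Conn, error)
}

func (d *pinnedDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, errBadURL
	}
	ip, err := resolvePublicIP(ctx, host, d.lookup)
	if err != nil {
		return nil, err
	}
	return d.dial(ctx, network, net.JoinHostPort(ip.String(), port))
}

// newSecureClient wires the pinned dialer into an http.Client and refuses redirects. http.Transport
// still takes the TLS ServerName from the request URL, so certificate verification is unaffected.
func newSecureClient(lookup lookupFunc) *http.Client {
	d := &pinnedDialer{lookup: lookup, dial: (&net.Dialer{Timeout: 10 * time.Second}).DialContext}
	return &http.Client{
		Transport:     &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

func main() {
	lookup := net.DefaultResolver.LookupIPAddr // real DNS; tests inject a constructed resolver
	fmt.Println(validateURL(context.Background(), "http://169.254.169.254/latest/meta-data/", lookup))
	_ = newSecureClient(lookup)
}
```

Two caveats for anyone adapting this. net.IP.IsPrivate (Go 1.17+) covers only RFC 1918 and fc00::/7; 0.0.0.0/8, the CGNAT range 100.64.0.0/10, 198.18.0.0/15 and 240.0.0.0/4 are not rejected by any net.IP predicate and need an explicit CIDR list if those ranges are reachable from the host. And because redirects are refused, the caller receives the 3xx response itself; if it chooses to follow Location manually, it must run the same validation on the new URL, otherwise the redirect becomes the SSRF vector the client was built to block.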

Types

This section is empty.
