# SSRF Prevention and Server-Side Protections

One-sentence definition: Stop server-side fetches (URL previews, webhooks, image proxies, importers) from reaching internal services or cloud metadata endpoints.

## Key Facts

- Never fetch an arbitrary user-supplied URL. Allowlist scheme (http/https only), host and path; reject userinfo tricks such as `http://allowed@evil/`.
- Resolve the allowlisted host, check every returned address (A and AAAA), and connect to the address you checked. If the HTTP client resolves again at connect time, a DNS-rebinding answer can swing the fetch to an internal IP after validation passed.
- Block IP ranges on the resolved address, not on the URL string: loopback (127.0.0.0/8, ::1), RFC 1918, link-local (169.254.0.0/16 and fe80::/10; this is what covers the cloud metadata endpoint 169.254.169.254), IPv6 unique-local (fc00::/7), 0.0.0.0, and IPv4-mapped IPv6 forms such as `::ffff:10.0.0.1`.
- Do not auto-follow redirects; treat each `Location` header as fresh untrusted input and re-run the same checks.
- Force egress via an authenticated proxy that enforces the allowlist independently of the application; strip the caller's headers and credentials from the outbound request; constrain methods (GET only where possible) and cap response size and time.
- Defense in depth on the cloud side: require the token-based metadata service (for example AWS IMDSv2, which needs a PUT to obtain a session token, so a plain GET from an SSRF returns nothing).
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Recognize the metadata endpoint (169.254.169.254) as the classic SSRF target: it hands instance credentials to any process on the host, including the vulnerable fetcher.
- Know why an allowlist beats a blocklist (alternate IP encodings, rebinding and redirects all bypass string blocklists) and why the check belongs on the resolved IP.

**Mnemonic:** "**Don't fetch strangers**."

## Mini Scenario

Q: An image fetcher accepts `http://169.254.169.254/`. What is the risk?

A: The server fetches the cloud metadata service and returns instance credentials (for example IAM role keys) to the attacker. Fix: allowlist destination hosts, deny link-local and other internal ranges on the resolved address, disable redirect following, and route fetches through an authenticated egress proxy; require token-based metadata access (IMDSv2-style) as defense in depth.

## Revision Checklist

- Allowlist vs blocklist for SSRF (and why blocklists get bypassed).
- Egress control (authenticated proxy, method limits, header stripping).
- IP re-check reason (DNS rebinding between validation and connect; redirects as new input).

## Related

[[API Security Fundamentals (REST GraphQL gRPC)]] · [[Secure HTTP Headers (HSTS Frame Ancestors CORS)]] · [[File Upload Security and Path Traversal]] · [[Secure Error Handling and Logging for Apps]] · [[Domain 8 - Index]]
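The allowlist, resolve, deny-range and re-check flow described in Key Facts, as an added Python example (this is not code from the page or from any named project). The hosts `images.example.com`/`cdn.example.com`, ports 80/443, the deny list, the class and function names, and the addresses `93.184.216.34`/`10.0.0.5` are all hypothetical or constructed for the demonstration; `system_resolver` is the only part that touches the network, via `socket.getaddrinfo`, and every other path runs offline with an injected resolver.

```python
"""SSRF-safe destination check for a server-side fetcher (added example, not from the page)."""
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist for an image fetcher; real values are deployment-specific.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_PORTS = {80, 443}

# Explicit deny ranges on top of what the ipaddress module already flags.
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                      # 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # RFC 6598 shared space (VPC/NAT side)
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback; link-local incl. 169.254.169.254
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, unique-local, link-local
)]


class SsrfRejected(ValueError):
    """The URL failed a server-side fetch check: log it, do not fetch."""


@dataclass(frozen=True)
class FetchPlan:
    scheme: str
    host: str   # original name: goes in the Host header and TLS SNI
    ip: str     # the address that passed the check: connect to THIS, not to host
    port: int
    path: str


def is_forbidden_ip(ip_str: str) -> bool:
    """True for loopback/private/link-local/etc., after unwrapping IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    if (ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in FORBIDDEN_NETS)


def system_resolver(host: str) -> set:
    """Resolve host to ALL its A/AAAA records; one internal record is enough to reject."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)}


def validate_and_pin(url: str, resolver=system_resolver) -> FetchPlan:
    """Allowlist scheme/host/port, resolve, deny bad ranges, then pin the checked IP."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.hostname is None or parts.username or parts.password:
        raise SsrfRejected("missing host, or userinfo trick such as http://allowed@evil/")
    host = parts.hostname.rstrip(".")  # urlsplit already lowercases; drop trailing dot
    if host not in ALLOWED_HOSTS:
        raise SsrfRejected(f"host not on allowlist: {host!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:  # non-numeric or out-of-range port
        raise SsrfRejected(f"bad port: {exc}") from None
    if port not in ALLOWED_PORTS:
        raise SsrfRejected(f"port not allowed: {port}")
    addrs = resolver(host)
    if not addrs:
        raise SsrfRejected(f"{host!r} did not resolve")
    bad = sorted(a for a in addrs if is_forbidden_ip(a))
    if bad:
        raise SsrfRejected(f"{host!r} resolves to forbidden address(es): {bad}")
    # Pin the checked address. Letting the HTTP client resolve again at connect
    # time is the DNS-rebinding hole: the second answer may be 10.x or 169.254.x.
    return FetchPlan(parts.scheme, host, min(addrs), port, parts.path or "/")


def next_hop(plan: FetchPlan, location: str, resolver=system_resolver) -> FetchPlan:
    """A 30x Location is attacker-influenced input: re-run every check, never auto-follow."""
    base = f"{plan.scheme}://{plan.host}:{plan.port}{plan.path}"
    return validate_and_pin(urljoin(base, location), resolver)


class RebindingResolver:
    """Constructed test double: first answer is public, every later answer is internal."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host: str) -> set:
        self.calls += 1
        return {"93.184.216.34"} if self.calls == 1 else {"10.0.0.5"}


if __name__ == "__main__":
    rebinder = RebindingResolver()
    plan = validate_and_pin("http://images.example.com/cat.png", rebinder)
    print(f"connect to {plan.ip}:{plan.port} with Host: {plan.host}")  # pinned public address
    print("a second lookup would now return", rebinder(plan.host))     # {'10.0.0.5'}
```

The `FetchPlan` is the point of the pinning step: the fetcher must open the socket to `plan.ip` while sending `Host: plan.host` (and using `plan.host` as the TLS server name). Most HTTP client libraries re-resolve on connect, so either use a client that exposes a connection hook for this or run the same scheme/host/range checks again in the egress proxy, which sees the real destination address. The `RebindingResolver` shows the failure the pin prevents: validation sees a public address, the next lookup answers with 10.0.0.5.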