What is SSRF (Server-Side Request Forgery)?

Answer

SSRF (Server-Side Request Forgery) is an attack in which the attacker tricks the server into making HTTP requests to an attacker-specified target, typically internal systems that are not reachable from the internet. Example: an application fetches a URL supplied by the user, such as fetch(req.params.url); an attacker passes http://169.254.169.254/latest/meta-data/ (the AWS instance metadata service) and the server's response leaks IAM credentials. SSRF can expose internal APIs, cloud metadata, and internal databases, and it lets an attacker port-scan internal networks from the server's vantage point.

Prevention:
(1) Allowlist valid URL destinations: only allow known, trusted domains.
(2) Block private and reserved IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16), checking the address the hostname actually resolves to, not just the string in the URL.
(3) Disable HTTP redirects, or validate the final destination after each redirect, since an allowed host can redirect to an internal one.
(4) Route outbound requests through a dedicated egress proxy.
(5) Apply least privilege to outbound network access (egress firewall rules from the application host).

SSRF was added to the OWASP Top 10 2021 as category #10 (A10:2021) because of its prevalence in cloud environments.
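The allowlist and private-range checks from points (1) to (3), as an added example for a Node.js endpoint like the fetch(req.params.url) above. This is illustrative code, not from the original answer; the allowlist entries are constructed, and resolvedIp is assumed to come from the caller's own dns.lookup() of the hostname.

```javascript
// Constructed allowlist of hosts this service is permitted to fetch from.
const ALLOWED_HOSTS = new Set(["api.example.com", "images.example.com"]);
const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Loopback, "this network", RFC 1918 and link-local IPv4, which includes 169.254.169.254.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Loopback, unique-local (fc00::/7), link-local (fe80::/10) and dotted
// IPv4-mapped IPv6 (::ffff:10.0.0.1), which wraps a v4 address.
function isPrivateIPv6(ip) {
  const v6 = ip.toLowerCase();
  if (v6 === "::1" || v6 === "::") return true;
  if (/^(fc|fd|fe[89ab])/.test(v6)) return true;
  const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return mapped ? isPrivateIPv4(mapped[1]) : false;
}

function isPrivateAddress(ip) {
  if (IPV4_RE.test(ip)) return isPrivateIPv4(ip);
  if (ip.includes(":")) return isPrivateIPv6(ip);
  return true; // not an address literal at all: treat as unsafe
}

// Returns null if the request may proceed, otherwise the reason it was rejected.
// resolvedIp is the address the caller obtained for url.hostname; the caller must
// connect to that exact address and re-run this check on every redirect hop
// (fetch with redirect: "manual"), so DNS rebinding and redirects cannot bypass it.
function checkOutboundUrl(rawUrl, resolvedIp) {
  let url;
  try { url = new URL(rawUrl); } catch { return "unparseable URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "scheme not allowed";
  if (url.username || url.password) return "credentials in URL";
  // The WHATWG URL parser normalises hex/decimal hosts (0x7f000001) to dotted form;
  // IPv6 literals keep their brackets in url.hostname, so strip them before testing.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (IPV4_RE.test(host) || host.includes(":")) return "IP literals not allowed";
  if (!ALLOWED_HOSTS.has(host)) return `host ${host} not on allowlist`;
  if (isPrivateAddress(resolvedIp)) return `resolves to private address ${resolvedIp}`;
  return null;
}
```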