SSRF Protection
How CueAPI prevents Server-Side Request Forgery attacks on callback URLs.
Overview
Server-Side Request Forgery (SSRF) attacks trick a server into making requests to internal or otherwise sensitive endpoints that the server can reach but the attacker cannot. Because CueAPI delivers webhooks to user-provided callback URLs, an attacker could otherwise point a callback at internal services or cloud metadata endpoints, so SSRF protection is critical.
What CueAPI blocks
Blocked IP ranges
| Range | Description |
|---|---|
| 127.0.0.0/8 | Loopback (localhost) |
| 10.0.0.0/8 | Private network |
| 172.16.0.0/12 | Private network |
| 192.168.0.0/16 | Private network |
| 169.254.0.0/16 | Link-local / cloud metadata |
| 0.0.0.0/8 | Unspecified ("this network") |
| 100.64.0.0/10 | Carrier-grade NAT (shared address space) |
| 198.18.0.0/15 | Benchmarking |
| ::1/128 | IPv6 loopback |
| fc00::/7 | IPv6 unique local (private) |
| fe80::/10 | IPv6 link-local |
Blocked hostnames
- `localhost`
- `metadata.google.internal`
- `metadata.internal`
Blocked URL features
- Embedded credentials: `https://user:pass@host.com` is rejected
- Non-HTTPS schemes (in production): `http://`, `ftp://`, `file://` and `javascript:` URLs are rejected
- No hostname: URLs without a hostname are rejected
How validation works
- Parse URL — extract scheme, hostname and any embedded credentials
- Check scheme — HTTPS is required in production (HTTP is also allowed in development)
- Check credentials — reject `user:pass@host`
- Check hostname — reject URLs with no hostname and URLs whose hostname is on the blocked list
- DNS resolution — resolve the hostname to its IP addresses
- Check IP ranges — reject if any resolved IP falls in a blocked range
DNS rebinding protection
CueAPI resolves the hostname at validation time (when the cue is created) and checks every resolved address against the blocked ranges, so a hostname that already points at a private, loopback or link-local address is rejected up front. A check made only at creation time does not, by itself, defeat DNS rebinding: in that attack the hostname resolves to a public address when it is validated and to a private one when the webhook is later delivered. Closing that gap requires repeating the resolution and range check at delivery time and connecting only to an address that passed it.
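The validation steps above, and the delivery-time re-check that the rebinding caveat calls for, as an added example. This is illustrative code written for this page, not CueAPI's implementation; the function names, the injectable `resolver` hook and the constructed DNS answers (`93.184.216.34` as a public address, `169.254.169.254` as the rebound metadata address) are assumptions. It also goes one step beyond the page's range table by unwrapping IPv4-mapped IPv6 literals such as `::ffff:127.0.0.1` before the range check, a common bypass of IPv4-only deny lists.

```python
"""Callback-URL validation following the documented steps.

Illustrative code written for this page, not CueAPI's implementation. The
resolver is injectable so the checks run offline against constructed answers.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

# The ranges listed in the table above.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10", "198.18.0.0/15",
    "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata.internal"}


class InvalidCallbackURL(ValueError):
    """Corresponds to the documented 400 invalid_callback_url response."""
    code = "invalid_callback_url"
    status = 400


def system_resolver(hostname: str) -> List[str]:
    """Default resolver: every A and AAAA answer the system resolver returns."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_ip(addr: str) -> bool:
    """True if addr is in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback in an IPv6 wrapper: judge the inner address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_callback_url(url: str, *, production: bool = True,
                          resolver: Callable[[str], Iterable[str]] = system_resolver
                          ) -> List[str]:
    """Apply the checks in the documented order; return the vetted addresses."""
    parts = urlsplit(url)                                         # 1. parse

    allowed = {"https"} if production else {"https", "http"}
    if parts.scheme not in allowed:                               # 2. scheme
        raise InvalidCallbackURL("Callback URL scheme is not allowed")

    if parts.username is not None or parts.password is not None:  # 3. credentials
        raise InvalidCallbackURL("Callback URL must not contain credentials")

    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:                                                  # 4. hostname
        raise InvalidCallbackURL("Callback URL has no hostname")
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        raise InvalidCallbackURL("Callback URL hostname is blocked")

    try:                                                          # 5. resolve
        ipaddress.ip_address(host)
        addrs = [host]             # IP literal: no DNS, but still range-checked
    except ValueError:
        try:
            addrs = list(resolver(host))
        except socket.gaierror:
            addrs = []
    if not addrs:
        raise InvalidCallbackURL("Callback URL hostname does not resolve")

    if any(is_blocked_ip(a) for a in addrs):                     # 6. ranges
        raise InvalidCallbackURL("Callback URL resolves to blocked address range")
    return addrs


def rejects(url: str, **kwargs) -> bool:
    """True if validate_callback_url refuses the URL."""
    try:
        validate_callback_url(url, **kwargs)
    except InvalidCallbackURL:
        return True
    return False


class RebindingResolver:
    """Constructed attacker DNS: public answer at validation, private afterwards."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, hostname: str) -> List[str]:
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["169.254.169.254"]


def rebinding_demo(url: str) -> Tuple[bool, bool]:
    """(accepted at creation, rejected at delivery) against a rebinding resolver.

    The same check re-run at delivery time is what catches the rebound answer.
    """
    dns = RebindingResolver()
    accepted_at_creation = not rejects(url, resolver=dns)
    rejected_at_delivery = rejects(url, resolver=dns)
    return accepted_at_creation, rejected_at_delivery


if __name__ == "__main__":
    print(rebinding_demo("https://hooks.example.com/cue"))   # (True, True)
```

The range check runs on every address the resolver returns, so a hostname with one public and one private answer is rejected, and IP literals bypass DNS but not the range check.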
Error responses
Invalid callback URLs return `400 invalid_callback_url`:

```json
{
  "error": {
    "code": "invalid_callback_url",
    "message": "Callback URL resolves to blocked address range",
    "status": 400
  }
}
```