AntiSSRFPolicy Class

Use Case

Use this class whenever your code fetches a URL that may point to an arbitrary or untrusted domain.

This use case addresses two distinct security scenarios. For requests to external endpoints, the policy enforces that IP addresses are not internal or special-use addresses, preventing URLs from being abused to gain access to internal resources. For requests to backend resources, the policy blocks all IP addresses except for specific ranges that you expect to see, ensuring that URLs cannot be used to exfiltrate data to unauthorized destinations.

Definition

The AntiSSRFPolicy allows you to customize security requirements for headers, IP addresses, and protocols. You can configure the policy using built-in settings or define your own custom rules. The policy then provides Node.js HTTP(S) agents that automatically enforce these security requirements on all outgoing requests made using those agents.

Constructors

Constructor | Description
AntiSSRFPolicy(PolicyConfigOptions) | Initializes a new instance of the AntiSSRFPolicy class with the specified initial configuration.

Properties

Property | Description
addXFFHeader | Determines whether to automatically add the X-Forwarded-For header to outgoing requests that don’t already include it.
allowedAddresses | List of IP networks that are explicitly allowed by the policy.
allowPlainTextHttp | Determines whether HTTPS is required or HTTP is allowed.
deniedAddresses | List of IP networks that are explicitly blocked by the policy.
deniedHeaders | List of headers that are forbidden from being included in outgoing requests.
denyAllUnspecifiedIPs | Determines whether all IP addresses should be blocked by default or only deniedAddresses should be blocked.
requiredHeaders | List of headers that are required to be present in outgoing requests.

Policy Customization Methods

Method | Description
addAllowedAddresses(string[]) | Adds IP networks to be explicitly allowed by the policy.
addDeniedAddresses(string[]) | Adds IP networks to be explicitly blocked by the policy.
addDeniedHeaders(string[]) | Adds headers to be explicitly blocked by the policy.
addRequiredHeaders(string[]) | Adds headers to be explicitly required by the policy.

Policy Use Methods

Method | Description
getHttpAgent(any) | Builds an http.Agent that will enforce the policy on all outgoing requests.
getHttpsAgent(any) | Builds an https.Agent that will enforce the policy on all outgoing requests.

Copyright © 2026 Microsoft Corporation. Distributed under the MIT license.