PHPackages jeffersongoncalves/laravel-ssrf-guard - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [HTTP & Networking](/categories/http) 4. / 5. jeffersongoncalves/laravel-ssrf-guard ActiveLibrary[HTTP & Networking](/categories/http) jeffersongoncalves/laravel-ssrf-guard ===================================== A Laravel package that protects outbound HTTP requests from SSRF (Server-Side Request Forgery): it validates that a URL's host resolves only to public IPs (denying private, reserved, loopback and link-local ranges by default), pins the connection to the validated IP to close the DNS-rebinding TOCTOU window, and performs safe GET requests that re-validate every redirect hop. 10PHPCI passing Since Jun 20Pushed today1 watchersCompare [ Source](https://github.com/jeffersongoncalves/laravel-ssrf-guard)[ Packagist](https://packagist.org/packages/jeffersongoncalves/laravel-ssrf-guard)[ RSS](/packages/jeffersongoncalves-laravel-ssrf-guard/feed)WikiDiscussions master Synced today READMEChangelog (2)DependenciesVersions (2)Used By (0) [![Laravel SSRF Guard](https://raw.githubusercontent.com/jeffersongoncalves/laravel-ssrf-guard/master/art/jeffersongoncalves-laravel-ssrf-guard.png)](https://raw.githubusercontent.com/jeffersongoncalves/laravel-ssrf-guard/master/art/jeffersongoncalves-laravel-ssrf-guard.png) Laravel SSRF Guard ================== [](#laravel-ssrf-guard) [![Latest Version on Packagist](https://camo.githubusercontent.com/31042dba7d7d56a2f4a8fc9c420b69ce76c60a2c6a982473af82c781ceffa9de/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d737372662d67756172642e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/jeffersongoncalves/laravel-ssrf-guard)[![GitHub Tests Action Status](https://camo.githubusercontent.com/934aeebe592b9ad824c872fc3c7b7d147da592d36223edffcf3fce0e80d5de86/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d737372662d67756172642f72756e2d74657374732e796d6c3f6272616e63683d6d6173746572266c6162656c3d7465737473267374796c653d666c61742d737175617265)](https://github.com/jeffersongoncalves/laravel-ssrf-guard/actions?query=workflow%3Arun-tests+branch%3Amaster)[![GitHub Code Style Action Status](https://camo.githubusercontent.com/f9508f46b76d82a3553c2b0e6b6e571c859a3340a41d96b77e0e90da7229a163/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d737372662d67756172642f6669782d7068702d636f64652d7374796c652d6973737565732e796d6c3f6272616e63683d6d6173746572266c6162656c3d636f64652532307374796c65267374796c653d666c61742d737175617265)](https://github.com/jeffersongoncalves/laravel-ssrf-guard/actions?query=workflow%3A%22Fix+PHP+code+styling%22+branch%3Amaster)[![Total Downloads](https://camo.githubusercontent.com/528edd9f5eeedf99d828cabd25f540a41bed9f053f07099df8f13b1540ceca40/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d737372662d67756172642e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/jeffersongoncalves/laravel-ssrf-guard) Whenever your application fetches a URL that came from a user — an avatar URL, a webhook target, a link preview, an imported `og:image` — it can be tricked into reaching **internal** services instead: `http://localhost`, `http://10.0.0.1`, or the cloud metadata endpoint `http://169.254.169.254`. That is **Server-Side Request Forgery (SSRF)**. Laravel SSRF Guard makes fetching untrusted URLs safe. It: - validates that a URL's host resolves **only** to public IP addresses, denying private, reserved, loopback and link-local ranges by default (both IPv4 `A` and IPv6 `AAAA` records); - **pins** the connection to the validated IP via curl's `CURLOPT_RESOLVE`, closing the DNS-rebinding (TOCTOU) window where a domain flips to an internal IP between validation and connection; - performs a safe `GET` that follows redirects but **re-validates every hop**, so a public host cannot `302` you into an internal one. Installation ------------ [](#installation) You can install the package via composer: ``` composer require jeffersongoncalves/laravel-ssrf-guard ``` You can publish the config file with: ``` php artisan vendor:publish --tag="ssrf-guard-config" ``` This is the published config file: ``` return [ 'timeout' => (int) env('SSRF_GUARD_TIMEOUT', 8), 'max_redirects' => (int) env('SSRF_GUARD_MAX_REDIRECTS', 3), 'allowed_schemes' => ['http', 'https'], 'allow_private' => (bool) env('SSRF_GUARD_ALLOW_PRIVATE', false), ]; ``` Usage ----- [](#usage) Resolve the guard from the container (it is registered as a singleton) or instantiate it directly. ### Check whether a URL is safe to fetch [](#check-whether-a-url-is-safe-to-fetch) ``` use JeffersonGoncalves\SsrfGuard\SsrfGuard; $guard = app(SsrfGuard::class); $guard->isPublicUrl('https://example.com'); // true $guard->isPublicUrl('http://127.0.0.1'); // false (loopback) $guard->isPublicUrl('http://10.0.0.1'); // false (private) $guard->isPublicUrl('http://169.254.169.254'); // false (link-local / metadata) $guard->isPublicUrl('ftp://example.com'); // false (scheme not allowed) ``` Use it to validate user input before storing or fetching it: ``` if (! app(SsrfGuard::class)->isPublicUrl($request->input('webhook_url'))) { abort(422, 'The URL must point to a public host.'); } ``` ### Fetch a URL safely [](#fetch-a-url-safely) `safeGet()` performs the pinned, redirect-re-validating request and returns a standard `Illuminate\Http\Client\Response`. It throws `JeffersonGoncalves\SsrfGuard\Exceptions\BlockedHostException` if the URL — or any redirect hop — is not public: ``` use JeffersonGoncalves\SsrfGuard\SsrfGuard; use JeffersonGoncalves\SsrfGuard\Exceptions\BlockedHostException; try { $response = app(SsrfGuard::class)->safeGet($untrustedUrl); $body = $response->body(); } catch (BlockedHostException $e) { report($e); // The URL pointed at a non-public host — refuse to proxy it. } ``` You can pass extra HTTP Client options; they are merged over the safe defaults: ``` $response = app(SsrfGuard::class)->safeGet($url, [ 'headers' => ['Accept' => 'image/*'], ]); ``` Important `safeGet()` guarantees the **transport** is not pointed at an internal host. It does not validate the **response body**. If you re-serve fetched content from your own origin (images, HTML), still validate the `Content-Type` and sanitize/transform the body to avoid stored XSS. ### Getting the curl resolve pin [](#getting-the-curl-resolve-pin) If you build your own request and just want the validated `CURLOPT_RESOLVE` entries, call `resolveEntries()` — it returns `null` for any non-public/unsupported URL: ``` $resolve = app(SsrfGuard::class)->resolveEntries('https://example.com'); // ['example.com:443:93.184.216.34'] (or null if not public) ``` Configuration ------------- [](#configuration) KeyDefaultDescription`timeout``8`Maximum seconds a `safeGet()` request may run.`max_redirects``3`How many redirect hops to follow — each one is re-validated.`allowed_schemes``['http', 'https']`Schemes considered valid; everything else is rejected.`allow_private``false`**DANGER** — when `true`, skips the private/reserved/loopback/link-local check. For local development only; never enable in production.Testing ------- [](#testing) ``` composer test ``` Changelog --------- [](#changelog) Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently. Contributing ------------ [](#contributing) Please see [CONTRIBUTING](.github/CONTRIBUTING.md) for details. Security Vulnerabilities ------------------------ [](#security-vulnerabilities) Please review [our security policy](../../security/policy) on how to report security vulnerabilities. Credits ------- [](#credits) - [Jèfferson Gonçalves](https://github.com/jeffersongoncalves) - [All Contributors](../../contributors) License ------- [](#license) The MIT License (MIT). Please see [License File](LICENSE.md) for more information. ### Health Score 22 — LowBetter than 21% of packages Maintenance65 Regular maintenance activity Popularity2 Limited adoption so far Community9 Small or concentrated contributor base Maturity13 Early-stage or recently created project Bus Factor1 Top contributor holds 83.3% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Community Maintainers ![](https://avatars.githubusercontent.com/u/411493?v=4)[Jefferson Gonçalves](/maintainers/jeffersongoncalves)[@jeffersongoncalves](https://github.com/jeffersongoncalves) --- Top Contributors [![jeffersongoncalves](https://avatars.githubusercontent.com/u/411493?v=4)](https://github.com/jeffersongoncalves "jeffersongoncalves (5 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (1 commits)") --- Tags composerhttp-clientjeffersongoncalveslaravellaravel-packagephpsecurityssrf ### Embed Badge ![Health badge](/badges/jeffersongoncalves-laravel-ssrf-guard/health.svg) ``` [![Health](https://phpackages.com/badges/jeffersongoncalves-laravel-ssrf-guard/health.svg)](https://phpackages.com/packages/jeffersongoncalves-laravel-ssrf-guard) ``` ### Alternatives [php-http/cache-plugin PSR-6 Cache plugin for HTTPlug 25025.5M80](/packages/php-http-cache-plugin)[illuminate/http The Illuminate Http package. 11937.2M6.5k](/packages/illuminate-http)[rdkafka/rdkafka A PHP extension for Kafka 2.2k20.0k1](/packages/rdkafka-rdkafka)[httpsoft/http-message Strict and fast implementation of PSR-7 and PSR-17 87930.4k113](/packages/httpsoft-http-message)[mezzio/mezzio-router Router subcomponent for Mezzio 265.3M84](/packages/mezzio-mezzio-router)[serpapi/google-search-results-php Get Google, Bing, Baidu, Ebay, Yahoo, Yandex, Home depot, Naver, Apple, Duckduckgo, Youtube search results via SerpApi.com 69122.6k](/packages/serpapi-google-search-results-php) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)