# Server-Side Request Forgery via HTTP Requests

- ID: javascript-ssrf
- Severity: HIGH
- CWE: Server-Side Request Forgery (CWE-918)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs

## Description

Detects user input flowing into HTTP request functions without URL validation.

## Detection Message

Untrusted input from {source} reaches HTTP request at {sink}. This allows an attacker to make server-side requests to internal services or cloud metadata endpoints.

## Remediation

Validate URLs against an allowlist of permitted domains before making requests.

```javascript
const axios = require('axios');
const ALLOWED_DOMAINS = ['api.example.com']; // example value: hosts this service may call

const url = new URL(userInput); // throws on malformed input; reject the request in that case
if (ALLOWED_DOMAINS.includes(url.hostname)) {
  axios.get(userInput);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-918/ssrf

## Related Rules

- **Server-Side Request Forgery (SSRF)** [HIGH]:
- **SSRF in Next.js Server Actions** [HIGH]:
- **Server-Side Request Forgery (SSRF)** [HIGH]: