# Server-Side Request Forgery (SSRF)

- ID: python-ssrf
- Severity: HIGH
- CWE: Server-Side Request Forgery (CWE-918)
- Languages: Python
- Frameworks: flask, django, fastapi

## Description

Flags HTTP requests whose destination URL is derived from user input. An attacker who controls the URL can make the server issue requests on their behalf to arbitrary destinations, including internal services that are not reachable from the outside and cloud instance metadata endpoints (for example the link-local address 169.254.169.254), from which credentials can often be read.

## Remediation

Validate URLs against an allowlist of permitted hosts before issuing the request. Compare the parsed hostname, not the raw string: substring and prefix checks are bypassed by URLs such as `https://api.github.com.evil.example/` or `https://api.github.com@10.0.0.5/`.

```python
from urllib.parse import urlparse

ALLOWED_DOMAINS = {"api.github.com", "api.example.com"}

def fetch_remote(user_url):
    parsed = urlparse(user_url)
    # parsed.hostname is None for malformed input, which also fails this check
    if parsed.hostname not in ALLOWED_DOMAINS:
        return "Invalid domain", 400
    # issue the request only after the check above has passed
```

The hostname check is the minimum. In practice also restrict the scheme (no `file://`, `gopher://` or plain `http://`), reject URLs that embed credentials, pin the port, and disable redirect following in the HTTP client, since an allowlisted host can still redirect to an internal address. If the allowlisted host's DNS is not under your control, resolve it and reject private, loopback and link-local results; for the strongest guarantee route outbound requests through an egress proxy that enforces the policy.

Learn more: https://shoulder.dev/learn/python/cwe-918/ssrf

## Related Rules

- **Server-Side Request Forgery (SSRF)** [HIGH]
- **SSRF in Next.js Server Actions** [HIGH]
- **Server-Side Request Forgery via HTTP Requests** [HIGH]
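The following is an added, stand-alone example (not code from the rule page or the shoulder.dev project) that extends the Remediation section's hostname allowlist into a fuller pre-request check: scheme, embedded credentials, port, and the addresses the host actually resolves to. The allowlist, the HTTPS-only policy, the port set, the `validate_outbound_url` and `is_public_address` names, and the stub resolver used in the demo are all assumptions made for this example; the sample URLs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for this example: only these hosts, only HTTPS, only the default port.
ALLOWED_HOSTS = {"api.github.com", "api.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def system_resolver(host):
    """Resolve a hostname to the set of IP address strings it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text):
    """True only for globally routable unicast addresses; anything else is an SSRF target."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_outbound_url(user_url, resolver=system_resolver):
    """Return (ok, detail): detail is the rejection reason, or the resolved addresses on success."""
    parsed = urlparse(user_url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # https://api.github.com@169.254.169.254/ parses with an allowlisted *username*
    # and a hostname of 169.254.169.254, so embedded credentials are rejected outright.
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL"
    host = parsed.hostname  # already lowercased; None when the netloc is empty
    if host is None or host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        port = parsed.port  # raises ValueError for ports outside 0-65535
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"resolution failed: {exc}"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, ", ".join(sorted(addresses))


if __name__ == "__main__":
    # Constructed sample input; the stub resolver keeps the demo offline.
    stub = lambda host: {"140.82.112.5"}
    for url in (
        "https://api.github.com/repos/python/cpython",
        "https://api.github.com@169.254.169.254/latest/meta-data/",
        "http://api.example.com/",
        "https://api.example.com:8080/",
    ):
        print(url, "->", validate_outbound_url(url, resolver=stub))
```

The resolver is injectable so the policy can be unit-tested without DNS. Note that the HTTP client will resolve the name a second time when it connects, so a host whose DNS you do not control can still be rebound between the check and the request; closing that gap requires connecting to the validated address yourself (or an egress proxy that does), and the client must additionally be configured not to follow redirects.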