dssrf — Safe‑by‑Construction SSRF Defense for Node.js

![npm version](https://www.npmjs.com/package/dssrf)
![npm downloads](https://www.npmjs.com/package/dssrf)
![License: MIT](LICENSE)
![Security](#warning)
![Dependencies](package.json)
![Maintainability](https://codeclimate.com/github/HackingRepo/dssrf-js)
![CodSpeed](https://codspeed.io/HackingRepo/dssrf-js?utm_source=badge)
![Contributions welcome](#contributions)
![Snyk Security](https://snyk.io/test/github/HackingRepo/dssrf-js)
![SLSA Level](https://github.com/HackingRepo/dssrf-js)
![Install size](https://packagephobia.com/result?p=dssrf)
![Open Source Helpers](https://www.codetriage.com/hackingrepo/dssrf-js)
![Contributors](https://github.com/HackingRepo/dssrf-js/graphs/contributors)

dssrf is a priotized security‑first URL and network validation library designed to eliminate entire classes of SSRF vulnerabilities - from basic bypasses to extremely advanced bypass techniques used in real‑world attacks.

It provides a small set of strict, deterministic, safe‑by‑construction functions that developers can use to validate untrusted URLs before making outbound requests.

If you only use the global function is_url_safe(), your application benefit all of those SSRF protections by default.

---

Features

- Unicode normalization (NFKC) to prevent homoglyph attacks.
- Strict IPv4 validation
- exactly 4 octets
- no leading zeros
- no short forms
- no decimal/hex/octal/binary encodings
- IPv6 Denied completly
- Backslash and slash normalization
- Userinfo the at symbol stripped
- Scheme normalization and allowlisting
- DNS resolution with internal IP detection and DNS Rebiding detection
- Redirect safety

---

Installation and Usage

bash

npm install dssrf





And in your web js app add

js

import { is_url_safe } from "dssrf";



const url = await is_url_safe("https://example.com");



if (!url) {

  throw new Error("SSRF attempt Detected.");

}





or for CommonJS style

js

const dssrf = require("dssrf");



const url = await dssrf.is_url_safe("https://example.com");



if (!url) {

  throw new Error("SSRF attempt Detected.");

}





Contributions



All contributions are welcome under the MIT license to me. 



Warning



- Redirect Safety By default,

is_redirect_safe() will not make outbound requests unless you explicitly enable it with the environment variable DSSRF_MAKE_REQUEST=1. - When disabled, You loose redirect safety. - When enabled, dssrf performs controlled HTTP requests (HEAD with followRedirect: false) to inspect Location` headers hop‑by‑hop. - This ensures accurate redirect validation but may expose your server's IP address and timing externally. Use only in environments where outbound validation traffic is acceptable, I recommend disabling it becauses expose your server ip and can cause slowdown and also port scanning/service discovery instead disable following redirects in your http client.

Installation and Usage

bash
npm install dssrf

And in your web js app add

js
import { is_url_safe } from "dssrf";

const url = await is_url_safe("https://example.com");

if (!url) {
throw new Error("SSRF attempt Detected.");
}

or for CommonJS style

js
const dssrf = require("dssrf");

const url = await dssrf.is_url_safe("https://example.com");

if (!url) {
throw new Error("SSRF attempt Detected.");
}

Contributions

All contributions are welcome under the MIT license to me.

Warning

- Redirect Safety By default,

will not make outbound requests unless you explicitly enable it with the environment variable

. - When disabled, You loose redirect safety. - When enabled,

performs controlled HTTP requests (HEAD with

) to inspect