dssrf — Safe‑by‑Construction SSRF Defense for Node.js

dssrf is a priotized security‑first URL and network validation library designed to eliminate entire classes of SSRF vulnerabilities - from basic bypasses to extremely advanced bypass techniques used in real‑world attacks.

It provides a small set of strict, deterministic, safe‑by‑construction functions that developers can use to validate untrusted URLs before making outbound requests.

If you only use the global function is_url_safe(), your application benefit all of those SSRF protections by default.

---

Features

• Unicode normalization (NFKC) to prevent homoglyph attacks.
• Strict IPv4 validation
  • exactly 4 octets
  • no leading zeros
  • no short forms
  • no decimal/hex/octal/binary encodings
• IPv6 Denied completly
• Backslash and slash normalization
• Userinfo the at symbol stripped
• Scheme normalization and allowlisting
• DNS resolution with internal IP detection and DNS Rebiding detection
• Redirect safety

---

Installation and Usage

npm install dssrf

And in your web js app add

import { is_url_safe } from "dssrf";

const url = await is_url_safe("https://example.com");

if (!url) {
  throw new Error("SSRF attempt Detected.");
}

or for CommonJS style

const dssrf = require("dssrf");

const url = await dssrf.is_url_safe("https://example.com");

if (!url) {
  throw new Error("SSRF attempt Detected.");
}

Contributions

All contributions are welcome under the MIT license to me.

Warning

• Redirect Safety By default, is_redirect_safe() will not make outbound requests unless you explicitly enable it with the environment variable DSSRF_MAKE_REQUEST=1. - When disabled, You loose redirect safety. - When enabled, dssrf performs controlled HTTP requests (HEAD with followRedirect: false) to inspect Location headers hop‑by‑hop. - This ensures accurate redirect validation but may expose your server's IP address and timing externally. Use only in environments where outbound validation traffic is acceptable, I recommend disabling it becauses expose your server ip and can cause slowdown and also port scanning/service discovery instead disable following redirects in your http client.

Support DSSRF

DSSRF has reached 12K downloads and is trusted by the community (OWASP listed, starred by BitBuilder Cloud, verified clean by Snyk).
If you find DSSRF useful, consider sponsoring to help sustain development:

• Patreon
• OpenCollective
• Ko‑fi

Support DSSRF with Bitcoin

DSSRF has reached 12K downloads and is trusted by the community (OWASP listed, starred by BitBuilder Cloud, verified clean by Snyk).
If you’d like to support development with Bitcoin, you can send donations to:

BTC Addresses (SegWit bech32):

• bc1qeqct6n3kncynvdjls4yv9r6patpfcufp24gvk3

• bc1q6k2mfrd3qsttw43zg5dnuvlmdscfa8pgvkxw9f

• bc1qvgqnfr3znuqyaatm06ggftjxn0zx3unw5taa3h

• bc1qclj339c45s67w2q8ljwasef27qfcla9tdnmt07

(More addresses available on request — these are derived from the project’s wallet for rotation and privacy.)

You can also use bitcoin Lightning Network payment link lnurlp://mainnet.demo.btcpayserver.org/BTC/UILNURL/2EYDhcF83tdF1Uadtr269Kn88Mxm1P4DpCSACspNasst/pay?currency=USD.

Or via scan the qr code, in your mobile app via