SSRF Guard for Laravel
Installation
Installation
composer require cboxdk/laravel-ssrf
The SsrfServiceProvider is auto-discovered — no manual registration. Out of the
box it enforces a secure-by-default policy (public unicast only, http/https only,
DNS pinning on).
Publish the config (optional)
php artisan vendor:publish --tag=ssrf-config
This writes config/ssrf.php, where you can adjust:
| Key | Purpose |
|---|---|
allowed_schemes |
URL schemes permitted (default http, https) |
enforce |
Master switch; false skips DNS/IP checks (on-prem installs) |
pin_dns |
Pin the connection to resolved IPs (default true) |
blocked_hosts |
Exact hostnames to refuse |
blocked_host_suffixes |
Host suffixes to refuse (.internal, .local, …) |
blocked_ips |
Individual addresses to refuse (cloud metadata) |
blocked_cidrs |
CIDR ranges to refuse (private/reserved/transition) |
Environment overrides: SSRF_ENFORCE.
Requirements
- PHP
^8.4 - Laravel 12 (
illuminate/*^12)
ext-curl is recommended: DNS pinning uses CURLOPT_RESOLVE, so without the cURL
handler the guard still validates and disables redirects but cannot pin the socket.