Skip to content

Quickstart

Quickstart

Guard an outbound HTTP request

The Http::ssrf() macro validates the URL, pins the connection, and disables redirects — then it's the normal Laravel HTTP client:

use Illuminate\Support\Facades\Http;

$response = Http::ssrf($endpoint)
    ->withHeaders(['X-Signature' => $signature])
    ->post($endpoint, $payload);

If $endpoint is unsafe, the macro throws Cbox\Ssrf\Exceptions\BlockedUrl before any request is made. Catch it to turn it into a domain error:

use Cbox\Ssrf\Exceptions\BlockedUrl;

try {
    Http::ssrf($endpoint)->post($endpoint, $payload);
} catch (BlockedUrl $e) {
    // Log it; do not echo $e->getMessage() to an untrusted caller — it confirms
    // internal reachability.
    report($e);
}

Validate a user-supplied URL

Reject an unsafe URL at the edge, before you ever store it:

use Cbox\Ssrf\Rules\PublicUrl;

$data = $request->validate([
    'webhook_url' => ['required', 'url', new PublicUrl],
]);

That's it

Everything else — custom clients, browser-redirect validation, tuning the policy — builds on app(Cbox\Ssrf\Contracts\UrlGuard::class). See the Cookbook.