Security

SSRF (Server-Side Request Forgery)

An attack where an attacker manipulates a server into issuing HTTP requests to internal resources — such as cloud metadata endpoints, internal APIs, or databases — that should not be reachable from the public internet. SSRF exploits features like URL fetching, webhooks, and PDF generation that allow user-supplied URLs. Mitigations include allowlist validation of URLs, blocking RFC 1918 address ranges, and using egress firewalls to restrict outbound server traffic.
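The allowlist and RFC 1918 checks described above, sketched as an added example (not code from the original page). The host names in `ALLOWED_HOSTS`, the `check_url` function and its injectable `resolver` parameter are hypothetical names. The example goes slightly beyond RFC 1918 by rejecting every non-global address, which also covers loopback and the link-local range used by cloud metadata endpoints.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: the only hosts the fetcher may contact.
ALLOWED_HOSTS = {"hooks.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def system_resolver(host):
    """Resolve a host to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(addr):
    """True for RFC 1918, loopback, link-local and other non-global ranges."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def check_url(url, resolver=system_resolver):
    """Return (True, addresses) if the URL may be fetched, else (False, reason)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    # Reject if ANY record is internal: an allowlisted name can still be
    # pointed at an internal address through DNS.
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    # The caller should connect to these addresses rather than re-resolve.
    return True, addrs
```

Redirects need the same check on every hop, and the egress firewall remains the backstop if validation is bypassed.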

Related protocols

See also