GuardAPI

Fix SSRF (Server Side Request Forgery) in Blitz.js

Server-Side Request Forgery (SSRF) in Blitz.js typically manifests in RPC mutations or queries where user-controlled input is passed to data-fetching libraries like axios, node-fetch, or the native fetch API. Because Blitz runs on the server, an unvalidated URL allows an attacker to proxy requests through your application to scan internal networks, access cloud metadata services (like 169.254.169.254), or bypass firewalls.

The Vulnerable Pattern

import { resolver } from '@blitzjs/rpc';
import axios from 'axios';

// VULNERABLE: the user-provided URL goes straight into a server-side request
export default resolver.pipe(async ({ webhookUrl }) => {
  const response = await axios.get(webhookUrl);
  return response.data;
});

The Secure Implementation

Fixing SSRF requires a 'Zero Trust' approach to external inputs. Use the native 'URL' constructor to parse input safely; never use custom regex. Implement a strict allowlist of domains. To defend against advanced SSRF (like DNS rebinding), you should resolve the hostname to an IP and verify it is not in a private or loopback range (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1) before dispatching the request. Additionally, disabling redirects (maxRedirects: 0) prevents attackers from bypassing the domain check via a 302 redirect to an internal resource.

import { resolver } from '@blitzjs/rpc';
import axios from 'axios';
import { URL } from 'url';

const ALLOWED_DOMAINS = ['api.partner.com', 'webhooks.service.io'];

export default resolver.pipe(async ({ webhookUrl }) => {
  // Throws on malformed input, so garbage never reaches axios
  const parsedUrl = new URL(webhookUrl);

  // 1. Protocol enforcement: only allow HTTPS
  if (parsedUrl.protocol !== 'https:') {
    throw new Error('Invalid protocol: Use HTTPS');
  }

  // 2. Domain allowlist: only allow known-good hosts
  if (!ALLOWED_DOMAINS.includes(parsedUrl.hostname)) {
    throw new Error('Unauthorized destination host');
  }

  // 3. Bound the request: short timeout, no redirects (a 302 could point at an
  //    internal address) and only accept a 200. Resolving the hostname and
  //    rejecting private ranges, as described above, still has to be added.
  const response = await axios.get(webhookUrl, {
    timeout: 3000,
    maxRedirects: 0,
    validateStatus: (status) => status === 200,
  });

  return response.data;
});

Verified by Ghost Labs Security Team