GuardAPI

Fix SSRF (Server Side Request Forgery) in Falcon

SSRF (Server-Side Request Forgery) in Falcon occurs when the application fetches a remote resource based on user-supplied URLs without proper validation. This allows attackers to pivot into internal networks, scan local ports, or exfiltrate sensitive cloud metadata (e.g., AWS IMDS). A 'hacker-style' fix requires more than just regex; it requires strict protocol enforcement and IP-level validation.

The Vulnerable Pattern

import falcon
import requests

class VulnerableProxy:
    def on_get(self, req, resp):
        # DANGER: directly fetching a user-supplied URL
        target_url = req.get_param('url')
        if target_url:
            r = requests.get(target_url, timeout=5)
            resp.text = r.text
            resp.status = falcon.HTTP_200

app = falcon.App()
app.add_route('/proxy', VulnerableProxy())

The Secure Implementation

The secure implementation employs a defense-in-depth strategy. First, it enforces the 'https' scheme to prevent protocol smuggling (e.g., file:// or gopher://). Second, it uses a strict domain allowlist. Third, it performs manual DNS resolution to check the destination IP against private and reserved ranges, effectively neutralizing DNS rebinding attacks and preventing access to internal infrastructure or cloud metadata services. Finally, 'allow_redirects=False' is set in the request to prevent attackers from bypassing filters via 30x redirects.

import falcon
import ipaddress
import requests
import socket
from urllib.parse import urlparse

ALLOWED_DOMAINS = ['api.trusted-service.com']

def validate_url(url):
    try:
        parsed = urlparse(url)
        # 1. Enforce HTTPS only
        if parsed.scheme != 'https':
            return False
        # 2. Domain allowlist (comparing netloc also rejects userinfo and ports)
        if parsed.netloc not in ALLOWED_DOMAINS:
            return False
        # 3. Prevent DNS rebinding / internal IP access: resolve the host and
        #    reject anything that is not a globally routable unicast address.
        #    ipaddress covers 10/8, all of 172.16/12, 192.168/16, 127/8,
        #    169.254/16 and the other reserved blocks, which a string-prefix
        #    check would not.
        ip = ipaddress.ip_address(socket.gethostbyname(parsed.hostname))
        if not ip.is_global or ip.is_multicast:
            return False
        return True
    except Exception:
        return False

class SecureProxy:
    def on_get(self, req, resp):
        target_url = req.get_param('url')
        if not target_url or not validate_url(target_url):
            raise falcon.HTTPBadRequest(title='Invalid URL', description='The provided URL is not allowed.')

        r = requests.get(target_url, timeout=5, allow_redirects=False)
        resp.text = r.text
        resp.status = falcon.HTTP_200
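Added example, not code from the GuardAPI page: a stand-alone validator that carries step 3 above through every A and AAAA answer for the host and classifies each with the ipaddress module, so the whole 172.16.0.0/12 block, IPv6 answers and IPv4-mapped IPv6 forms are all covered. The allowlist entry is the page's; the resolver is an injectable parameter so the cases can be checked offline with constructed answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.trusted-service.com"}  # allowlist entry from the page


def is_public_unicast(ip_text):
    """True only for a globally routable unicast address, IPv4 or IPv6."""
    ip = ipaddress.ip_address(ip_text)
    # Judge an IPv4-mapped IPv6 answer (::ffff:a.b.c.d) as a.b.c.d, or the
    # link-local and RFC 1918 blocks would slip past the IPv4 checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes private, loopback, link-local, unspecified and
    # reserved blocks; multicast is excluded explicitly because older
    # Python versions report some multicast ranges as global.
    return ip.is_global and not ip.is_multicast


def resolve_all(host):
    """Every A/AAAA answer for host, as text; raises OSError on failure."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def validate_url(url, resolver=resolve_all):
    """Scheme, allowlist and resolved-address checks; resolver is injectable.

    The HTTP client resolves the name again when it connects, so this narrows
    the rebinding window rather than closing it; pin the checked address at
    connect time where the client supports it.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return False
    # 1. https only, and no userinfo: "user@host" confuses parsers.
    if parts.scheme != "https" or "@" in parts.netloc:
        return False
    # 2. Allowlist on the parsed hostname (urlsplit lowercases it).
    if host not in ALLOWED_HOSTS or port not in (None, 443):
        return False
    # 3. Every resolved address must be public; one internal answer rejects.
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False
    return bool(addrs) and all(is_public_unicast(a) for a in addrs)
```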
Verified by Ghost Labs Security Team
