GuardAPI

Fix SSRF (Server Side Request Forgery) in Hapi

SSRF in Hapi.js environments typically manifests when user-controlled input is fed directly into HTTP client libraries like @hapi/wreck or axios. An attacker can exploit this to scan internal ports, access cloud metadata services (like 169.254.169.254), or pivot into the internal network. To kill SSRF, you need to enforce strict allowlisting, validate protocols, and prevent DNS rebinding or redirect-based bypasses.

The Vulnerable Pattern

const Hapi = require('@hapi/hapi');
const Wreck = require('@hapi/wreck');

const server = Hapi.server({ port: 3000 });

server.route({
    method: 'GET',
    path: '/fetch-metadata',
    handler: async (request, h) => {
        // UNSAFE: the user-supplied URL goes straight to the HTTP client.
        // Any scheme, host, port or IP the attacker chooses is fetched
        // from the server's own network position.
        const { targetUrl } = request.query;
        try {
            const { payload } = await Wreck.get(targetUrl);
            return payload;
        } catch (err) {
            return h.response('Error').code(500);
        }
    }
});

The Secure Implementation

The secure implementation uses the native URL constructor to parse the input and enforces an HTTPS-only policy. It then checks the parsed hostname against a hardcoded allowlist, which rejects localhost, IP literals and any host you did not explicitly approve. Crucially, it sets redirects: 0 in Wreck so that an allowlisted host cannot bounce the server to an internal resource via a redirect (e.g. a 302 to http://127.0.0.1); Wreck does not follow redirects by default, but stating it explicitly keeps the intent visible and survives a later change of defaults. With redirects disabled the server never requests the Location target, so treat any 3xx that does come back as a failure rather than returning its body. A hostname allowlist alone does not cover an allowlisted name that resolves, or is later rebound, to a private address, so for high-security environments pair this logic with a custom DNS resolver or a proxy agent that rejects RFC 1918, loopback and link-local addresses (169.254.0.0/16, which includes the cloud metadata endpoint) at connection time.

const Hapi = require('@hapi/hapi');
const Wreck = require('@hapi/wreck');
const { URL } = require('url');

const server = Hapi.server({ port: 3000 });

// Only these hostnames may ever be fetched on the user's behalf.
const ALLOWED_DOMAINS = ['trusted-api.com', 'cdn.example.com'];

server.route({
    method: 'GET',
    path: '/fetch-metadata',
    handler: async (request, h) => {
        const { targetUrl } = request.query;
        try {
            // Throws on malformed input; normalises case and default ports.
            const parsed = new URL(targetUrl);

            // 1. Protocol Enforcement
            if (parsed.protocol !== 'https:') {
                return h.response('Insecure protocol').code(400);
            }

            // 2. Domain Allowlisting (exact hostname match, no IP literals)
            if (!ALLOWED_DOMAINS.includes(parsed.hostname)) {
                return h.response('Untrusted destination').code(403);
            }

            // 3. Prevent Redirect Bypasses & Set Timeouts
            // Fetch the normalised URL, never the raw query string.
            const { payload } = await Wreck.get(parsed.href, {
                redirects: 0,
                timeout: 2000,
                headers: { 'User-Agent': 'Hapi-Secure-Proxy' }
            });

            return payload;
        } catch (err) {
            // Invalid URL or upstream failure: fail closed without leaking details.
            return h.response('Forbidden').code(403);
        }
    }
});
