GuardAPI

Fix SSRF (Server Side Request Forgery) in Polka

SSRF (Server-Side Request Forgery) in Polka environments occurs when the application accepts a user-controlled URL to perform backend requests. Without validation, an attacker can coerce the server into scanning internal ports, hitting cloud metadata services like 169.254.169.254, or bypassing firewalls to access internal-only microservices.

The Vulnerable Pattern

const polka = require('polka');
const fetch = require('node-fetch');

polka()
  .get('/proxy', async (req, res) => {
    const { target } = req.query;
    // DANGER: No validation on 'target'.
    // Attacker can pass 'http://localhost:6379' or 'http://169.254.169.254/latest/meta-data/'
    const response = await fetch(target);
    const data = await response.text();
    res.end(data);
  })
  .listen(3000);

The Secure Implementation

The fix involves three layers of defense. First, parse the input with the native URL constructor so that malformed strings cannot slip past string-based checks. Second, require the https: protocol, which rules out file://, gopher:// and other schemes. Third, enforce a strict hostname allowlist. For production-grade security, you should also resolve the hostname to an IP address and verify that it does not fall within private or loopback ranges (e.g., 10.0.0.0/8, 127.0.0.0/8) to mitigate DNS rebinding attacks; that check only helps if the request is then sent to the address you validated rather than resolved a second time by the HTTP client.

const polka = require('polka');
const fetch = require('node-fetch');
const { URL } = require('url');

const ALLOWED_HOSTS = ['api.trusted-service.com', 'images.cdn.com'];

polka()
  .get('/proxy', async (req, res) => {
    try {
      const { target } = req.query;
      const parsed = new URL(target);

      // 1. Protocol Whitelisting
      if (parsed.protocol !== 'https:') {
        res.statusCode = 400;
        return res.end('Only HTTPS is permitted.');
      }

      // 2. Domain Whitelisting
      if (!ALLOWED_HOSTS.includes(parsed.hostname)) {
        res.statusCode = 403;
        return res.end('Disallowed target host.');
      }

      const response = await fetch(parsed.href);
      const data = await response.text();
      res.end(data);
    } catch (err) {
      res.statusCode = 400;
      res.end('Invalid URL or Request');
    }
  })
  .listen(3000);


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.