GuardAPI

Fix SSRF (Server Side Request Forgery) in SvelteKit

SSRF in SvelteKit occurs when server-side code, such as a 'load' function in +page.server.js or +layout.server.js, or a request handler in +server.js, fetches a user-supplied URL without validation. A universal 'load' in +page.js is not exempt: it also runs on the server during server-side rendering. Because the request originates from your server, an attacker can force the application to reach internal services, cloud metadata endpoints (such as AWS at 169.254.169.254), or local ports that are not exposed to the public internet. If you call 'fetch' on user input inside server-side files, you are the proxy.

The Vulnerable Pattern

// +page.server.js
export async function load({ url, fetch }) {
  const remoteUrl = url.searchParams.get('url');
  // CRITICAL: Directly fetching user-controlled input. Any scheme, host or
  // port the attacker chooses is requested from the server's network position.
  const response = await fetch(remoteUrl);
  return { content: await response.text() };
}

The Secure Implementation

To eliminate SSRF, treat every outbound server-side fetch as untrusted. First, parse the input with the 'URL' constructor; never use regex or string manipulation, which is prone to bypasses (for example, 'https://api.trusted-partner.com@evil.example/' contains the trusted name but parses to the hostname 'evil.example'). Second, enforce the 'https:' protocol so that 'file://', 'gopher://', 'ftp://' and similar schemes are rejected. Third, compare the parsed hostname against a strict allowlist of exact hostnames. If you must allow arbitrary domains, resolve the hostname and reject any answer that falls in a private or reserved range (10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, ::1, fc00::/7, fe80::/10, and IPv4-mapped IPv6 forms such as ::ffff:169.254.169.254) before dispatching the request. Two caveats apply even then: the lookup you validated and the lookup 'fetch' performs are separate, so a DNS rebinding attacker can answer differently the second time unless you pin the connection to the address you checked; and a redirect from an allowed host can land on an internal one, so pass 'redirect: "manual"' (or validate every hop) rather than letting 'fetch' follow it silently.

import { error } from '@sveltejs/kit';

// Exact hostnames we are willing to proxy to. Compare against parsed.hostname,
// which is already lowercased and excludes userinfo, port and path.
const ALLOWED_HOSTS = ['api.trusted-partner.com', 'cdn.myapp.com'];

export async function load({ url, fetch }) {
  const remoteUrl = url.searchParams.get('url');
  if (!remoteUrl) throw error(400, 'Missing URL');

  // 1. Parse with the URL constructor. Only the parse goes inside the try:
  //    wrapping the whole body would catch our own 400/403 errors below and
  //    report them as 'Invalid URL format'.
  let parsed;
  try {
    parsed = new URL(remoteUrl);
  } catch {
    throw error(400, 'Invalid URL format');
  }

  // 2. Enforce HTTPS only
  if (parsed.protocol !== 'https:') {
    throw error(400, 'Only HTTPS allowed');
  }

  // 3. Strict allowlist validation
  if (!ALLOWED_HOSTS.includes(parsed.hostname)) {
    throw error(403, 'Destination not permitted');
  }

  // 4. Never follow redirects automatically: an allowlisted host could
  //    redirect the server to an internal address.
  const response = await fetch(parsed.href, { redirect: 'manual' });
  if (!response.ok) {
    throw error(502, 'Upstream request failed');
  }
  return { content: await response.text() };
}
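The allowlist version above never needs to look at IP addresses. The fallback described in the previous section, resolving an arbitrary hostname and refusing private or reserved answers, is shown below as an added example written for this page; it is not GuardAPI's code. It assumes Node 18 or newer (WHATWG 'URL', 'node:dns'), the function names 'isBlockedAddress', 'checkDestination', 'literalOrHostname' and 'resolveAndCheck' are invented here, the optional 'lookup' parameter exists so the policy can be exercised offline, and the address lists are constructed sample data. The range table is illustrative rather than exhaustive.

```javascript
// Added example, not GuardAPI's code: resolve-then-check for arbitrary hosts.
// Assumes Node 18+. Function names and sample addresses are constructed here.

// IPv4 ranges a server-side fetch must never reach: "this network", RFC 1918,
// CGNAT, loopback and link-local (which contains 169.254.169.254). Illustrative only.
const BLOCKED_V4 = [
  ['0.0.0.0', 8],
  ['10.0.0.0', 8],
  ['100.64.0.0', 10],
  ['127.0.0.0', 8],
  ['169.254.0.0', 16],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
];

// Dotted-decimal only: the URL parser has already normalised 2130706433,
// 0x7f.0.0.1 and 127.1 into this form before we see the hostname.
const V4_LITERAL = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function v4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inCidrV4(ip, [base, bits]) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// Expand an IPv6 literal into eight 16-bit groups, handling "::" compression
// and an embedded IPv4 tail such as ::ffff:169.254.169.254.
function v6Groups(ip) {
  const toGroups = (s) =>
    (s ? s.split(':') : []).flatMap((g) => {
      if (!g.includes('.')) return [parseInt(g, 16)];
      const n = v4ToInt(g);
      return [n >>> 16, n & 0xffff];
    });
  const [left, right = ''] = ip.split('::');
  const head = toGroups(left);
  const tail = toGroups(right);
  return [...head, ...new Array(8 - head.length - tail.length).fill(0), ...tail];
}

function isBlockedAddress(ip) {
  if (V4_LITERAL.test(ip)) {
    return BLOCKED_V4.some((cidr) => inCidrV4(ip, cidr));
  }
  if (ip.includes(':')) {
    const g = v6Groups(ip);
    const leadingZero = g.slice(0, 5).every((x) => x === 0);
    if (leadingZero && g[5] === 0xffff) {
      // IPv4-mapped address: apply the IPv4 rules to the embedded address.
      const v4 = [g[6] >>> 8, g[6] & 0xff, g[7] >>> 8, g[7] & 0xff].join('.');
      return isBlockedAddress(v4);
    }
    if (leadingZero && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true; // :: and ::1
    if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
    if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
    return false;
  }
  return true; // not an IP literal at all: refuse rather than guess
}

// Hostname as the URL parser sees it: lowercased, userinfo and port removed,
// IPv6 brackets stripped.
function literalOrHostname(rawUrl) {
  return new URL(rawUrl).hostname.replace(/^\[|\]$/g, '');
}

// Synchronous policy: `addresses` is every answer the hostname resolved to
// (or the literal itself). Throws on any violation, returns the href to fetch.
function checkDestination(rawUrl, addresses) {
  const parsed = new URL(rawUrl); // throws TypeError on malformed input
  if (parsed.protocol !== 'https:') throw new Error('Only https: is allowed');
  if (addresses.length === 0) throw new Error('Hostname did not resolve');
  for (const a of addresses) {
    if (isBlockedAddress(a)) throw new Error(`Destination ${a} is not public`);
  }
  return parsed.href;
}

// Real-world wrapper: check every A/AAAA answer, because an attacker can pair
// one public record with one private one. `lookup` is injectable for tests.
async function resolveAndCheck(rawUrl, lookup) {
  const host = literalOrHostname(rawUrl);
  if (V4_LITERAL.test(host) || host.includes(':')) return checkDestination(rawUrl, [host]);
  if (!lookup) {
    const { promises: dns } = await import('node:dns');
    lookup = async (h) => (await dns.lookup(h, { all: true })).map((r) => r.address);
  }
  return checkDestination(rawUrl, await lookup(host));
}
```

In a 'load' function this replaces the allowlist step: 'const href = await resolveAndCheck(remoteUrl);' followed by 'fetch(href, { redirect: "manual" })'. The remaining gap is the second DNS lookup that 'fetch' performs on its own; closing it means connecting to the address you validated (for example through a custom dispatcher whose connect options supply a fixed 'lookup'), which is beyond this snippet.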


Verified by Ghost Labs Security Team