got-ssrf

Protect Got requests from SSRF

Usage no npm install needed!

<script type="module">
  import gotSsrf from 'https://cdn.skypack.dev/got-ssrf';
</script>

README

Welcome to got-ssrf 👋

CI Version Downloads

Protect Got requests from SSRF

🏠 Homepage

Why does this matter?

SSRF is the evil sibling to CSRF that essentially allows RCE against your backends: https://portswigger.net/web-security/ssrf.

This module automatically rejects all suchs requests so you can safely use got without even thinking about it.

Install

npm i got-ssrf

Usage

Note that this package is ESM-only; see https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c for what to do if you're using CJS (i.e. require()).

import { gotSsrf } from 'got-ssrf'

await gotSsrf(url) // automatically filters requests for safety

If you have any other plugins you want to "mix" got-ssrf with, see https://github.com/sindresorhus/got/blob/main/documentation/examples/advanced-creation.js for how to do so. Example:

import got from 'got'
import { gotSsrf } from 'got-ssrf'
import { gotInstance } from 'some-other-got-plugin'

const merged = got.extend(gotSsrf, gotInstance)

Run tests

npm test

Author

👤 Jane Jeon me@janejeon.dev

🤝 Contributing

Contributions, issues and feature requests are welcome!
Feel free to check issues page.

Show your support

Give a ⭐️ if this project helped you!

📝 License

Copyright © 2021 Jane Jeon me@janejeon.dev.
This project is LGPL-3.0 licensed.