Skip to main content

SSRF Protection

Server-Side Request Forgery (SSRF) is a security vulnerability where an attacker tricks a server into making requests to unintended locations. Pictify implements multiple layers of protection when rendering URLs or fetching data.

What is SSRF?

When Pictify renders a URL or fetches data for bindings, it makes HTTP requests on your behalf. Without protection, an attacker could potentially:
  • Access internal services (e.g., http://localhost:8080/admin)
  • Probe private networks (e.g., http://192.168.1.1)
  • Access cloud metadata (e.g., http://169.254.169.254)
  • Scan internal ports

Pictify’s Protections

1. URL Validation

All URLs are validated before requests are made:

2. Blocked IP Ranges

Requests to these IP ranges are blocked:

3. DNS Resolution Protection

Pictify resolves DNS before making requests and blocks if the resolved IP is in a blocked range:
This prevents DNS rebinding attacks where a domain initially resolves to a public IP but later resolves to a private IP.

4. Protocol Restrictions

Only HTTP and HTTPS protocols are allowed:

5. Redirect Following

Redirects are validated at each step:

Using URL Features Safely

Screenshot from URL

When rendering screenshots from URLs, Pictify validates the target:

Bindings with External Data

Bindings are created via the POST /bindings REST endpoint (the SDKs don’t wrap bindings). The same SSRF rules apply to the binding’s data URL:

HTML with External Resources

External resources in HTML are also validated:

Error Handling

When SSRF protection blocks a request, you’ll receive a clear error:

Best Practices for Your Application

Validate User Input

If your application passes user-provided URLs to Pictify, validate them first:

Use Allowlists

For user-provided URLs, consider using an allowlist:

Log Suspicious Activity

Monitor for potential SSRF attempts:

Frequently Asked Questions

Can I render localhost URLs?

No. Localhost and private network URLs are blocked for security. Use public URLs or upload your HTML content directly.

Can I render internal company sites?

Internal sites (private IPs, internal DNS) cannot be rendered. If you need to render internal content:
  1. Make the content publicly accessible (with authentication if needed)
  2. Use HTML directly instead of URL rendering

Why was my URL blocked?

Common reasons:
  • URL resolves to a private IP address
  • URL uses a non-HTTP(S) protocol
  • URL redirects to a blocked location
  • Domain is on a blocklist

Can I whitelist specific internal URLs?

For Enterprise customers, contact support to discuss custom URL allowlists for specific use cases.