Show HN: Drawbridge – Drop-In SSRF Protection for Python
(github.com)
1 points
by logicx24
106 days ago
Drawbridge is a drop-in replacement for `requests` or `httpx` that provides comprehensive SSRF protection. For every request, it will:
1. Resolve DNS first with a single getaddrinfo() call
2. Validate all IPs, and reject if any resolved address is private/reserved
3. Pin the connection by rewriting the URL to the validated IP, and set the Host header and TLS SNI to the original hostname
4. Re-validate on each redirect hop.

This blocks most SSRF attack methods: DNS rebinding, address obfuscation, and redirects. Also see our launch post here: https://tachyon.so/blog/ssrfs-trickiest-issue
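The four steps listed in the post, sketched with the standard library only. This is an added example, not Drawbridge's code or API: `resolve_once`, `is_public`, `pin`, `check_redirect_chain` and `BlockedAddress` are hypothetical names, and using `ipaddress`'s `is_global` as the private/reserved test is an assumed policy.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class BlockedAddress(Exception):
    """Raised when a URL must not be fetched."""


def resolve_once(host, port, resolver=socket.getaddrinfo):
    # Step 1: one getaddrinfo() call; the answer is reused, never re-resolved.
    infos = resolver(host, port, type=socket.SOCK_STREAM)
    # sockaddr[0] is the address; drop any IPv6 scope id ("fe80::1%eth0").
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]


def is_public(ip):
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the IPv4 address inside.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    # Assumed policy: only globally routable unicast addresses are allowed.
    return ip.is_global and not ip.is_multicast


def pin(url, resolver=socket.getaddrinfo):
    """Return (ip, hostname, port): connect to ip, send hostname as Host/SNI."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedAddress(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    ips = resolve_once(parts.hostname, port, resolver)
    # Step 2: one private/reserved address anywhere in the answer rejects it.
    bad = [str(ip) for ip in ips if not is_public(ip)]
    if bad or not ips:
        raise BlockedAddress(f"{parts.hostname} resolves to {bad or 'nothing'}")
    # Step 3: the caller connects to this exact IP, so a second DNS answer
    # (rebinding) cannot change the destination after validation.
    return str(ips[0]), parts.hostname, port


def check_redirect_chain(urls, resolver=socket.getaddrinfo):
    # Step 4: every hop gets the same resolve/validate/pin treatment.
    return [pin(u, resolver) for u in urls]
```

Passing a stub as `resolver` lets the validation logic be unit-tested offline with constructed DNS answers.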