
DSSRF protect metadata cloud endpoint against SSRF

  • December 13, 2025

relunsec

# DSSRF DefendAgainstSSRFAgainstMetadataEndpoint

In many cloud environments, virtual machines expose a special internal service that provides identity material and configuration details. On Google Cloud, this internal interface is reachable through a link‑local address and is intended only for trusted, local use. If an application unintentionally forwards user‑controlled URLs to this internal address, sensitive workload credentials may be exposed.

dssrf introduces a strict request‑validation layer for Node.js applications. Instead of allowing arbitrary destinations, it evaluates every outbound URL and rejects anything that resolves to internal network locations. This includes link‑local addresses, private ranges, IPv6 variants, and any hostname that ultimately maps to those spaces.

The library also blocks indirect paths such as multi‑step redirects or DNS tricks that attempt to disguise an internal target. By enforcing a predictable and tightly scoped outbound‑request policy, dssrf helps ensure that applications cannot be coerced into reaching internal cloud services.

For teams running software on Google Cloud, this provides an additional safeguard against accidental exposure of workload identity data. It is a lightweight way to reduce the attack surface around internal service endpoints.

Repository: https://github.com/HackingRepo/dssrf


relunsec
  • Author
  • December 13, 2025

No, the repo link is wrong; it should be https://github.com/HackingRepo/dssrf-js