Server-side request forgery | Critiq Docs

#Metadata

Rule ID: ts.security.ssrf
Severity: high
Confidence: 0.85
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: Not specified
Applies to: Not specified
Tags: network, rules-catalog, security, ssrf

#Why it matters

Request-controlled targets can force the server to call internal services, metadata endpoints, or attacker-controlled infrastructure.

#Remediation

Resolve URLs against a trusted allowlist, reject private hosts, and proxy outbound requests through a vetted server-side helper.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.ssrf.rule.yaml.

Back to registry Open rule in repository