A Capability‑Based Approach to Preventing Unintended Internal Requests in Node.js #916
HackingRepo asked this question in Ideas
I’ve been working on an open‑source Node.js library called dssrf. It introduces a strict outbound‑request validation layer designed to prevent applications from unintentionally reaching internal service interfaces in hosted environments.
The library evaluates every destination before a connection is allowed and rejects anything that resolves to internal network locations, including link‑local and private ranges. It also blocks indirect paths such as multi‑step redirects or DNS tricks that attempt to disguise an internal target.
The goal is to provide a lightweight, safe‑by‑construction approach that reduces the risk of unintended access to internal cloud service endpoints. I’d appreciate any feedback, ideas for improvement, or edge cases worth exploring.
Repository: https://github.com/HackingRepo/dssrf-js