dssrf

SSRF defense library for Node.js with safe URL validation utilities.

Source: npm
Version: 1.0.2 (latest)
Weekly downloads: 2K (-36.56%)
Maintainers: 1
Versions: 3

dssrf — Safe‑by‑Construction SSRF Defense for Node.js


dssrf is a security‑first URL and network validation library designed to eliminate entire classes of SSRF vulnerabilities, from basic bypasses to the advanced bypass techniques used in real‑world attacks.

It provides a small set of strict, deterministic, safe‑by‑construction functions that developers can use to validate untrusted URLs before making outbound requests.

If you only use the global function is_url_safe(), your application benefits from all of those SSRF protections by default.

Features

  • Unicode normalization (NFKC) to prevent homoglyph attacks.
  • Strict IPv4 validation
    • exactly 4 octets
    • no leading zeros
    • no short forms
    • no decimal/hex/octal/binary encodings
  • IPv6 denied completely
  • Backslash and slash normalization
  • Userinfo (everything before the @) stripped
  • Scheme normalization and allowlisting
  • DNS resolution with internal IP detection and DNS rebinding detection
  • Redirect safety
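To make the feature list concrete, here is a small validator that applies the same checks in the order a defender would: NFKC normalization, backslash folding, scheme allowlisting, userinfo stripping, strict dotted‑quad IPv4 literals, IPv6 denial, and resolution of every hostname to addresses that are then checked against internal ranges. This is an added example, not dssrf's own code; every name in it (validateUrl, isStrictIPv4, isInternalIPv4, rawHost, demoResolve, DEMO_DNS) is my own choice, and the name‑to‑address table is constructed so the example runs offline. One detail worth knowing: Node's WHATWG URL parser silently rewrites "127.1", "0x7f.0.0.1" and "0177.0.0.1" to "127.0.0.1", so the strictness check has to look at the host as it was written, not at the parsed hostname.

```javascript
// Added example, not dssrf's own code: the listed checks written out as a
// small validator. All names here are my own; the DNS table is constructed.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

// Strict dotted-quad: exactly four decimal octets, no leading zeros, so
// short forms ("127.1"), hex ("0x7f.0.0.1") and octal ("0177.0.0.1") fail.
function isStrictIPv4(host) {
  const parts = host.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Loopback, unspecified, RFC 1918, link-local and CGNAT ranges: an outbound
// request must never land on any of these.
function isInternalIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Host exactly as written in the URL text (userinfo and port removed), so
// spellings the WHATWG parser would silently canonicalize stay visible.
function rawHost(s) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(s);
  if (!m) return null;
  let auth = m[1];
  const at = auth.lastIndexOf("@");
  if (at !== -1) auth = auth.slice(at + 1);            // drop userinfo
  if (auth.startsWith("[")) return auth;                // IPv6 literal, denied below
  const colon = auth.lastIndexOf(":");
  return colon === -1 ? auth : auth.slice(0, colon);    // drop port
}

// Returns the normalized URL string when every check passes, otherwise null.
// `resolve(hostname)` returns the list of addresses the name maps to. In
// production inject a real lookup (e.g. dns.promises.lookup(host, { all: true }))
// and await it; a fixed table is used here so the example runs offline.
function validateUrl(raw, resolve) {
  // NFKC folds fullwidth/compatibility characters; backslashes become slashes.
  const s = raw.normalize("NFKC").replace(/\\/g, "/");
  let u;
  try { u = new URL(s); } catch { return null; }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return null;    // scheme allowlist

  const host = rawHost(s);
  if (!host || host.startsWith("[")) return null;       // IPv6 denied
  u.username = ""; u.password = "";                     // strip userinfo

  let addrs;
  if (DOTTED_QUAD.test(u.hostname)) {
    // The parser accepted an IPv4 literal; it must already be in strict form,
    // so anything the parser had to rewrite is rejected outright.
    if (host !== u.hostname || !isStrictIPv4(host)) return null;
    addrs = [u.hostname];
  } else {
    addrs = resolve(u.hostname);
    if (!addrs || addrs.length === 0) return null;      // unresolvable name
  }
  // Every resolved address must be a public IPv4 (IPv6 answers are denied).
  for (const ip of addrs) {
    if (!DOTTED_QUAD.test(ip) || isInternalIPv4(ip)) return null;
  }
  return u.href;
}

// Constructed name-to-address table standing in for DNS in this example.
const DEMO_DNS = new Map([
  ["example.com", ["93.184.216.34"]],
  ["intranet.test", ["10.0.0.5"]],
  ["v6only.test", ["::1"]],
]);
const demoResolve = (name) => DEMO_DNS.get(name);
```

Usage: `validateUrl("https://example.com/a", demoResolve)` returns the normalized URL, while `validateUrl("http://127.1/", demoResolve)` and `validateUrl("http://intranet.test/", demoResolve)` return null. Because the resolver is injected, the same function can be wired to a real DNS lookup and then pinned (connecting to the returned address rather than re‑resolving) to close the rebinding window the feature list mentions.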

Installation and Usage

npm install dssrf

In an ES module (where top-level await is available):

import { is_url_safe } from "dssrf";

const url = await is_url_safe("https://example.com");

if (!url) {
  throw new Error("SSRF attempt Detected.");
}

or, in CommonJS style (no top-level await, so the call is wrapped in an async function):

const dssrf = require("dssrf");

(async () => {
  const url = await dssrf.is_url_safe("https://example.com");

  if (!url) {
    throw new Error("SSRF attempt Detected.");
  }
})();

Contributions

All contributions are welcome under the MIT license.

Warning

  • Redirect safety: by default, is_redirect_safe() will not make outbound requests unless you explicitly enable it with the environment variable DSSRF_MAKE_REQUEST=1.
    • When disabled, you lose redirect safety.
    • When enabled, dssrf performs controlled HTTP requests (HEAD with followRedirect: false) to inspect Location headers hop‑by‑hop.
    • This ensures accurate redirect validation but may expose your server's IP address and timing externally. Use it only in environments where outbound validation traffic is acceptable. I recommend leaving it disabled, because it exposes your server's IP, can cause slowdowns and can be abused for port scanning/service discovery; instead, disable redirect following in your HTTP client.
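The last recommendation above, disabling automatic redirect following in the client, only helps if each hop is then checked before the next request goes out. The following is an added example (not part of the dssrf package) of that pattern using Node's global fetch with `redirect: "manual"`, which returns the 3xx response instead of following it. The validator is injected as `isSafe` so any URL checker can be plugged in; `fetchWithSafeRedirects`, `mockFetch`, `demoIsSafe`, `demo` and the response table are my own names, and the table is constructed so the example runs offline (the mock stands in for the network; it assumes Node 18+ for the `Headers` global).

```javascript
// Added example, not dssrf's own code: follow redirects one hop at a time with
// the client's automatic following disabled, validating every Location target
// before it is requested. All names are my own choices.

// `isSafe(url)` is the caller's validator (async, returns a boolean).
// `fetchImpl` defaults to Node's global fetch, which supports redirect: "manual".
async function fetchWithSafeRedirects(url, isSafe, fetchImpl = globalThis.fetch, maxHops = 5) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!(await isSafe(current))) {
      throw new Error(`unsafe redirect target blocked at hop ${hop}: ${current}`);
    }
    // With redirect: "manual" the 3xx response is returned instead of followed.
    const res = await fetchImpl(current, { redirect: "manual" });
    if (res.status < 300 || res.status > 399) return res;
    const location = res.headers.get("location");
    if (!location) return res;                          // 3xx without Location
    current = new URL(location, current).href;          // resolve relative targets
  }
  throw new Error(`redirect chain longer than ${maxHops} hops: ${url}`);
}

// Constructed stand-in for fetch: a fixed table of responses, no network.
function mockFetch(table) {
  return async (url) => {
    const entry = table.get(url);
    if (!entry) throw new Error(`constructed mock has no response for ${url}`);
    return { url, status: entry.status, headers: new Headers(entry.headers || {}) };
  };
}

// Constructed chains: one ends on a public host, the other tries to bounce the
// outbound request into a private (RFC 1918) address on the second hop.
const DEMO_RESPONSES = new Map([
  ["https://example.com/start", { status: 302, headers: { location: "/next" } }],
  ["https://example.com/next",  { status: 302, headers: { location: "http://10.0.0.5/admin" } }],
  ["http://10.0.0.5/admin",     { status: 200 }],
  ["https://example.com/docs",  { status: 301, headers: { location: "https://docs.example.net/" } }],
  ["https://docs.example.net/", { status: 200 }],
]);
const demoFetch = mockFetch(DEMO_RESPONSES);

// Minimal validator for the demo: reject 10/8 and loopback. A real deployment
// would plug in a full URL/IP validator here.
async function demoIsSafe(url) {
  const host = new URL(url).hostname;
  return !(host.startsWith("10.") || host === "127.0.0.1" || host === "localhost");
}

// Runs both chains and returns the outcome so it can be inspected or asserted on.
async function demo() {
  const ok = await fetchWithSafeRedirects("https://example.com/docs", demoIsSafe, demoFetch);
  let blocked = null;
  try {
    await fetchWithSafeRedirects("https://example.com/start", demoIsSafe, demoFetch);
  } catch (e) {
    blocked = e.message;
  }
  return { finalUrl: ok.url, finalStatus: ok.status, blocked };
}
```

Running `demo()` resolves to the public final URL for the first chain and the blocking error message for the second, which is refused at hop 2 before any request to the private address is made. The hop cap protects against redirect loops, and relative Location values are resolved against the current URL so a bare path cannot slip past the check.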

Keywords

ssrf

Package last updated on 13 Jan 2026