How to Fix Server-Side Request Forgery (SSRF) in SvelteKit
Learn how to prevent and fix Server-Side Request Forgery (SSRF) vulnerabilities in SvelteKit applications. Step-by-step guide with code examples, security checklists, and best practices.
What Is Server-Side Request Forgery (SSRF)?
Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can cause the server-side application to make HTTP requests to an arbitrary URL chosen by the attacker. The server becomes a proxy, making requests from its own network position, which typically has access to internal services, cloud metadata endpoints, and private network resources that are not directly accessible from the internet.
SSRF attacks exploit any server-side functionality that fetches remote resources based on user-supplied URLs. Common attack surfaces include: URL preview/unfurling features (link previews in chat applications); webhook configurations; file import from URL; PDF generation from URLs; image processing that fetches remote images; and API integrations where the target URL is user-controlled.
In cloud environments (AWS, GCP, Azure), SSRF is particularly dangerous because cloud metadata services (e.g., `http://169.254.169.254`) are accessible from the server and can expose temporary credentials, instance configurations, and secrets. The 2019 Capital One breach, which exposed 100 million records, was enabled by SSRF combined with overly permissive IAM roles.
Why It Matters
SSRF effectively gives attackers network access from the server's perspective. This can expose internal services that assume network-level trust (databases, caches, admin panels), cloud metadata endpoints containing credentials and configuration, private APIs and microservices not intended for external access, and resources behind firewalls or VPNs. In serverless environments, SSRF can access the function's IAM role credentials. The attack can be used for port scanning internal networks, accessing internal dashboards, reading local files (using file:// protocol), and pivoting deeper into the infrastructure.
How to Fix It in SvelteKit
Validate and sanitize all user-supplied URLs. Implement allowlists of permitted domains and IP ranges. Block requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) and cloud metadata endpoints (169.254.169.254). Use a DNS resolution step before making requests and validate the resolved IP is not internal. Disable unnecessary URL schemes (only allow http/https). Use network segmentation to limit the server's access to internal resources. Implement IMDSv2 on AWS instances to require token-based metadata access. Run URL-fetching operations in isolated network environments. For webhook features, validate the URL at configuration time and at request time (DNS rebinding prevention).
SvelteKit-Specific Advice
- Use `$env/static/private` and `$env/dynamic/private` for server-only secrets. Never import from `$env/static/public` for sensitive values.
- SvelteKit has built-in CSRF protection for form actions. Ensure you are using form actions rather than custom API endpoints for state-changing operations.
- Validate all data in `+server.ts` endpoints and `+page.server.ts` load functions. These are public-facing server endpoints.
- Use hooks (`hooks.server.ts`) for global authentication and authorization checks before requests reach route handlers.
SvelteKit Security Checklist for Server-Side Request Forgery (SSRF)
SvelteKit Security Best Practices
Use `$env/static/private` and `$env/dynamic/private` for server-only secrets. Never import from `$env/static/public` for sensitive values.
SvelteKit has built-in CSRF protection for form actions. Ensure you are using form actions rather than custom API endpoints for state-changing operations.
Validate all data in `+server.ts` endpoints and `+page.server.ts` load functions. These are public-facing server endpoints.
Use hooks (`hooks.server.ts`) for global authentication and authorization checks before requests reach route handlers.
Configure security headers in `svelte.config.js` or through hooks. SvelteKit does not set security headers by default.
Be cautious with `event.locals` -- data set here is available to all subsequent handlers in the request pipeline.
Implement rate limiting in hooks or middleware, especially for form actions and API endpoints.
Use `+page.server.ts` load functions to keep data fetching on the server. Avoid exposing internal API URLs in client-side code.
Scan Your SvelteKit App with SafeVibe
Stop guessing if your SvelteKit app is vulnerable to Server-Side Request Forgery (SSRF). Run an automated penetration test in minutes and get actionable results.
Start Free Scan