
MB-R016 SSRF safeguards

C03 Secure Coding Practices · Severity: High

External HTTP requests must restrict target hosts and validate URLs. Without safeguards, attackers can abuse Server-Side Request Forgery (SSRF) to reach internal services or metadata endpoints. Implement allow-lists, strict protocols, and timeouts to reduce this risk.

Why it Matters

Server-Side Request Forgery (SSRF) happens when attackers trick your Magento server into making HTTP requests to locations they choose. This could allow them to reach internal services, cloud-provider metadata endpoints, or other systems inside your network that are not supposed to be exposed.

If external requests are not validated, attackers may bypass firewalls or steal sensitive data. Restricting which hosts can be contacted and validating all URLs helps close this attack vector. Proper SSRF protections reduce the risk of data leaks and lateral movement inside your infrastructure.

Verification Steps

Manual

# Review custom modules for outbound HTTP requests
grep -R "curl_init" app/code
grep -R "file_get_contents(" app/code
grep -R "->request(" app/code

# Check if requests validate allowed hosts or use a whitelist

Remediation / Fix Guidance

  1. Use Magento’s HTTP client or frameworks that support request validation.
  2. Allow only specific, trusted domains (use a whitelist or DNS pinning).
  3. Block requests to local addresses like 127.0.0.1 or 169.254.169.254 (cloud metadata).
  4. Set reasonable timeouts and disable following redirects automatically.

Examples

Fail Example

// Unsafe, accepts any URL input
$url = $_GET['url'];
$response = file_get_contents($url);

Pass Example

// Safe, only allows HTTPS requests to trusted hosts
$allowedHosts = ['api.payment.com', 'api.shipping.com'];
$parts = parse_url($url);
if ($parts !== false
    && ($parts['scheme'] ?? '') === 'https'
    && in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
    $response = $httpClient->get($url);
}
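The remediation steps above combined into one guard, as an added example that is not code from this baseline or from Magento: it enforces https://, checks the host against an allow-list, resolves the name once and rejects loopback, link-local (including the cloud metadata address) and private answers, then pins the curl connection to that vetted IP with redirects disabled and timeouts set. The host names and the caller are hypothetical.

```php
<?php
// Added example, not code from the Magento baseline: an outbound-request guard
// applying steps 2-4 above. Host names and callers are hypothetical.

const ALLOWED_HOSTS = ['api.payment.com', 'api.shipping.com'];

// False for loopback, link-local (incl. 169.254.169.254), RFC 1918 and other reserved ranges.
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Validates $url and returns [host, ip] to pin the connection to, or throws.
function validateOutboundUrl(string $url): array
{
    $p = parse_url($url);
    if ($p === false || ($p['scheme'] ?? '') !== 'https' || empty($p['host'])
        || isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('Only plain https:// URLs are allowed');
    }
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException("Host not in allow-list: $host");
    }
    // A trusted name can still resolve to 127.0.0.1 or a metadata address, so vet the answer (IPv4 only here).
    $ip = gethostbyname($host);
    if ($ip === $host || !isPublicIp($ip)) {
        throw new RuntimeException("Refusing non-public address $ip for $host");
    }
    return [$host, $ip];
}

function fetchTrusted(string $url): string
{
    [$host, $ip] = validateOutboundUrl($url);
    $port = parse_url($url, PHP_URL_PORT) ?? 443;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,               // step 4: never follow redirects automatically
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 10,                  // step 4: bounded total request time
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,     // strict protocol
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // DNS pinning: connect to the vetted IP
    ]);
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException(curl_error($ch)); }
    return $body;
}
```

Because redirects are not followed, a 3xx response is returned to the caller as-is; if a redirect must be honoured, pass the Location value back through validateOutboundUrl() rather than re-enabling CURLOPT_FOLLOWLOCATION.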
