Configuring SSRF constraints for the Content Service

You can configure Server-Side Request Forgery (SSRF) constraints for the Content Service in the application.properties file.

Procedure

  1. To enable SSRF constraints, ensure that the ssrf.constraints.enabled property is set to true. By default, the value is false and all other SSRF properties are ignored.
  2. Configure what the service should do when accessing a URI that is neither allowed nor prohibited by setting the value of ssrf.process.unknown.uri. The default value, THROW_EXCEPTION, makes the service throw an exception for such URIs (the high-security option). To configure the low-security alternative, that is, processing such URIs, change the value to PROCESS.
  3. Configure one or more space-separated regular expressions that represent which URIs are allowed, as the value of ssrf.allowed.patterns. If not modified, this value defaults to the following, which represents any HTTP or HTTPS URI:

       https?://((?>\\d+\\.){3}\\d+|[-.0-9a-zA-Z]+)(:\\d+)?/ https?://localhost:808\\d/
  4. Configure one or more space-separated regular expressions that represent which URIs are prohibited, as the value of ssrf.prohibited.patterns. By default, this property has an empty string as its value.
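
The following is an added example, not the product's own code, for trying candidate pattern values against sample URIs before putting them in application.properties. It assumes that prohibited patterns are checked before allowed ones and that a pattern applies when it matches from the start of the URI; the class name, the stricter pattern values and the sample URIs are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SsrfPatternCheck {
    enum Decision { PROHIBITED, ALLOWED, UNKNOWN_REJECTED, UNKNOWN_PROCESSED }

    // Split a space-separated property value into compiled patterns ("" yields none).
    static List<Pattern> compile(String value) {
        List<Pattern> out = new ArrayList<>();
        for (String p : value.trim().split("\\s+")) {
            if (!p.isEmpty()) out.add(Pattern.compile(p));
        }
        return out;
    }

    // Assumption: a pattern applies when it matches from the start of the URI.
    static boolean matchesAny(List<Pattern> patterns, String uri) {
        for (Pattern p : patterns) {
            if (p.matcher(uri).lookingAt()) return true;
        }
        return false;
    }

    // Assumption: prohibited patterns are checked before allowed ones.
    static Decision decide(String uri, String allowed, String prohibited, String unknown) {
        if (matchesAny(compile(prohibited), uri)) return Decision.PROHIBITED;
        if (matchesAny(compile(allowed), uri)) return Decision.ALLOWED;
        return "PROCESS".equals(unknown) ? Decision.UNKNOWN_PROCESSED : Decision.UNKNOWN_REJECTED;
    }

    public static void main(String[] args) {
        // Default ssrf.allowed.patterns from the page; "\\d" in a Java literal is the regex \d.
        String defAllowed = "https?://((?>\\d+\\.){3}\\d+|[-.0-9a-zA-Z]+)(:\\d+)?/ https?://localhost:808\\d/";
        // Constructed stricter values for a hypothetical deployment.
        String strictAllowed = "https://content\\.example\\.internal(:\\d+)?/";
        String strictProhibited = "https?://localhost[:/] https?://192\\.0\\.2\\.";
        String[] uris = {                               // constructed sample URIs
            "https://content.example.internal/doc/1",
            "https://content.example.internal.other.example/doc/1", // look-alike host
            "http://localhost:8081/",
            "http://192.0.2.10/status",
            "ftp://files.example.internal/x"
        };
        for (String u : uris) {
            System.out.printf("%-55s default=%-16s strict=%s%n", u,
                decide(u, defAllowed, "", "THROW_EXCEPTION"),
                decide(u, strictAllowed, strictProhibited, "THROW_EXCEPTION"));
        }
    }
}
```

Under the default values every http and https sample is allowed, including the localhost and look-alike URIs; with the stricter values only the first sample is allowed, and the trailing / in the allowed pattern is what keeps the look-alike host out.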