Configuring SSRF constraints for the Content Service
You can configure Server-Side Request Forgery (SSRF) constraints for the Content Service in the application.properties file.
Procedure
- To enable SSRF constraints, ensure that the ssrf.constraints.enabled property is set to true. By default, the value is false and all other SSRF properties are ignored.
- Configure what the service should do when accessing a URI that is neither allowed nor prohibited by setting the value of ssrf.process.unknown.uri. The default value, THROW_EXCEPTION, represents the default behavior of throwing an exception (the high-security option). To configure the low-security alternative, that is, processing such URIs, change the value to PROCESS.
- Configure one or more space-separated regular expressions that represent which URIs are allowed, as the value of ssrf.allowed.patterns. If not modified, this value defaults to the following:
  https?://((?>\\d+\\.){3}\\d+|[-.0-9a-zA-Z]+)(:\\d+)?/ https?://localhost:808\\d/
  which represents any HTTP or HTTPS URI.
- Configure one or more space-separated regular expressions that represent which URIs are prohibited, as the value of ssrf.prohibited.patterns. By default, this property has an empty string as its value.
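
A dry run for candidate pattern values, as an added example that is not part of the product or its documentation: it classifies constructed sample URIs the way the three properties above describe. It assumes that patterns are matched from the start of the URI and that a prohibited match wins over an allowed one; SAMPLE_PROHIBITED, the sample URIs and all function names are constructed for illustration.

```python
import re

# Default ssrf.allowed.patterns as written in application.properties
# (backslashes are doubled there because "\" is the .properties escape).
DEFAULT_ALLOWED = (r"https?://((?>\\d+\\.){3}\\d+|[-.0-9a-zA-Z]+)(:\\d+)?/ "
                   r"https?://localhost:808\\d/")
# Constructed sample value for ssrf.prohibited.patterns (not a product default).
SAMPLE_PROHIBITED = r"https?://127\\. https?://10\\."
# Constructed sample URIs.
SAMPLE_URIS = ["https://docs.example.com/file.pdf", "http://10.0.0.5:8080/status",
               "http://127.0.0.1/", "ftp://files.example.com/a"]


def compile_patterns(property_value):
    """Split a space-separated property value and compile each regex."""
    compiled = []
    for raw in property_value.split():
        regex = raw.replace("\\\\", "\\")  # undo .properties escaping
        # Python older than 3.11 lacks atomic groups. In the default pattern
        # the group wraps digits followed by a dot, so a non-capturing group
        # matches identically; remove this line to test other atomic groups.
        regex = regex.replace("(?>", "(?:")
        compiled.append(re.compile(regex))
    return compiled


def classify(uri, allowed, prohibited, unknown="THROW_EXCEPTION"):
    """Return PROHIBITED, ALLOWED, or the ssrf.process.unknown.uri value.

    Assumed, not stated on the page: patterns match from the start of the
    URI, and a prohibited match takes precedence over an allowed one.
    """
    if any(p.match(uri) for p in compile_patterns(prohibited)):
        return "PROHIBITED"
    if any(p.match(uri) for p in compile_patterns(allowed)):
        return "ALLOWED"
    return unknown


def report(allowed, prohibited, unknown="THROW_EXCEPTION"):
    """Classify every sample URI under the given settings."""
    return {u: classify(u, allowed, prohibited, unknown) for u in SAMPLE_URIS}


if __name__ == "__main__":
    for label, prohibited in (("defaults", ""), ("with prohibited", SAMPLE_PROHIBITED)):
        print(label)
        for uri, verdict in report(DEFAULT_ALLOWED, prohibited).items():
            print(f"  {verdict:16} {uri}")
```

With the default allowed patterns and an empty prohibited list, the loopback and 10.x sample URIs are classified as allowed, which is why a ssrf.prohibited.patterns value or a narrower ssrf.allowed.patterns value is worth setting.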