How long does a security audit take?

Most audits are completed within 1-2 weeks, depending on the size and complexity of your codebase.

What tech stacks do you support?

We audit applications built with JavaScript/TypeScript, Python, Go, Ruby, PHP, and more. Whether you're using React, Next.js, Django, Rails, or any other framework—we've got you covered.

Is my code kept confidential?

Absolutely. We sign NDAs, use encrypted connections, and delete all access after the audit. Your code never leaves your repository—we only need read access.

How is this different from automated scanning?

Automated scanners catch common issues but miss business logic flaws, complex auth bypasses, and context-specific vulnerabilities. Our manual audits think like attackers and understand your unique application.

How do you prevent SSRF?

Validate and sanitize all user-supplied URLs Use allowlists for permitted domains Block requests to private IP ranges Disable unnecessary URL schemes (file://, gopher://) Use AWS IMDSv2 which requires a token

What are examples of SSRF?

Accessing AWS metadata at http://169.254.169.254. Scanning internal network ports. Accessing internal admin panels. Reading local files via file:// protocol

What is an SSRF vulnerability?

1 min read Updated 2026-02-05

Server-Side Request Forgery. A vulnerability where an attacker can make the server perform requests to unintended locations, potentially accessing internal resources.

Related: Injection Input Validation

Understanding SSRF

SSRF exploits server functionality that fetches external resources. Attackers can use it to scan internal networks, access cloud metadata services (like AWS IMDSv1), or interact with internal services. It's particularly dangerous in cloud environments.

Examples

Accessing AWS metadata at http://169.254.169.254
Scanning internal network ports
Accessing internal admin panels
Reading local files via file:// protocol

How to Prevent

Validate and sanitize all user-supplied URLs
Use allowlists for permitted domains
Block requests to private IP ranges
Disable unnecessary URL schemes (file://, gopher://)
Use AWS IMDSv2 which requires a token

Related Terms

Injection

A class of vulnerabilities where untrusted data is sent to an interpreter as part of a command or query. Includes SQL injection, NoSQL injection, and command injection.

Input Validation

The process of ensuring that user-supplied data meets expected formats and constraints before processing. A critical defense against injection attacks.

Worried about SSRF in your app?

Our security audits identify vulnerabilities like this before attackers do. Get expert manual review of your codebase.

Get a Security Audit Back to Glossary