There’s a class of attacks that doesn’t get a lot of attention, called Server-Side Request Forgery (SSRF). We recently started protecting against it universally at FastMail (rather than the ad-hoc arrangement we had before). Here’s how we did it. First, let’s talk about SSRF. Think of a webapp that lets you give it a URL that it will do something with. Examples are imgur’s “upload image from URL” function, or any feed aggregator (e.g. Feedly) or podcast application (e.g. PlayerFM) that lets ...
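To make the “fetch a user-supplied URL” pattern concrete, here is an added example of a URL check for such a feature. It is illustrative code written for this page, not FastMail’s implementation and not from the original post. It assumes one particular policy (only http/https, and the host must resolve only to public addresses; loopback, RFC 1918, link-local such as the cloud metadata range, multicast, reserved and unspecified addresses are refused), and the function names (`check_fetch_url`, `is_public_address`) and the hostnames in the constructed fake resolver are all invented for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Policy assumption for this example: only plain web schemes may be fetched.
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve host to every A/AAAA address the system resolver returns.

    Every address is checked, so a hostname that maps to one public and one
    internal address (or a name like "localhost") is still refused.
    """
    infos = socket.getaddrinfo(host, None)
    return [info[4][0] for info in infos]


def is_public_address(addr_str):
    """True if addr_str is a routable, non-internal IPv4/IPv6 address."""
    addr = ipaddress.ip_address(addr_str)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by the embedded IPv4 address,
    # otherwise "http://[::ffff:127.0.0.1]/" could slip past an IPv4-only check.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local   # includes 169.254.169.254 (cloud metadata)
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def check_fetch_url(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (ok, reason). `resolver` is injectable so the check can be
    exercised offline with a constructed name table.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parsed.scheme
    host = parsed.hostname  # strips brackets, userinfo and port
    if not host:
        return False, "missing host"

    # An IP literal is checked directly. ipaddress.ip_address() is strict, so
    # tricks like "127.1" or "0x7f000001" fall through to the resolver; if the
    # system resolver maps such a string to 127.0.0.1, that address is then
    # rejected below just like any other loopback result.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, "unresolvable host %r (%s)" % (host, exc)
    if not addrs:
        return False, "host resolved to no addresses"

    for addr in addrs:
        if not is_public_address(addr):
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"


# Constructed name table standing in for DNS, so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "192.168.1.1"],
    "metadata.example": ["169.254.169.254"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://example.com/feed.xml",
        "http://internal.corp/admin",
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://dual.example/",
        "file:///etc/passwd",
        "http://example.com@10.0.0.5/",
    ]:
        print(candidate, "->", check_fetch_url(candidate, fake_resolver))
```

One caveat the check alone does not cover: the HTTP client will resolve the hostname a second time when it connects, so a DNS name whose answer changes between the check and the fetch (DNS rebinding) can still reach an internal address. A fetcher built on this check should connect to the address that was validated (and send the original hostname in the Host header), and should apply the same check to every redirect target rather than letting the client follow redirects on its own.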