What is SSRF?

The vulnerability behind the 2019 Capital One breach - and how webhook integrations can avoid it.

Definition

SSRF (Server-Side Request Forgery) is an attack in which an attacker convinces your server to make requests to destinations the attacker chooses, typically internal-only resources the attacker could not reach directly. A classic scenario: a webhook integration feature lets users enter a URL, and the server dutifully fetches whatever URL is given. An attacker submits http://169.254.169.254/latest/meta-data/iam/security-credentials/ (the AWS instance metadata endpoint), your server fetches it on the attacker's behalf, and the response hands back the temporary credentials of the instance's IAM role, which then work from anywhere on the internet. The same trick reaches anything that trusts the server's network position: admin interfaces bound to localhost, unauthenticated internal services, and the metadata endpoints of other cloud providers.

Defenses are layered, and each has a caveat. URL allowlists permit only known vendor hostnames; the match has to respect a label boundary so that evil-vendor.example or vendor.example.attacker.net does not pass, and the check should also reject non-HTTPS schemes, unusual ports and userinfo in the URL (https://vendor.example@127.0.0.1/ parses with 127.0.0.1 as the host). Network-level egress restrictions refuse outbound connections to private IP ranges, link-local addresses and loopback, including their IPv6 and IPv4-mapped forms (::1, fe80::/10, ::ffff:169.254.169.254). Resolution-time checks resolve the hostname, reject any answer that falls in a blocked range, and then connect to the exact address that was checked; resolving once for the check and again for the connection leaves a window for DNS rebinding, where a host under the attacker's control answers with a public address first and a private one second. Redirects need the same treatment: follow them manually and run every check again on each hop, because an allowlisted host can respond with a 302 to the metadata endpoint. On AWS, requiring IMDSv2 adds a final layer, since its session token must be obtained with a PUT request carrying a custom header, which a forged GET cannot supply.
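One way to put these defenses together end to end, as an added example that is not SheetLinkWP's own code: the allowlist suffixes, the blocked ranges, the hostnames in the demo table and the 203.0.113.x addresses are all assumptions constructed for the example. Validation rejects anything but HTTPS on port 443, refuses URLs carrying userinfo, matches the allowlist on a label boundary, then resolves the host and rejects every answer in a blocked range; the connection is opened to the address that was checked, and redirects are followed by hand so each hop goes through the whole validation again. demo() runs the flow against a constructed resolver whose rebind.hubapi.com answers with a public address first and loopback second.

```python
"""Allowlist, pinned-IP delivery and per-hop revalidation for webhook URLs (added example)."""
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urljoin, urlsplit, urlunsplit

# Hypothetical allowlist of vendor hostname suffixes for this example.
ALLOWED_SUFFIXES = ("hubapi.com", "salesforce.com", "pipedrive.com", "zohoapis.com")
# Ranges the server must never contact on a user's behalf, listed explicitly so the check
# also covers what ipaddress.is_private misses (CGNAT, 0.0.0.0/8) and the IPv6 forms.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
REDIRECTS = (301, 302, 303, 307, 308)

def is_blocked(ip_text: str) -> bool:
    """True if the address is off limits; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata endpoint
    return any(ip in net for net in BLOCKED_NETS)

def host_allowed(host: str) -> bool:
    """Suffix match on a label boundary: 'evil-hubapi.com' and 'hubapi.com.evil.net' both fail."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def system_resolve(host: str) -> list[str]:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def validate_webhook_url(url: str, resolve=system_resolve) -> tuple[str, str]:
    """Check scheme, credentials, port, allowlist and every resolved address; return (host, ip)."""
    p = urlsplit(url)
    # https://api.hubapi.com@127.0.0.1/ parses with host 127.0.0.1, so reject userinfo outright
    if p.scheme != "https" or p.username or p.password or p.port not in (None, 443):
        raise ValueError(f"scheme, credentials or port not allowed: {url!r}")
    host = p.hostname or ""
    if not host_allowed(host):
        raise ValueError(f"host not on allowlist: {host!r}")
    addrs = resolve(host)
    if not addrs:
        raise ValueError(f"no address for {host!r}")
    for a in addrs:  # every answer must be clean, not just the one we happen to connect to
        if is_blocked(a):
            raise ValueError(f"{host!r} resolves to blocked address {a}")
    return host, addrs[0]

def pinned_https_post(url: str, ip: str, payload: bytes):
    """Connect to the already-validated ip, verify TLS against the hostname, never re-resolve."""
    p = urlsplit(url)
    raw = socket.create_connection((ip, 443), timeout=10)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=p.hostname)
    conn = http.client.HTTPSConnection(p.hostname, timeout=10)
    conn.sock = tls  # give http.client a connected socket so it does no DNS lookup of its own
    conn.request("POST", urlunsplit(("", "", p.path or "/", p.query, "")), body=payload,
                 headers={"Host": p.hostname, "Content-Type": "application/json"})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location"), resp.read()

def deliver_webhook(url: str, payload: bytes, resolve=system_resolve,
                    transport=pinned_https_post, max_hops: int = 3) -> tuple[int, bytes]:
    """Follow redirects by hand so the full validation runs again on every hop."""
    for _ in range(max_hops + 1):
        host, ip = validate_webhook_url(url, resolve)
        status, location, body = transport(url, ip, payload)
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # relative or absolute, the next hop is checked from scratch
            continue
        return status, body
    raise ValueError("too many redirects")

def demo() -> dict[str, str]:
    """Constructed resolver and transport (no network), including a host that rebinds to loopback."""
    table = {"api.hubapi.com": ["203.0.113.10"],
             "rebind.hubapi.com": ["203.0.113.30", "127.0.0.1"]}  # public first, loopback next

    def fake_resolve(host):
        answers = table.get(host, [])
        return [answers.pop(0)] if len(answers) > 1 else list(answers)

    def fake_transport(url, ip, payload):
        p = urlsplit(url)
        if p.hostname == "rebind.hubapi.com":  # redirects to itself, forcing a second resolution
            return 302, "/again", b""
        if p.path == "/redirect":  # allowlisted host bouncing the server to the metadata endpoint
            return 302, "http://169.254.169.254/latest/meta-data/", b""
        return 200, None, f"{p.hostname} via {ip}".encode()

    outcomes = {}
    for url in ("https://api.hubapi.com/hooks/1", "https://api.hubapi.com/redirect",
                "https://rebind.hubapi.com/x", "https://api.hubapi.com@127.0.0.1/",
                "https://evil-hubapi.com/", "https://api.hubapi.com:8080/"):
        try:
            status, body = deliver_webhook(url, b"{}", fake_resolve, fake_transport)
            outcomes[url] = f"{status} {body.decode()}"
        except ValueError as exc:
            outcomes[url] = f"rejected: {exc}"
    return outcomes
```

demo() returns a mapping from URL to outcome. The rebinding host passes the first check, redirects to itself, and is rejected on the second hop when its answer changes to 127.0.0.1, which is exactly the gap a check-then-reconnect implementation leaves open; the allowlisted host that redirects to the metadata endpoint is stopped by the scheme check on the next hop. pinned_https_post is the only function that touches the network and is not exercised by demo(); it is wired in as the default transport so the same deliver_webhook() loop serves production.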

How SheetLinkWP relates to SSRF

SheetLink Forms' CRM Fan-Out and Two-Way Sync features both make outbound HTTP calls, and both apply strict SSRF defenses. Webhook URLs are validated against the allowed vendor domain patterns (hubapi.com, salesforce.com, pipedrive.com, zohoapis.com). For customer-supplied webhook URLs, the plugin refuses requests to private IP ranges (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12), link-local (169.254.0.0/16), and loopback (127.0.0.0/8), and re-resolves the hostname after redirect to prevent rebinding.

See SheetLinkWP in action

Lifetime deals start at $39. One-time payment, no recurring fees.