This guide will help you get started with URL Sheriff for SSRF prevention.
npm install url-sheriff
Requirements: Node.js 22.0.0 or higher
import URLSheriff from 'url-sheriff';
For CommonJS:
const URLSheriff = require('url-sheriff');

import URLSheriff from 'url-sheriff';
// Constructed with no options, the instance uses the default configuration,
// which blocks all private IPs.
const defaultSheriff = new URLSheriff();

import URLSheriff from 'url-sheriff';
const sheriff = new URLSheriff();
const candidateUrl = 'https://example.com';

try {
  // Returns true for a safe URL; an unsafe URL throws and lands in the catch.
  await sheriff.isSafeURL(candidateUrl);
  // The URL passed the check: proceed with the request here.
  // NOTE(review): the check and the request are separate steps. The HTTP
  // client presumably resolves the hostname again and may follow redirects,
  // so validate each redirect target too (or disable automatic redirects).
} catch (err) {
  // The URL was rejected: handle the unsafe URL here.
  console.error('URL is unsafe:', err.message);
}

import URLSheriff from 'url-sheriff';
const sheriff = new URLSheriff();
const loopbackUrl = 'http://127.0.0.1:3000';

try {
  // A loopback address is private, so with the default configuration this throws an Error.
  await sheriff.isSafeURL(loopbackUrl);
} catch (err) {
  // Logs: "URL uses a private hostname"
  console.error(err.message);
}

import URLSheriff from 'url-sheriff';
// Entries are exact strings or regular expressions. A host that matches an
// entry passes the check even when it is private, so every entry is an
// exemption from the SSRF protection: keep the list as narrow as possible and
// keep loopback entries such as these to development configurations.
const trustedHosts = [
  'localhost',
  '127.0.0.1',
  // Anchored at both ends, so only names ending in .internal.company.com match.
  // NOTE(review): presumably matched against the URL's hostname; confirm.
  /^.*\.internal\.company\.com$/
];
const sheriff = new URLSheriff({ allowList: trustedHosts });

// Each call returns true because the host matches an allowList entry.
const allowedUrls = ['http://localhost:3000', 'https://app.internal.company.com'];
for (const url of allowedUrls) {
  await sheriff.isSafeURL(url);
}

import URLSheriff from 'url-sheriff';
// Only the schemes listed in allowedSchemes are accepted; here that is https alone.
const httpsOnly = ['https'];
const sheriff = new URLSheriff({ allowedSchemes: httpsOnly });

// An https URL returns true.
await sheriff.isSafeURL('https://example.com');

const plainHttpUrl = 'http://example.com';
try {
  // http is not in allowedSchemes, so this throws an Error.
  await sheriff.isSafeURL(plainHttpUrl);
} catch (err) {
  // Logs: "URL scheme 'http' is not allowed"
  console.error(err.message);
}

import URLSheriff from 'url-sheriff';
// Cloudflare (1.1.1.1) and Google (8.8.8.8) DNS.
// NOTE(review): presumably these resolvers are used for the safety check
// only. The HTTP client that later fetches the URL uses its own resolver,
// which can return a different answer; confirm that the two agree in your
// deployment.
const customResolvers = ['1.1.1.1', '8.8.8.8'];
const sheriff = new URLSheriff({ dnsResolvers: customResolvers });

await sheriff.isSafeURL('https://example.com');