Complete API documentation for URL Sheriff.
Main class for URL validation and SSRF prevention.
/**
* URLSheriff class for validating URLs and preventing SSRF attacks
*/
class URLSheriff {
/**
* Creates a new URLSheriff instance
* @param config - Optional configuration object
*/
constructor(config?: URLSheriffConfig);
/**
* Validates if a URL is safe to use
* @param url - URL string or URL object to validate
* @returns Promise resolving to true if URL is safe
* @throws Error if URL is invalid, uses disallowed scheme, or resolves to private IP
*/
isSafeURL(url: string | URL): Promise<boolean>;
/**
* Checks if an IP address is private or internal
* @param ipAddress - IP address string (IPv4 or IPv6)
* @returns true if IP address is private, false if public
*/
isPrivateIPAddress(ipAddress: string): boolean;
/**
* Performs DNS lookup using system resolver
* @param hostname - Hostname to resolve
* @returns Promise resolving to array of IP addresses (both IPv4 and IPv6)
* @throws Error if DNS lookup fails
*/
hostnameLookup(hostname: string): Promise<string[]>;
/**
* Performs DNS lookup using custom resolvers configured in constructor
* @param hostname - Hostname to resolve
* @returns Promise resolving to array of IPv4 addresses only
* @throws Error if custom resolver not configured or DNS lookup fails
*/
resolveHostnameViaServers(hostname: string): Promise<string[]>;
/**
* Adds entries to the allow-list at runtime
* @param entries - Array of string literals or RegExp patterns to add
* @returns void
*/
addToAllowList(entries: Array<string | RegExp>): void;
/**
* Removes entries from the allow-list at runtime
* @param entries - Array of string literals or RegExp patterns to remove
* @returns void
* @note Removing non-existent entries is safe and silently ignored
*/
removeFromAllowList(entries: Array<string | RegExp>): void;
/**
* Gets the current allow-list entries
* @returns Copy of current allow-list array
*/
getAllowList(): Array<string | RegExp>;
/**
* Sets allowed URL schemes/protocols
* @param schemes - Array of allowed scheme strings (e.g., ['http', 'https'])
* @returns Normalized schemes array or null if empty array provided (which clears restrictions)
*/
setAllowedSchemes(schemes: string[]): string[] | null;
/**
* Gets current allowed URL schemes
* @returns Copy of allowed schemes array or null if no restrictions
*/
getAllowedSchemes(): string[] | null;
/**
* Removes all scheme restrictions, allowing any protocol
* @returns void
*/
clearSchemeRestrictions(): void;
}Creates a new URLSheriff instance with optional configuration.
Parameters:
config (optional): URLSheriffConfig objectReturns: URLSheriff instance
Example:
const sheriff = new URLSheriff();
const sheriffWithConfig = new URLSheriff({
allowedSchemes: ['https'],
allowList: ['localhost']
});Validates if a URL is safe to use. This is the primary method for SSRF prevention.
Parameters:
url: string | URL - URL string or URL object to validateReturns: Promise<boolean> - Resolves to true if URL is safe
Throws: Error if:
allowedSchemes is configured)Example:
try {
await sheriff.isSafeURL('https://example.com'); // Returns true
} catch (error) {
console.error('Unsafe URL:', error.message);
}Checks if an IP address is private or internal.
Parameters:
ipAddress: string - IP address string (IPv4 or IPv6)Returns: boolean - true if IP address is private, false if public
Example:
sheriff.isPrivateIPAddress('192.168.1.1'); // true
sheriff.isPrivateIPAddress('8.8.8.8'); // falsePerforms DNS lookup using the system DNS resolver.
Parameters:
hostname: string - Hostname to resolveReturns: Promise<string[]> - Array of IP addresses (both IPv4 and IPv6)
Throws: Error if DNS lookup fails
Example:
const ips = await sheriff.hostnameLookup('example.com');
// ['93.184.216.34', '2606:2800:220:1:248:1893:25c8:1946']Performs DNS lookup using custom resolvers configured in constructor.
Parameters:
hostname: string - Hostname to resolveReturns: Promise<string[]> - Array of IPv4 addresses only
Throws: Error if:
dnsResolvers not provided)Example:
const sheriff = new URLSheriff({
dnsResolvers: ['1.1.1.1']
});
const ips = await sheriff.resolveHostnameViaServers('example.com');
// ['93.184.216.34']Adds entries to the allow-list at runtime.
Parameters:
entries: Array<string | RegExp> - Array of string literals or RegExp patterns to addReturns: void
Example:
sheriff.addToAllowList(['localhost', /^.*\.internal\.com$/]);Removes entries from the allow-list at runtime.
Parameters:
entries: Array<string | RegExp> - Array of string literals or RegExp patterns to removeReturns: void
Note: Removing non-existent entries is safe and silently ignored.
Example:
sheriff.removeFromAllowList(['localhost']);Gets the current allow-list entries.
Returns: Array<string | RegExp> - Copy of current allow-list array
Example:
const allowList = sheriff.getAllowList();
console.log(allowList); // ['localhost', /^.*\.internal\.com$/]Sets allowed URL schemes/protocols.
Parameters:
schemes: string[] - Array of allowed scheme strings (e.g., ['http', 'https'])Returns: string[] | null - Normalized schemes array or null if empty array provided (which clears restrictions)
Note: Schemes are case-insensitive and automatically normalized to lowercase.
Example:
sheriff.setAllowedSchemes(['https', 'http']);
// Returns ['https', 'http']
sheriff.setAllowedSchemes([]);
// Returns null, clears restrictionsGets current allowed URL schemes.
Returns: string[] | null - Copy of allowed schemes array or null if no restrictions
Example:
const schemes = sheriff.getAllowedSchemes();
// ['https', 'http'] or nullRemoves all scheme restrictions, allowing any protocol.
Returns: void
Example:
sheriff.clearSchemeRestrictions();
// Now all schemes are allowedAll methods throw standard JavaScript Error objects with descriptive messages:
resolveHostnameViaServers without configuring dnsResolversSee Configuration Reference for detailed configuration options.