Cyber Doc logo Cyber Doc
Cybersecurity Term

What is server-side request forgery?

A web weakness where a server can be tricked into making requests it should not make.

Web & Application Security Last reviewed: 2026-05-20

← Back to Learn Centre

What is server-side request forgery?

Server-side request forgery, or SSRF, happens when an attacker abuses a server into making requests to places it should not access.

Simple example

A website feature that fetches a user-provided URL is tricked into requesting an internal admin service.

Why it matters

SSRF can expose internal systems, metadata services, or sensitive resources that are not directly visible to the internet.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Restrict where server-side URL fetch features can connect.
  • Block access to internal addresses where not needed.
  • Validate and allowlist destinations.
  • Use cloud metadata protections.
  • Test URL-fetching features carefully.

Reactive steps

  • Disable or restrict the affected feature if active abuse is suspected.
  • Review server logs for unusual outbound requests.
  • Check whether internal services or secrets were accessed.
  • Patch the vulnerable logic.
  • Rotate exposed credentials if necessary.

Related terms

  • API security
  • Security misconfiguration
  • Web application security