{"id":30902089,"url":"https://github.com/zaczero/httpx-secure","last_synced_at":"2025-09-09T07:50:30.679Z","repository":{"id":310122548,"uuid":"1038659988","full_name":"Zaczero/httpx-secure","owner":"Zaczero","description":"Drop-in SSRF protection for httpx","archived":false,"fork":false,"pushed_at":"2025-08-16T11:09:16.000Z","size":29,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-05T14:00:08.442Z","etag":null,"topics":["dns-cache","httpx","security","server-side-request-forgery","ssrf","web-security"],"latest_commit_sha":null,"homepage":"https://pypi.org/p/httpx-secure","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"0bsd","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Zaczero.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-15T15:51:32.000Z","updated_at":"2025-08-16T11:09:04.000Z","dependencies_parsed_at":"2025-08-15T22:52:51.632Z","dependency_job_id":"d5eea8db-3292-444a-99a4-fb725e6c8264","html_url":"https://github.com/Zaczero/httpx-secure","commit_stats":null,"previous_names":["zaczero/httpx-secure"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Zaczero/httpx-secure","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zaczero%2Fhttpx-secure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zaczero%2Fhttpx-secure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zaczero%2Fhttpx-secure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zaczero%2Fhttpx-secure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Zaczero","download_url":"https://codeload.github.com/Zaczero/httpx-secure/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Zaczero%2Fhttpx-secure/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274262089,"owners_count":25251960,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-09T02:00:10.223Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns-cache","httpx","security","server-side-request-forgery","ssrf","web-security"],"created_at":"2025-09-09T07:50:26.533Z","updated_at":"2025-09-09T07:50:30.666Z","avatar_url":"https://github.com/Zaczero.png","language":"Python","funding_links":["https://liberapay.com/Zaczero/","https://github.com/sponsors/Zaczero"],"categories":[],"sub_categories":[],"readme":"# httpx-secure\n\n[![PyPI - Python Version](https://shields.monicz.dev/pypi/pyversions/httpx-secure)](https://pypi.org/p/httpx-secure)\n[![Liberapay Patrons](https://shields.monicz.dev/liberapay/patrons/Zaczero?logo=liberapay\u0026label=Patrons)](https://liberapay.com/Zaczero/)\n[![GitHub Sponsors](https://shields.monicz.dev/github/sponsors/Zaczero?logo=github\u0026label=Sponsors\u0026color=%23db61a2)](https://github.com/sponsors/Zaczero)\n\nDrop-in SSRF protection for httpx.\n\n## Why Use This?\n\n- **SSRF Protection**: Block requests to private/internal IP addresses\n- **Custom Validation**: Extend with your own validation logic\n- **Minimal Overhead**: Efficient implementation with built-in DNS caching\n- **Broad Python Support**: Compatible with Python 3.9+\n- [**Semantic Versioning**](https://semver.org): Predictable, reliable updates\n- [**Zero-Clause BSD**](https://choosealicense.com/licenses/0bsd/): Public domain, use freely anywhere\n\n## Installation\n\n```bash\npip install httpx-secure\n```\n\n## Quick Start\n\n```python\nimport httpx\nfrom httpx_secure import httpx_ssrf_protection\n\nclient = httpx_ssrf_protection(\n    httpx.AsyncClient(),\n    dns_cache_size=1000,  # Cache up to 1000 DNS resolutions\n    dns_cache_ttl=600,    # Cache for 10 minutes\n)\n\nawait client.get(\"https://public.domain\")   # Allowed\nawait client.get(\"https://private.domain\")  # Blocked\n```\n\n## Custom Validation\n\nFor example, implement a simple domain whitelist to restrict requests to specific hosts:\n\n```python\nimport httpx\nfrom httpx_secure import httpx_ssrf_protection\nfrom ipaddress import IPv4Address, IPv6Address\n\ndef custom_validator(\n    hostname: str,\n    ip: IPv4Address | IPv6Address,\n    port: int\n) -\u003e bool:\n    return hostname in {\n        \"whitelisted.domain\",\n        \"webhook.partner.com\",\n    }\n\nclient = httpx_ssrf_protection(\n    httpx.AsyncClient(),\n    custom_validator=custom_validator,\n)\n\nawait client.get(\"https://whitelisted.domain\")  # Allowed\nawait client.get(\"https://unknown.domain\")      # Blocked\n```\n\n## How It Works\n\n1. **Cache Lookup**: First checks if the host has been recently validated and cached\n2. **DNS Resolution**: If not cached, resolves the hostname to an IP address\n3. **Validation**: Verifies the IP is globally routable, blocking private/internal addresses\n4. **Custom Validation**: If provided, your custom validator is called for additional checks\n5. **Request Modification**: Rewrites the request to use the validated IP directly\n\nThe DNS cache significantly reduces latency for repeated requests, while per-host locking ensures efficient concurrent resolution of parallel requests.\n\n\u003e [!TIP]\n\u003e The SSRF protection applies to all HTTP methods (GET, POST, PUT, DELETE, etc.) and automatically validates redirects to prevent SSRF attacks through redirect chains.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzaczero%2Fhttpx-secure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzaczero%2Fhttpx-secure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzaczero%2Fhttpx-secure/lists"}