{"library":"request-filtering-agent","title":"Request Filtering Agent","description":"request-filtering-agent is an http(s).Agent implementation for Node.js designed to mitigate Server-Side Request Forgery (SSRF) attacks by blocking requests to private and reserved IP addresses by default. Currently stable at v3.2.0, the library has an active release cadence, introducing features like CIDR notation support for allow/deny lists in recent minor versions. Its key differentiator lies in providing a security-focused http.Agent that integrates seamlessly with popular HTTP clients such as node-fetch, axios, and got, while explicitly not supporting Node.js's built-in fetch due to its lack of http.Agent compatibility. The agent dynamically detects DNS-resolved IP addresses, including those from loopback domains like nip.io, ensuring comprehensive protection against internal network access.","language":"javascript","status":"active","last_verified":"Wed Apr 22","install":{"commands":["npm install request-filtering-agent"],"cli":null},"imports":["import { useAgent } from 'request-filtering-agent';","import { HttpFilteringAgent } from 'request-filtering-agent';","import { HttpsFilteringAgent } from 'request-filtering-agent';","import type { FilteringAgentOptions } from 'request-filtering-agent';"],"auth":{"required":false,"env_vars":[]},"quickstart":{"code":"import { request } from 'node:http';\nimport { useAgent, FilteringAgentOptions } from 'request-filtering-agent';\n\n// This URL resolves to a private loopback IP (127.0.0.1) and will be blocked by default.\nconst url = new URL('http://127.0.0.1:8080/');\n\nconst agentOptions: FilteringAgentOptions = {\n    // Optionally, specify allowed or denied IP lists using CIDR notation.\n    // allowIPAddressList: ['192.168.1.0/24'],\n    // denyIPAddressList: ['10.0.0.0/8']\n};\n\n// Create a filtering agent instance for the target URL\nconst agent = useAgent(url, agentOptions);\n\n// Use the agent with Node.js's built-in http.request\nconst req = request(url, { agent }, (res) => {\n    console.log(`STATUS: ${res.statusCode}`);\n    res.setEncoding('utf8');\n    res.on('data', (chunk) => {\n        console.log(`BODY: ${chunk}`);\n    });\n    res.on('end', () => {\n        console.log('No more data in response.');\n    });\n});\n\nreq.on('error', (e) => {\n    // Expected error for 127.0.0.1: \"DNS lookup 127.0.0.1(...) is not allowed. Because, It is private IP address.\"\n    console.error(`Problem with request: ${e.message}`);\n});\n\nreq.end();","lang":"typescript","description":"Demonstrates how to initialize and use `request-filtering-agent` with Node.js's built-in `http.request` to prevent requests to private IP addresses, showing expected error handling.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}