Show HN: Drawbridge – Drop-In SSRF Protection for Python

Drawbridge is a drop-in replacement for `requests` or `httpx` that provides comprehensive SSRF protection.

For every request, it will:

1. Resolve DNS first with a single getaddrinfo() call
2. Validate all IPs, and reject if any resolved address is private/reserved
3. Pin the connection by rewriting the URL to the validated IP, setting the Host header and TLS SNI to the original hostname
4. Re-validate on each redirect hop

This blocks most SSRF attack methods: DNS rebinding, address obfuscation, and redirects.

Also see our launch post here: https://tachyon.so/blog/ssrfs-trickiest-issue


logicx24

4 hours ago
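The resolve, validate and pin steps listed in the post, sketched with only the Python standard library. This is an added example, not Drawbridge's code or API: `pin`, `is_public`, `resolve_once` and `BlockedAddress` are hypothetical names, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit


class BlockedAddress(ValueError):
    """Raised when a URL must not be fetched (hypothetical name)."""


def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, RFC 1918, link-local and reserved ranges.
    return ip.is_global and not ip.is_multicast


def resolve_once(host, port):
    # One getaddrinfo() call; its answer is the only one that is ever used,
    # so a second DNS answer (rebinding) never reaches the socket layer.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def pin(url, resolver=resolve_once):
    """Return (pinned_url, host_header, sni) or raise BlockedAddress."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedAddress(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    bad = [a for a in addrs if not is_public(a)]
    if not addrs or bad:  # reject if ANY resolved address is internal
        raise BlockedAddress(f"{parts.hostname} resolved to {bad or 'nothing'}")
    ip = addrs[0]
    literal = f"[{ip}]" if ":" in ip else ip  # bracket IPv6 literals
    pinned = urlunsplit(
        (parts.scheme, f"{literal}:{port}", parts.path or "/", parts.query, "")
    )
    # The caller connects to pinned, but sends the original name as the
    # Host header and TLS SNI so virtual hosting and cert checks still work.
    host_header = parts.hostname if parts.port is None else f"{parts.hostname}:{port}"
    return pinned, host_header, parts.hostname
```

A redirect-following client would pass each `Location` target through `pin()` again before connecting, which corresponds to the per-hop re-validation in step 4.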

