GitHub Repository · 7 stars · Python

Drawbridge – Drop-In SSRF Protection for Python

by logicx24 · Mar 2, 2026 · 1 point · 0 comments

AI Analysis


Blocks DNS rebinding and SSRF redirects where URL validation fails.

Strengths
  • Transport-level validation eliminates the check-then-fetch gap that defeats URL parsing
  • Handles all IP obfuscation methods (decimal, hex, octal, IPv6-mapped) automatically
  • Re-validates on each redirect hop, catching staged SSRF attacks
Weaknesses
  • Limited to Python; teams using other languages need separate solutions
  • No async context manager example in README, only basic usage
Target Audience

Backend developers, Python web framework maintainers, security teams

Similar To

WAF-level SSRF protection (Cloudflare, AWS WAF) · urllib3 security patches · Flask-Security extensions

Post Description

Drawbridge is a drop-in replacement for `requests` or `httpx` that provides comprehensive SSRF protection.

For every request, it will:
  1. Resolve DNS first with a single getaddrinfo() call
  2. Validate all IPs, and reject if any resolved address is private/reserved
  3. Pin the connection by rewriting the URL to the validated IP, and set the Host header and TLS SNI to the original hostname
  4. Re-validate on each redirect hop

This blocks most SSRF attack methods: DNS rebinding, address obfuscation, and redirects.
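The resolve, validate, pin and re-validate sequence described above, as an added illustration that is not Drawbridge's own code. The `Resolver` injection point and the `fetch(pinned_url, host_header, sni)` transport callback are hypothetical, so the logic can be exercised offline; a real client would hand the pinned URL, Host header and SNI name to its HTTP library.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit, urlunsplit

# Hypothetical resolver hook: hostname -> addresses. The default makes one
# getaddrinfo() call, which also normalises obfuscated literals (0x7f000001, ...).
Resolver = Callable[[str], Iterable[str]]

def getaddrinfo_resolver(host: str) -> list:
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must follow the IPv4 rules
    return ip.is_global and not ip.is_multicast

def pin_url(url: str, resolver: Resolver = getaddrinfo_resolver) -> tuple:
    """Resolve once, reject if ANY answer is non-public, then rewrite the URL
    to the validated IP. Returns (pinned_url, host_header, sni_hostname)."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    addrs = list(resolver(p.hostname))
    bad = [a for a in addrs if not is_public(a)]
    if not addrs or bad:
        raise ValueError(f"{p.hostname!r} resolved to non-public {bad}")
    ip = ipaddress.ip_address(addrs[0])
    literal = f"[{ip}]" if ip.version == 6 else str(ip)
    port = "" if p.port is None else f":{p.port}"
    pinned = urlunsplit((p.scheme, literal + port, p.path, p.query, p.fragment))
    # Host header and TLS SNI keep the original name; the socket uses the IP.
    return pinned, p.hostname + port, p.hostname

def follow(url: str, fetch: Callable, resolver: Resolver = getaddrinfo_resolver,
           max_hops: int = 5) -> list:
    """Re-validate every redirect hop. `fetch(pinned_url, host_header, sni)` is
    a hypothetical transport returning (status, location_or_None)."""
    hops = []
    for _ in range(max_hops + 1):
        pinned, host_header, sni = pin_url(url, resolver)
        hops.append(pinned)
        status, location = fetch(pinned, host_header, sni)
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        url = location  # a redirect to an internal name fails inside pin_url()
    raise ValueError("too many redirects")
```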

Also see our launch post here: https://tachyon.so/blog/ssrfs-trickiest-issue
