
SSRF Protection for User-Supplied URLs

How BlueClerk blocks server-side request forgery attacks when fetching user-provided URLs

Overview

When you provide URLs in AI chat (for image analysis) or takeoff revisions (for blueprint fetching), BlueClerk automatically validates them to prevent server-side request forgery (SSRF) attacks. This security layer ensures user-supplied URLs can't be used to access internal systems or private networks.

What Gets Blocked

Non-HTTPS URLs

Only HTTPS URLs are allowed. HTTP and every other scheme (file://, ftp://, gopher:// and so on) are rejected, which both guarantees an encrypted connection and keeps the fetcher from being pointed at non-HTTP handlers.

Internal/Private Addresses

BlueClerk blocks requests to:

  • Localhost - 127.0.0.1, ::1, localhost
  • Private IP ranges - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Link-local addresses - 169.254.0.0/16 (this range contains the cloud instance-metadata endpoint 169.254.169.254, the classic SSRF target on AWS)
  • IPv6 private ranges - fc00::/7 (unique-local) and fe80::/10 (link-local)

Redirects

HTTP redirects are blocked entirely: a 3xx response is treated as an error rather than followed. Otherwise an attacker could serve a public URL that passes validation and then redirect the fetcher to an internal address that was never checked.

Where This Protection Applies

SSRF protection is active when:

  • Uploading images via URL in AI chat
  • Fetching blueprints in takeoff revision detection
  • Any feature where you provide a URL that BlueClerk fetches on your behalf

Error Messages

If your URL is blocked, you'll see:

  • "Invalid URL" - The URL format is malformed
  • "Only HTTPS URLs are allowed" - You provided an HTTP or other non-HTTPS URL
  • "URL points to a blocked host" - The URL resolves to a private or internal address
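The checks described under What Gets Blocked, producing the three messages listed under Error Messages, as an added Python example. This is illustrative code written for this page, not BlueClerk's implementation. It assumes a blocklist mirroring the ranges listed above (plus 0.0.0.0/8, which is not on the page), a hypothetical system_resolver helper, and a stand-in message for refused redirects, since the page does not quote one. It goes slightly beyond the text in two ways a practitioner would want: IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are unwrapped before the range check, and every DNS answer for a hostname is inspected, not just the first.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Example blocklist mirroring the ranges on this page. Not BlueClerk's list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",     # IPv4 loopback (127.0.0.1 lives here)
    "10.0.0.0/8",      # RFC 1918 private
    "172.16.0.0/12",   # RFC 1918 private
    "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16",  # link-local; contains the 169.254.169.254 metadata endpoint
    "0.0.0.0/8",       # "this host"; assumption, not listed on the page
    "::1/128",         # IPv6 loopback
    "fc00::/7",        # IPv6 unique-local
    "fe80::/10",       # IPv6 link-local
)]


class SSRFError(ValueError):
    """Carries one of the user-facing messages from this page."""


def is_blocked_ip(ip):
    """True when the address sits in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host):
    """Hypothetical helper: every A/AAAA answer for host, as strings (uses real DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})


def validate_url(url, resolver=system_resolver):
    """Return the addresses the URL leads to, or raise SSRFError.

    Checks run in the order of the page's error list: format, scheme, host.
    `resolver` is injectable so the check can be tested without network access.
    """
    try:
        parts = urlsplit(url)           # raises on e.g. an unclosed IPv6 bracket
    except ValueError:
        raise SSRFError("Invalid URL") from None
    if parts.scheme != "https":         # urlsplit lower-cases the scheme
        raise SSRFError("Only HTTPS URLs are allowed")  # http, file, ftp, scheme-less...
    try:
        host = parts.hostname           # lower-cased, brackets stripped from IPv6 literals
        parts.port                      # the property raises ValueError on ":abc"
    except ValueError:
        raise SSRFError("Invalid URL") from None
    if not host:
        raise SSRFError("Invalid URL")
    if host == "localhost" or host.endswith(".localhost"):
        raise SSRFError("URL points to a blocked host")
    try:
        ips = [ipaddress.ip_address(host)]   # literal address: no lookup needed
    except ValueError:
        try:
            answers = resolver(host)
        except socket.gaierror:
            answers = []
        if not answers:
            raise SSRFError("Invalid URL") from None  # name does not resolve
        ips = [ipaddress.ip_address(a) for a in answers]
    # Every answer must be public: one private record among several is enough to block.
    if any(is_blocked_ip(ip) for ip in ips):
        raise SSRFError("URL points to a blocked host")
    return ips


def check_url(url, resolver=system_resolver):
    """The message a user would see, or None when the URL is acceptable."""
    try:
        validate_url(url, resolver)
    except SSRFError as exc:
        return str(exc)
    return None


class _NoRedirects(urllib.request.HTTPRedirectHandler):
    """Turn any 3xx into an error instead of following it to an unvalidated target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise SSRFError("Redirects are not allowed")  # example wording, not the page's


def safe_fetch(url, max_bytes=10 * 1024 * 1024, timeout=10):
    """Validate the URL, then fetch it with redirects refused and a size cap."""
    validate_url(url)
    opener = urllib.request.build_opener(_NoRedirects())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(max_bytes)
```

Two design points are worth noting. The range check is applied to what the name resolves to, which is why a perfectly public-looking hostname can still be refused if any of its records is private. And because an HTTP client normally re-resolves the name when it connects, a production fetcher should connect to the address it validated (or validate inside the connection step) rather than resolving twice; that part is outside this example.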

Tips

  • Use publicly accessible URLs - Host images on S3, Cloudinary, or other public CDNs
  • Ensure HTTPS - Upload images to services that support HTTPS
  • Avoid internal hostnames - Don't use URLs like http://localhost:3000/image.jpg (that example fails both the HTTPS check and the blocked-host check)

Questions

Q: Why can't I use HTTP URLs? A: HTTP is unencrypted, so anyone on the network path could read or replace the file BlueClerk fetches. BlueClerk requires HTTPS so the content it processes is the content you pointed it at.

Q: I'm getting "blocked host" errors but my URL is public. Why? A: The check is applied to the address the hostname resolves to, not to how the name looks. A hostname that resolves to a private IP (for example one served by split-horizon DNS or reachable only over a VPN) is blocked even though it has a public-looking name. Try re-hosting the file on a public CDN like S3 or Cloudinary.

Q: Can I fetch images from my local development server? A: No - localhost and private IP addresses are blocked by design to prevent SSRF attacks. Upload images to a public hosting service instead.
