Releases: blowdart/idunno.Security.Ssrf

v5.3.0

09 May 16:02
Immutable release. Only release title and notes can be modified.
6b7b65e

Changed

  • Add verification to allowedHostnames to ensure they don't contain any IP literals, and throw an exception if they do.
  • Fix IPv6 proxy detection to check for IPv6 literals in the proxy address, not just hostnames that resolve to IPv6 addresses.
  • Add documentation warnings to configuration for allowedHostnames.
  • Add a TOCTOU warning to Ssrf.IsUnsafe documentation.

v5.2.0

08 May 02:00
5ba7df0

Added

  • Add Azure WireServer IP range.
  • Add AMT/Global-Unicast range.
  • Add AS112 ranges.
  • Add Deprecated Anycast Prefix for 6to4 Relay Routers.
  • Add IPv6 discard/dummy range.
  • Add Segment Routing (SRv6) SIDs range.
  • Add tests for the specific ranges AntiSSRF uses.

Changed

  • Stubbed the DNS resolver for the mixed.ipv6.ssrf.fail tests because some corporate DNS servers can be flaky with that host, so the tests are now deterministic.

v5.1.0

01 May 10:37
04e8178

Changed

  • URIs containing user information, e.g. https://user:pass@example.com, are now considered unsafe by IsUnsafeUri, IsUnsafe and
    the handlers.

v5.0.0

28 Apr 02:47
5027254

Added

  • Add property and method extensions to IPAddress to check for various special types of IPv6 addresses that may be relevant for SSRF protection, including:
    • Add check and normalization for IPv4-compatible IPv6 addresses, IsIPv4CompatibleIPv6 and MapIPv6CompatibleToIPv4().
    • Add check and normalization for 6to4 IPv6 addresses, Is6to4 and Map6to4ToIPv4().
    • Add check and normalization for ISATAP IPv6 addresses, IsISATAP and MapISATAPToIPv4().
    • Add check and normalization for NAT64 IPv6 addresses, IsNAT64 and MapNAT64ToIPv4().
    • Add normalization for Teredo IPv6 addresses, MapTeredoToIPv4().
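As an added illustration of why these normalizations matter (this is not the library's own code, and the function names are mine): each of the five transition formats listed above carries a real IPv4 target inside the IPv6 address, and it is that embedded IPv4 address, not the IPv6 wrapper, that has to be checked against the unsafe ranges. The decoding follows the respective RFCs (3056 for 6to4, 4380 for Teredo, 6052 for NAT64, 5214 for ISATAP, 4291 for IPv4-compatible).

```python
import ipaddress
from typing import Optional, Tuple

# Added illustration, not the library's implementation: unwrap the IPv4
# address embedded in the five IPv6 transition formats the release notes list.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")            # RFC 3056
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")          # RFC 4380
NAT64_WELL_KNOWN = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052


def embedded_ipv4(addr: str) -> Optional[Tuple[str, ipaddress.IPv4Address]]:
    """Return (format, ipv4) when `addr` embeds an IPv4 address, else None."""
    ip6 = ipaddress.IPv6Address(addr)
    b = ip6.packed  # 16 bytes in network order
    if ip6 in SIX_TO_FOUR:
        # 6to4: 2002:WWXX:YYZZ::/48, the IPv4 address occupies bits 16..47
        return "6to4", ipaddress.IPv4Address(b[2:6])
    if ip6 in TEREDO_PREFIX:
        # Teredo: the client IPv4 is the low 32 bits, obfuscated by XOR 0xff
        return "teredo", ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
    if ip6 in NAT64_WELL_KNOWN:
        # NAT64 well-known prefix: IPv4 in the low 32 bits
        return "nat64", ipaddress.IPv4Address(b[12:16])
    # ISATAP: interface identifier ::0000:5efe:a.b.c.d (0200:5efe with u/l bit)
    if b[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap", ipaddress.IPv4Address(b[12:16])
    if b[:12] == bytes(12) and int(ip6) > 1:
        # IPv4-compatible (deprecated): ::a.b.c.d, excluding :: and ::1
        return "ipv4-compatible", ipaddress.IPv4Address(b[12:16])
    return None


def is_unsafe_target(addr: str) -> bool:
    """True when the address, after unwrapping, points at a non-global host."""
    ip6 = ipaddress.IPv6Address(addr)
    found = embedded_ipv4(addr)
    target = found[1] if found else ip6
    return not target.is_global


if __name__ == "__main__":
    # Constructed samples: each IPv6 literal looks harmless until unwrapped.
    for sample in ("2002:7f00:1::", "64:ff9b::a9fe:a9fe", "fe80::5efe:a00:1"):
        print(sample, embedded_ipv4(sample), "unsafe" if is_unsafe_target(sample) else "ok")
```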

Changed

  • Breaking: Replace allowInsecureProtocols parameter with allowedSchemes in SsrfSocketsHttpHandlerFactory.Create(), ProxiedSsrfDelegatingHandler constructor and as a property in SsrfOptions to allow for more flexible protocol allow listing.

    To use the new collection replace allowInsecureProtocols : true with allowedSchemes : ["https", "http", "wss", "ws"].
    You can remove wss and ws if you have no WebSocket use.

  • Breaking: ProxiedSsrfDelegatingHandler now takes a new options class, ProxiedSsrfOptions, instead of SsrfOptions to allow for proxy-specific configuration. The new options class inherits from SsrfOptions,
    so all existing configuration options are still available, and the Proxy property has been added:

    • Proxy - an instance of WebProxy that will be used for the handler.
  • Breaking: ProxiedSsrfDelegatingHandler constructor now takes a WebProxy instance rather than an IWebProxy
    instance to allow the automatic safe listing of the proxy address.

  • Update OTEL dependencies to address CVE-2026-40894 - OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers

v4.0.0

14 Apr 21:37
bfa1b33

Added

  • Add allowedHostnames parameter to SsrfSocketsHttpHandlerFactory.Create(), ProxiedSsrfDelegatingHandler
    constructor and as a property in SsrfOptions to enable safe listing of host names,
    including support for wildcard patterns. (#6) (blowdart) (#7) (blowdart) (#9) (blowdart) (#10) (blowdart)
  • Add safeIPNetworks and safeIPAddresses parameters to SsrfSocketsHttpHandlerFactory.Create(),
    ProxiedSsrfDelegatingHandler constructor and as properties in SsrfOptions to enable safe listing of IP addresses and networks. (#6) (blowdart) (#8) (blowdart) (#9) (blowdart) (#10) (blowdart)
  • Add metrics for tracking SSRF attempts, including counts of blocked requests and counts for blocked hosts and IP addresses.

Changed

  • Disable Nagle on new Sockets to match SocketsHttpHandler (#11) (MihaZupan)
  • Breaking: Remove multiple overloads in favor of two Create methods, with defaults, on SsrfSocketsHttpHandlerFactory.
  • Breaking: Remove multiple constructors in favor of two constructors, with defaults, on ProxiedSsrfDelegatingHandler.
  • Breaking: Change casing of additionalUnsafeIpAddresses parameter to additionalUnsafeIPAddresses in constructors to match .NET's casing.
  • Breaking: Change casing of AdditionalUnsafeIpAddresses property to AdditionalUnsafeIPAddresses in SsrfOptions to match .NET's casing.
  • Breaking: Change additionalUnsafeNetworks parameter to additionalUnsafeIPNetworks to match .NET's naming.

v3.0.0

04 Apr 11:02
ff6fdca

Added

  • Add allowLoopback parameter to Ssrf.IsUnsafe, Ssrf.IsUnsafeHost, Ssrf.IsUnsafeIPAddress and
    SsrfSocketsHttpHandlerFactory.Create methods to allow localhost addresses to be considered valid
    if explicitly specified. Fixes #4
  • Add ProxiedSsrfDelegatingHandler to support the use of proxies.

Changed

  • Breaking: Remove Proxy parameter from SsrfSocketsHttpHandlerFactory.Create method.
    To create a handler with a proxy use ProxiedSsrfDelegatingHandler.

v2.0.0

31 Mar 09:23
84d8412

Changed

  • Breaking: Correct spelling of SsrfSocketsHttpHandlerFactory (#3) (josephdecock)

v1.1.0

29 Mar 17:21
e2163ac

v1.0.0

29 Mar 10:39
ed66eec

Initial Release