
Ruby gem to help prevent Server Side Request Forgery

MIT License



Checks if a URL or hostname would cause a request to a private network (RFC 1918). This is useful in preventing attacks like Server Side Request Forgery.


  • Ruby >= 2.4


```ruby
require "private_address_check"

PrivateAddressCheck.private_address?("") # => false
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("fd00::2") # => true
PrivateAddressCheck.resolves_to_private_address?("") # => false
PrivateAddressCheck.resolves_to_private_address?("localhost") # => true
```

```ruby
require "private_address_check/tcpsocket_ext"
require "net/http"
require "uri"

Net::HTTP.get_response(URI.parse("")) # => attempts connection like normal

# Inside the block every TCPSocket connection is checked against the address
# it actually connects to, so a request to a private address is refused.
PrivateAddressCheck.only_public_connections do
  Net::HTTP.get_response(URI.parse("")) # => raises PrivateAddressCheck::PrivateConnectionAttemptedError
end
```


If you've found a security issue in private_address_check, please reach out to @jtdowney via email to report.

Time of check to time of use

A library like private_address_check is inherently susceptible to time-of-check-to-time-of-use attacks: the hostname is resolved and checked once, and then resolved again when the connection is made. A DNS entry with a TTL of 0 can exploit this gap, answering with a public address for the check but a private address for the subsequent resolution. There are some possible defenses and workarounds:

  • Use the TCPSocket extension in this library, which checks the address the socket actually connects to rather than the result of an earlier lookup. This is most useful if your HTTP client is pure Ruby, like Net::HTTP, since the extension only sees connections made through Ruby's TCPSocket.
  • Use a feature like the resolve capability in curl (`--resolve`) and curb to pin the connection to an IP address you have already checked, so no second resolution happens.
  • Implement your own caching DNS resolver with something like dnsmasq or unbound. These tools let you set a minimum cache time that overrides the TTL of 0, so the check and the connection see the same answer.
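To make the API above and the TOCTOU discussion concrete, here is an added example (written for this page, not the gem's own code) that implements a stdlib-only version of the private-address check and the "resolve once, then pin the vetted IP" pattern from the second workaround. `PrivateConnectionAttempted`, `vetted_public_ip` and `pinned_get` are names chosen here; the resolver is injectable so the check can run without network access.

```ruby
require "ipaddr"
require "resolv"
require "net/http"

class PrivateConnectionAttempted < StandardError; end

# RFC 1918 plus loopback, link-local, CGNAT, "this network" and the IPv6
# loopback, ULA and link-local equivalents.
PRIVATE_RANGES = %w[
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16
  100.64.0.0/10 0.0.0.0/8 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True for an IP literal inside any range above. IPv4-mapped IPv6 forms such
# as ::ffff:10.0.0.1 are unwrapped first so they cannot bypass the IPv4 ranges.
# Raises IPAddr::InvalidAddressError for anything that is not an IP literal.
def private_address?(address)
  ip = IPAddr.new(address.to_s)
  ip = ip.native if ip.ipv4_mapped?
  PRIVATE_RANGES.any? { |range| range.include?(ip) }
end

# Resolves HOST once, rejects it if ANY answer is private, and returns the
# vetted address. The caller must connect to that address, not to the name:
# re-resolving at connect time is exactly the window a 0-TTL record abuses.
# RESOLVER is injectable (hypothetical parameter) so tests can run offline.
def vetted_public_ip(host, resolver: ->(h) { Resolv.getaddresses(h) })
  answers = (IPAddr.new(host) rescue nil) ? [host] : resolver.call(host)
  raise PrivateConnectionAttempted, "#{host}: no address" if answers.empty?
  bad = answers.find { |a| private_address?(a) }
  raise PrivateConnectionAttempted, "#{host} -> #{bad}" if bad
  answers.first
end

# Connects to the pinned IP and carries the original name in the Host header,
# the same idea as curl's --resolve. Plain HTTP only: for HTTPS the hostname
# would also have to be supplied for SNI and certificate verification.
def pinned_get(url)
  uri = URI.parse(url)
  ip = vetted_public_ip(uri.host)
  req = Net::HTTP::Get.new(uri.request_uri)
  req["Host"] = uri.host
  Net::HTTP.new(ip, uri.port).request(req)
end
```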


The gem is available as open source under the terms of the MIT License.