SecureHttpFetchOptions Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.SecureHttpFetch
SecureHttpFetchOptions Class
Configuration options for secure HTTP fetching with SSRF protection.
public class SecureHttpFetchOptions
Inheritance System.Object → SecureHttpFetchOptions
Properties
SecureHttpFetchOptions.AllowedSchemes Property
List of allowed URI schemes. Default: null (all schemes allowed).
public string[]? AllowedSchemes { get; set; }
Property Value
Remarks
When set, only URIs with schemes in this list will be allowed. Common secure configuration: new[] { "https" } to enforce HTTPS-only fetching. Setting this to null or empty array allows all schemes.
SecureHttpFetchOptions.BlockPrivateNetworks Property
Whether to block requests to private networks. Default: true.
public bool BlockPrivateNetworks { get; set; }
Property Value
Remarks
When true, blocks requests to: - Private IP ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) - Link-local addresses (169.254.0.0/16 for IPv4, fe80::/10 for IPv6) - Loopback addresses (127.0.0.0/8 for IPv4, ::1 for IPv6) - Common internal hostnames (localhost, internal, etc.) Set to false only in development environments where fetching from internal networks is required.
SecureHttpFetchOptions.MaxResponseSizeBytes Property
Maximum allowed response size in bytes. Default: 5 MB (5242880 bytes).
public long MaxResponseSizeBytes { get; set; }
Property Value
Remarks
This limit prevents denial-of-service attacks via extremely large responses. Increase this value if you need to fetch larger documents (e.g., large JSON Web Key Sets).
SecureHttpFetchOptions.RequestTimeout Property
Maximum time to wait for the complete HTTP request (including DNS resolution and data transfer). Default: 30 seconds.
public System.TimeSpan RequestTimeout { get; set; }
Property Value
Remarks
This timeout applies to the entire request lifecycle. Lower values provide better protection against slowloris attacks but may cause failures for legitimate slow responses.