Test a URL for SSRF Attacks in PHP

1 min readMar 2, 2021


Do you perform regular validation tests on URLs? If not, you may be putting your web applications and other internal resources at risk. SSRF attacks can threaten not only servers, but other connected private information such as cloud services in AWS and OpenStack. The following API can assist in SSRF threat protection by checking if an input URL is at risk.

First, we will run this command to install the client:

composer require cloudmersive/cloudmersive_validate_api_client

Next, we are going to call the URL SSRF request function:

require_once(__DIR__ . '/vendor/autoload.php');
// Configure API key authorization: Apikey
$config = Swagger\Client\Configuration::getDefaultConfiguration()->setApiKey('Apikey', 'YOUR_API_KEY');
$apiInstance = new Swagger\Client\Api\DomainApi(

new GuzzleHttp\Client(),
$request = new \Swagger\Client\Model\UrlSsrfRequestFull(); // \Swagger\Client\Model\UrlSsrfRequestFull | Input URL request
try {
$result = $apiInstance->domainSsrfCheck($request);
} catch (Exception $e) {
echo 'Exception when calling DomainApi->domainSsrfCheck: ', $e->getMessage(), PHP_EOL;

Once the operation is completed, a result will be returned that will indicate if the URL is clean and the threat level. To retrieve your personal API key, head to the Cloudmersive website to register for a free account and receive 800 calls/month across our library of APIs.




There’s an API for that. Cloudmersive is a leader in Highly Scalable Cloud APIs.