
Understanding Scanner SSRF Protection and Private IPs

Learn why CertificateGuardian blocks private IP scans and how to configure public verification.


To maintain safety and security compliance, the CertificateGuardian scanner is equipped with robust SSRF (Server-Side Request Forgery) safeguards.

Why Private IPs are Blocked

Our scanning system resolves each domain's DNS records before initiating a connection. If a domain resolves to a private, loopback, or local IP address range (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16), the connection is automatically aborted.

This prevents the scanner from being used to scan internal network infrastructure or private endpoints.

Resolving Scan Failures

If you receive a scan failure stating "SSRF Blocked: Private Destination IP":

1. Verify that your DNS records are pointed to a public-facing IP address.
2. If you are testing CertificateGuardian on local or development servers, you must use a tunneling solution (like ngrok, Cloudflare Tunnels, or Localtunnel) to expose your server over a public domain URL.
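A pre-flight check for step 1, as an added example (not CertificateGuardian's code): it resolves a hostname and flags any returned address that is loopback, link-local, unspecified, or private, including IPv4-mapped IPv6 forms. The function names are hypothetical, and the categories come from Python's `ipaddress` module, which is an assumption about the exact ranges the scanner treats as non-public.

```python
import ipaddress
import socket


def blocked_reason(ip_text):
    """Return why an address counts as non-public, or None if it is public."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_private:
        return "private"
    return None


def check_addresses(addresses):
    """Check a full record set; a single non-public address fails the check."""
    findings = {a: blocked_reason(a) for a in addresses}
    blocked = {a: r for a, r in findings.items() if r}
    # An empty answer is not "ok": there is nothing public to connect to.
    return {"ok": bool(addresses) and not blocked, "blocked": blocked}


def resolve(hostname, port=443):
    """Return every A/AAAA address the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


# Constructed sample: a record set mixing one public and one internal address.
SAMPLE = ["8.8.8.8", "192.168.1.20"]

if __name__ == "__main__":
    import sys
    addrs = resolve(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(check_addresses(addrs))
```

Run it with your domain as the only argument. Your local resolver may return different records than a public one (split-horizon DNS), so compare against a public resolver if the result looks clean but scans still fail.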
