v1.0.0
Initial release of cboxdk/laravel-ssrf — a hardened, config-driven SSRF guard for outbound URLs in Laravel.
Highlights:
- Resolves both A and AAAA; blocks every private/reserved/cloud-metadata address.
- DNS-rebinding defence: resolve once, pin via CURLOPT_RESOLVE (TLS-safe), verify the connected IP, disable redirects.
- IPv6 transition forms (6to4, NAT64, Teredo, IPv4-mapped) blocked wholesale and embedded IPv4 re-checked (CVE-2026-48736 class).
- Http::ssrf() macro, PublicUrl validation rule, browser-redirect mode, FakeResolver test seam.
- Honest scope: network egress control is the complete fix.
CI is green (Pint, PHPStan max, 25 tests against real vectors, composer audit, license check, CycloneDX SBOM, TruffleHog secret scan, Semgrep SAST).