Skip to content

feat(webhooks): ALLOW_PRIVATE_NETWORK_TARGETS env to allow internal targets#1579

Merged
mattwoberts merged 3 commits into
getfider:mainfrom
hodyhq:feat/allow-private-webhook-targets
Jun 24, 2026
Merged

feat(webhooks): ALLOW_PRIVATE_NETWORK_TARGETS env to allow internal targets#1579
mattwoberts merged 3 commits into
getfider:mainfrom
hodyhq:feat/allow-private-webhook-targets

Conversation

@hodyhq

@hodyhq hodyhq commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Self-hosted Fider instances frequently need webhook targets on the same LAN (Plane, n8n, internal Slack bridges, etc.). Upstream's SSRF guard in WebhookURL() rejects every RFC1918 / loopback / link-local target with no override, which makes Fider unusable for internal-only deployments that depend on webhook integrations.

This commit adds an opt-in env var WEBHOOK_ALLOW_PRIVATE_IPS (default false) that, when set, skips the private-network check. Format validation (well-formed URL, http/https scheme) still runs.

Tests cover: the new env keeps existing blocked addresses blocked when unset (no behavior change for hosted Fider); when enabled, RFC1918, loopback, link-local, and "localhost" all pass validation; opting in still rejects non-http schemes and malformed URLs.

Issue:

Self-hosted Fider instances frequently need webhook targets on the same
LAN (Plane, n8n, internal Slack bridges, etc.). Upstream's SSRF guard
in WebhookURL() rejects every RFC1918 / loopback / link-local target
with no override, which makes Fider unusable for internal-only
deployments that depend on webhook integrations.

This commit adds an opt-in env var WEBHOOK_ALLOW_PRIVATE_IPS (default
false) that, when set, skips the private-network check. Format
validation (well-formed URL, http/https scheme) still runs.

Tests cover: the new env keeps existing blocked addresses blocked when
unset (no behavior change for hosted Fider); when enabled, RFC1918,
loopback, link-local, and "localhost" all pass validation; opting in
still rejects non-http schemes and malformed URLs.
@mattwoberts mattwoberts added the config Flagged when a change adds additional config that will need documenting somewhere. label Jun 23, 2026
@mattwoberts

Copy link
Copy Markdown
Contributor

Should be an issue really, but I'll let you off

mattwoberts and others added 2 commits June 24, 2026 13:18
The validate.WebhookURL SSRF guard is shared: besides webhooks it also
validates OAuth token/profile URLs. The previous WEBHOOK_ALLOW_PRIVATE_IPS
name implied a webhook-only scope and understated that enabling it also
relaxes SSRF protection for OAuth provider config.

Rename the env var (and Go field) to ALLOW_PRIVATE_NETWORK_TARGETS, document
it in .example.env with an SSRF note, and clarify the WebhookURL doc comment.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mattwoberts mattwoberts changed the title feat(webhooks): WEBHOOK_ALLOW_PRIVATE_IPS env to allow internal targets feat(webhooks): ALLOW_PRIVATE_NETWORK_TARGETS env to allow internal targets Jun 24, 2026
@mattwoberts

Copy link
Copy Markdown
Contributor

Thanks @hodyhq , I'll bring this in now 👍

@mattwoberts mattwoberts merged commit 0914541 into getfider:main Jun 24, 2026
5 checks passed
@hodyhq hodyhq deleted the feat/allow-private-webhook-targets branch July 7, 2026 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

config Flagged when a change adds additional config that will need documenting somewhere.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants