allowPrivateNetwork property
Whether did:web resolution may target private-network hosts.
Defaults to false: localhost and IP literals in loopback, private,
link-local, carrier-grade NAT, unique-local, multicast, unspecified,
or otherwise reserved ranges are rejected before any request is issued,
because a did:web issuer is attacker-controlled input (blind SSRF).
Limitation: only IP literals are checked. This package targets web/WASM as well as native platforms, so no DNS resolution is performed; a public hostname whose DNS record points at a private address is not detected here. Pair this check with operator-level egress controls (or allowedHosts) for defense in depth.
Implementation
final bool allowPrivateNetwork;