allowPrivateNetwork property

bool allowPrivateNetwork
final

Whether did:web resolution may target private-network hosts.

Defaults to false: localhost and IP literals in loopback, private, link-local, carrier-grade NAT, unique-local, multicast, unspecified, or otherwise reserved ranges are rejected before any request is issued, because a did:web issuer is attacker-controlled input (blind SSRF).

Limitation: only IP literals are checked. This package targets web/WASM as well as native platforms, so no DNS resolution is performed; a public hostname whose DNS record points at a private address is not detected here. Pair this check with operator-level egress controls (or allowedHosts) for defense in depth.

Implementation

final bool allowPrivateNetwork;