Build Status Code Climate

Checks if a URL or hostname would cause a request to a private network (RFC 1918). This is useful in preventing attacks like Server Side Request Forgery.


  • Ruby >= 2.0


Add this line to your application's Gemfile:

gem 'private_address_check'

And then execute:

$ bundle

Or install it yourself as:

$ gem install private_address_check


require "private_address_check"

PrivateAddressCheck.private_address?("") # => false
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("") # => true
PrivateAddressCheck.private_address?("fd00::2") # => true
PrivateAddressCheck.resolves_to_private_address?("") # => false
PrivateAddressCheck.resolves_to_private_address?("localhost") # => true

require "private_address_check/tcpsocket_ext"
require "net/http"
require "uri"

Net::HTTP.get_response(URI.parse("")) # => attempts connection like normal

PrivateAddressCheck.only_public_connections do
# => raises PrivateAddressCheck::PrivateConnectionAttemptedError


After checking out the repo, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to


Bug reports and pull requests are welcome on GitHub at This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.


If you've found a security issue in private_address_check, please reach out to @jtdowney via email to report.

Time of check to time of use

A library like private_address_check is going to be easily susceptible to attacks like time of check to time of use. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address by the subsequent resolution is a private address. There are some possible defenses and workarounds:

  • Use the TCPSocket extension in this library which checks the address the socket uses. This is most useful if your system is built on native Ruby like Net::HTTP.
  • Use a feature like the resolve capability in curl and curb to force the resolution to a pre-checked IP address.
  • Implement your own caching DNS resolver with something like dnsmasq or unbound. These tools let you set a minimum cache time that can override the TTL of 0.


The gem is available as open source under the terms of the MIT License.