SSRF URL classifier

Paste a URL and see where it actually points: loopback, a private or link-local range, a cloud metadata endpoint, CGNAT, reserved space, or the public internet. Decimal, octal, and hex IP obfuscation is decoded, dangerous schemes and embedded credentials are flagged, and an SSRF risk level is shown. It never resolves DNS and never sends the request.

Security & WAF

Everything is computed in your browser. This tool never resolves DNS and never sends the request; it classifies the address purely from the text you paste.

Destination categories
LoopbackThe host itself (127.0.0.0/8 or ::1). A server fetching this reaches its own local services.
Cloud metadataA cloud instance metadata endpoint (IMDS). Reaching it can expose credentials and instance data.
Link-localA link-local address (169.254.0.0/16 or fe80::/10), reachable only on the local segment.
Private networkAn RFC 1918 private range (10/8, 172.16/12, 192.168/16) or IPv6 ULA. Typically internal infrastructure.
Internal nameA hostname with an internal suffix (.internal, .local, .corp). Not a public name.
ReservedA reserved or special-use range (documentation, benchmarking, multicast, broadcast, future use).
Carrier-grade NATCarrier-grade NAT shared address space (100.64.0.0/10). Not public, but not classic private either.
PublicA public, routable address on the internet.
Resolves at runtimeA hostname whose address is only known after a DNS lookup, which this tool does not perform.
API endpointGEThttps://ronutz.com/api/v1/ssrf-url-classifierDocumented, not served. Opens the specification.