diff --git a/guava/src/com/google/common/net/InternetDomainName.java b/guava/src/com/google/common/net/InternetDomainName.java
index 56463438bf0e..ae9d3b4abe20 100644
--- a/guava/src/com/google/common/net/InternetDomainName.java
+++ b/guava/src/com/google/common/net/InternetDomainName.java
@@ -354,6 +354,12 @@ public boolean isPublicSuffix() {
 *
Note that this method is equivalent to {@link #hasRegistrySuffix()} because all registry
 * suffixes are public suffixes and all public suffixes have registry suffixes.
 *
+ *
Security note: This method performs syntactic validation only and does not perform
+ * DNS resolution. A syntactically valid domain (e.g., {@code 169.254.169.254.nip.io}) may resolve
+ * to a private or link-local IP address via wildcard DNS services. Do not use this method as an
+ * SSRF prevention control. To block SSRF, combine domain validation with IP resolution checks
+ * against RFC-1918, RFC-5737, and RFC-3927 ranges after DNS resolution.
+ *
 * @since 6.0
 */
 public boolean hasPublicSuffix() {
@@ -380,6 +386,12 @@ public boolean hasPublicSuffix() {
 * the domain, though even that depends on individual browsers' implementations of cookie
 * controls. See RFC 2109 for details.
 *
+ *
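Review bot: The added paragraph says hasPublicSuffix() "performs syntactic validation only", but the surrounding Javadoc shows this method answers whether the name has a public suffix, so that sentence misdescribes it; the identical text is repeated on isUnderPublicSuffix() in the second hunk and fits only isValid(String) in the third. Suggest wording the first sentence per method, for this hunk `* Security note: This method only consults the public suffix list and does not perform DNS resolution.`. The prescribed mitigation also has a gap: comparing a separately resolved address against a range list is subject to DNS rebinding, so the note should tell callers to validate the address the connection actually uses rather than the result of an earlier lookup. The range list omits loopback and the IPv6 private and link-local blocks while citing RFC 5737, which reserves only documentation addresses; RFC 6890 (the special-purpose address registry) is the more complete reference. Write the references as `RFC 1918` to match the file's existing `RFC 2109` spelling.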
Security note: This method performs syntactic validation only and does not perform
+ * DNS resolution. A syntactically valid domain (e.g., {@code 169.254.169.254.nip.io}) may resolve
+ * to a private or link-local IP address via wildcard DNS services. Do not use this method as an
+ * SSRF prevention control. To block SSRF, combine domain validation with IP resolution checks
+ * against RFC-1918, RFC-5737, and RFC-3927 ranges after DNS resolution.
+ *
 * @since 6.0
 */
 public boolean isUnderPublicSuffix() {
@@ -600,6 +612,12 @@ public InternetDomainName child(String leftParts) {
 * }
 * }
 *
+ *
Security note: This method performs syntactic validation only and does not perform
+ * DNS resolution. A syntactically valid domain (e.g., {@code 169.254.169.254.nip.io}) may resolve
+ * to a private or link-local IP address via wildcard DNS services. Do not use this method as an
+ * SSRF prevention control. To block SSRF, combine domain validation with IP resolution checks
+ * against RFC-1918, RFC-5737, and RFC-3927 ranges after DNS resolution.
+ *
 * @since 8.0 (previously named {@code isValidLenient})
 */
 public static boolean isValid(String name) {