URL previews can expose internal parts of your network to outsiders with specially formatted requests. To avoid leaking data about your infrastructure, it is incredibly important to ensure the allowable networks are configured:
```yaml
urlPreviews:
  previewUnsafeCertificates: false
  disallowedNetworks:
    - "127.0.0.1/8"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
    - "100.64.0.0/10"
    - "169.254.0.0/16"
    - '::1/128'
    - 'fe80::/64'
    - 'fc00::/7'
  allowedNetworks:
    - "0.0.0.0/0"
```
One or both of `disallowedNetworks` and `allowedNetworks` must be supplied, otherwise the media repo will refuse to generate previews. Both options are lists of CIDR ranges.
The media repo will first check `allowedNetworks` to see if the network is allowable. By default this is as shown above (`0.0.0.0/0`), allowing all networks to be previewed, limited only by the disallowed networks list.
If a network is allowed by `allowedNetworks`, the media repo will then check it against the `disallowedNetworks` list to ensure the request is still safe to go through to previewing. This is usually where private networks are specified, like in the example.
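The two-step check described above, written out as an added example (this is not the media repo's own code). It assumes the target has already been resolved to an IP address, and uses the default lists from the configuration shown above; the function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
)

// Lists copied from the configuration shown above.
var DefaultDisallowed = []string{
	"127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"100.64.0.0/10", "169.254.0.0/16", "::1/128", "fe80::/64", "fc00::/7",
}
var DefaultAllowed = []string{"0.0.0.0/0"}

// matchesAny parses each CIDR from the config and reports whether ip falls
// inside one of them; a malformed entry is an error rather than a silent miss.
func matchesAny(ip net.IP, cidrs []string) (bool, error) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		if n.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

// PreviewAllowed applies the documented order to an already-resolved target
// address: it must match allowedNetworks, and then must not match
// disallowedNetworks. Go never matches an IPv6 address against an IPv4
// prefix, so with only 0.0.0.0/0 allowed this check refuses IPv6 targets.
func PreviewAllowed(addr string, allowed, disallowed []string) (bool, error) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false, fmt.Errorf("not an IP address: %q", addr)
	}
	ok, err := matchesAny(ip, allowed)
	if err != nil || !ok {
		return false, err // not in allowedNetworks (or config error): refuse
	}
	denied, err := matchesAny(ip, disallowed)
	if err != nil {
		return false, err
	}
	return !denied, nil // in allowedNetworks: the deny list decides
}
```

With the defaults, a public address such as 93.184.216.34 is previewable while 10.20.30.40, 169.254.169.254 and fe80::1 are refused; narrowing `allowedNetworks` to a single range refuses everything outside it regardless of the deny list.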
In some rare circumstances, the certificates of the sites being previewed might not be traditionally signed or secure. If this is the case for your environment, set `previewUnsafeCertificates` to `true` to disable certificate checks on previews.