IABTechLab · prk-Jr · Mar 30, 2026 · Mar 16, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/.env.dev b/.env.dev
@@ -8,3 +8,11 @@ TRUSTED_SERVER__SYNTHETIC__OPID_STORE=opid_store
 # [proxy]
 # Disable TLS certificate verification for local dev with self-signed certs
 # TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK=false
+#
+# Restrict first-party proxy redirect targets to an allowlist (JSON array or indexed form).
+# Leave unset in local dev; configure in production to prevent SSRF via redirect chains
+# initiated by signed first-party proxy URLs.
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS='["*.doubleclick.net","*.googlesyndication.com"]'
+# Or using indexed form:
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS__0='*.doubleclick.net'
+# TRUSTED_SERVER__PROXY__ALLOWED_DOMAINS__1='*.googlesyndication.com'
diff --git a/crates/trusted-server-core/src/error.rs b/crates/trusted-server-core/src/error.rs
@@ -60,6 +60,10 @@ pub enum TrustedServerError {
     #[display("Proxy error: {message}")]
     Proxy { message: String },
 
+    /// A redirect destination was blocked by the proxy allowlist.
+    #[display("Redirect to `{host}` blocked: host not in proxy allowed_domains")]
+    AllowlistViolation { host: String },
+
     /// Settings parsing or validation failed.
     #[display("Settings error: {message}")]
     Settings { message: String },
@@ -99,6 +103,7 @@ impl IntoHttpResponse for TrustedServerError {
             Self::Prebid { .. } => StatusCode::BAD_GATEWAY,
             Self::Integration { .. } => StatusCode::BAD_GATEWAY,
             Self::Proxy { .. } => StatusCode::BAD_GATEWAY,
+            Self::AllowlistViolation { .. } => StatusCode::FORBIDDEN,
             Self::SyntheticId { .. } => StatusCode::INTERNAL_SERVER_ERROR,
             Self::Template { .. } => StatusCode::INTERNAL_SERVER_ERROR,
         }