
gitlab.com/gitlab-org/gitlab-foss.git
author     Francisco Javier López <fjlopez@gitlab.com>  2018-04-24 13:21:50 +0300
committer  Douwe Maan <douwe@gitlab.com>  2018-04-24 13:21:50 +0300
commit     6d3121bed329164bcb62ce6d85148900d786ee43
tree       145e2212db7f5735f818c18f1208468c27ffa9c2
parent     1e624f3401fd426f8fff7064184061d71d36f5bf
Improve documentation of SSRF protection
-rw-r--r--  changelogs/unreleased/fj-45057-improve-ssrf-documentation.yml  5
-rw-r--r--  doc/security/img/outbound_requests_section.png  bin 0 -> 18064 bytes
-rw-r--r--  doc/security/webhooks.md  13
3 files changed, 15 insertions, 3 deletions
diff --git a/changelogs/unreleased/fj-45057-improve-ssrf-documentation.yml b/changelogs/unreleased/fj-45057-improve-ssrf-documentation.yml
new file mode 100644
index 00000000000..b923f442b26
--- /dev/null
+++ b/changelogs/unreleased/fj-45057-improve-ssrf-documentation.yml
@@ -0,0 +1,5 @@
+---
+title: Added Webhook SSRF prevention to documentation
+merge_request: 18532
+author:
+type: other
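Review bot: The changelog title "Added Webhook SSRF prevention to documentation" is in the past tense while the commit message uses the imperative ("Improve documentation of SSRF protection"); consider aligning the two, for example "Document Webhook SSRF prevention". The `author:` field is left empty; please confirm that is intended for this entry, since the author and committer of the commit differ.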
diff --git a/doc/security/img/outbound_requests_section.png b/doc/security/img/outbound_requests_section.png
new file mode 100644
index 00000000000..95c9c6ee771
--- /dev/null
+++ b/doc/security/img/outbound_requests_section.png
Binary files differ
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md
index faabc53ce72..a573445ab5b 100644
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@@ -2,12 +2,19 @@
If you have non-GitLab web services running on your GitLab server or within its local network, these may be vulnerable to exploitation via Webhooks.
-With [Webhooks](../user/project/integrations/webhooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way.
+With [Webhooks](../user/project/integrations/webhooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way.
Things get hairy, however, when a Webhook is set up with a URL that doesn't point to an external, but to an internal service, that may do something completely unintended when the webhook is triggered and the POST request is sent.
Because Webhook requests are made by the GitLab server itself, these have complete access to everything running on the server (http://localhost:123) or within the server's local network (http://192.168.1.12:345), even if these services are otherwise protected and inaccessible from the outside world.
-If a web service does not require authentication, Webhooks can be used to trigger destructive commands by getting the GitLab server to make POST requests to endpoints like "http://localhost:123/some-resource/delete".
+If a web service does not require authentication, Webhooks can be used to trigger destructive commands by getting the GitLab server to make POST requests to endpoints like "http://localhost:123/some-resource/delete".
-To prevent this type of exploitation from happening, make sure that you are aware of every web service GitLab could potentially have access to, and that all of these are set up to require authentication for every potentially destructive command. Enabling authentication but leaving a default password is not enough.
+To prevent this type of exploitation from happening, starting with GitLab 10.6, all Webhook requests to the current GitLab instance server address and/or in a private network will be forbidden by default. That means that all requests made to 127.0.0.1, ::1 and 0.0.0.0, as well as IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 site-local (ffc0::/10) addresses won't be allowed.
+
+This behavior can be overridden by enabling the option *"Allow requests to the local network from hooks and services"* in the *"Outbound requests"* section inside the Admin area under **Settings** (`/admin/application_settings`):
+
+![Outbound requests admin settings](img/outbound_requests_section.png)
+
+>**Note:**
+*System hooks* are exempt from this protection because they are set up by admins.
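Review bot: The IPv6 prefix in the new "That means that all requests made to 127.0.0.1, ::1 and 0.0.0.0 ..." line is wrong: IPv6 site-local unicast is fec0::/10, not ffc0::/10 (ffc0::/10 lies inside the ff00::/8 multicast range), so the text should read "IPv6 site-local (fec0::/10)". While fixing that, please check the whole list against what the blocking code actually rejects so the documentation neither overstates nor understates the protection; IPv6 unique-local (fc00::/7) and IPv4 link-local (169.254.0.0/16) addresses are not mentioned at all. Two paragraphs in this hunk ("With [Webhooks](...)" and "If a web service does not require authentication ...") are removed and re-added with identical visible text, which suggests whitespace-only changes; either drop those lines from the change or say in the commit message that trailing whitespace was stripped. Finally, the removed advice that every internal web service should require authentication (and not keep a default password) is still valuable as defence in depth, because the new admin option "Allow requests to the local network from hooks and services" re-enables local requests and system hooks are exempt per the added note; consider keeping that paragraph after the new text instead of deleting it.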