block local addresses to prevent SSRF attacks

commafeed-server/doc/commafeed.md

@@ -287,6 +287,29 @@ MemorySize [🛈](#memory-size-note-anchor)
 `5M`
 </td>
 </tr>
+<tr>
+<td>
+
+`commafeed.http-client.block-local-addresses`
+
+Prevent access to local addresses to mitigate server-side request forgery (SSRF) attacks, which could potentially expose internal
+resources.
+
+You may want to disable this if you subscribe to feeds that are only available on your local network and you trust all users of
+your CommaFeed instance.
+
+
+
+Environment variable: `COMMAFEED_HTTP_CLIENT_BLOCK_LOCAL_ADDRESSES`</td>
+<td>
+
+boolean
+</td>
+<td>
+
+`true`
+</td>
+</tr>
 <thead>
 <tr>
 <th align="left" colspan="3">