Curious what the higher-level solution to CSRF/SSRF is? I’m struggling to think how it could be prevented except at the browser level (for CSRF). And for SSRF if there’s a legitimate need for a network path between two services but one has an SSRF issue, how can you stop that?