diff --git a/server.js b/server.js
index 8dc73f18130077caa361219022688b47c55e8c21..436e21d3ebc3f45b6dd0bdb81ed6b6b67c68fdc5 100644
--- a/server.js
+++ b/server.js
@@ -2,6 +2,7 @@ const express = require('express');
 const path = require('path');
 const connectDB = require('./mongodb');
 const session = require('express-session');
+const url = require('url');
 
 const app = express();
 
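Review bot: `url` is required on line 9 but nothing added in this diff uses it; the new middleware inspects the remote address and never parses a URL. Unless a later part of server.js (outside this diff) calls into it, this is a dead import and `const url = require('url');` should be dropped rather than left as a hint that URL validation happens somewhere.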
@@ -9,6 +10,20 @@ const app = express();
 app.use(express.json());
 app.use(express.static(path.join(__dirname, 'public')));
 
+// Allow only localhost for SSRF protection
+function validateLocalhost(req, res, next) {
+  const remoteAddress = req.connection.remoteAddress;
+
+  // Allow requests only from localhost (IPv4 and IPv6)
+  if (remoteAddress !== '127.0.0.1' && remoteAddress !== '::1') {
+    return res.status(403).send('External requests are forbidden');
+  }
+
+  next();
+}
+
+app.use(validateLocalhost);  // Add the middleware
+
 // Session configuration
 app.use(
   session({
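Review bot: The loopback check on line 22 only accepts the literal strings `127.0.0.1` and `::1`, but when Node listens on a dual-stack socket (the usual result of `app.listen(port)` without a host) a connection from 127.0.0.1 is reported as the IPv4-mapped form `::ffff:127.0.0.1`, so genuine local requests would get the 403; `req.connection` on line 19 is also a deprecated alias of `req.socket`. Separately, the comment on line 17 calls this "SSRF protection", yet what the function implements is an inbound source-IP allowlist — it says nothing about URLs the server itself fetches — and behind a reverse proxy every request arrives from loopback, so the gate would pass everything; the comment should say what the check actually does. Note too that `express.static` is registered on line 15, before `app.use(validateLocalhost)` on line 29, so files under `public/` are still served to any client. Suggested rewrite of the middleware (comment, address source and the address set):

```javascript
// Source-IP allowlist: serve only connections that arrive over the loopback interface.
// This is not SSRF protection; behind a reverse proxy every request looks local.
const LOOPBACK_ADDRESSES = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function validateLocalhost(req, res, next) {
  // req.connection is a deprecated alias of req.socket
  const remoteAddress = req.socket.remoteAddress;

  if (!LOOPBACK_ADDRESSES.has(remoteAddress)) {
    return res.status(403).send('External requests are forbidden');
  }

  next();
}
```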