zshot/cli
⌘K
Download

--block-private-ips

Blocks the browser from connecting to private, loopback, and link-local IP ranges — a defense against SSRF, where a captured page redirects or fetches an internal address. On by default in server mode; off otherwise, so enable it explicitly when capturing untrusted URLs from the CLI.

Blocked ranges: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, ::1/128, fc00::/7, fe80::/10. 169.254.0.0/16 covers the cloud metadata endpoint at 169.254.169.254.

Adjust the set with --block-ip-range and --allow-ip-range; an allow range wins over a block.