Which of the following practices is crucial for eradicating server-side request forgery attacks?


Not allowing HTTP redirection is the practice essential for eradicating server-side request forgery (SSRF) attacks. SSRF occurs when an attacker manipulates the requests a server makes in order to reach internal resources or services that should not be directly exposed or accessible from outside. By preventing HTTP redirection, you reduce the risk of attackers crafting requests that leverage your server to reach unintended destinations, such as internal APIs, databases, or other sensitive systems: a redirect would let a request that passed validation against its initial destination be bounced to one that would have been rejected.

Without HTTP redirection, an application is less likely to expose its internal network to outside threats. This practice supports the principle of least privilege and strengthens overall system security by ensuring that outgoing requests from your server cannot be steered to unintended or potentially harmful endpoints.

In contrast, encouraging unrestricted HTTP methods could allow attackers to use methods such as PUT or DELETE to modify resources on the server. Allowing internal server redirection by default would create avenues for SSRF attacks, since attackers could direct the server to make requests to internal services. Implementing weak authentication measures would only exacerbate the problem by giving unauthorized users more access with which to exploit SSRF vulnerabilities. By focusing on restricting redirection, the overall attack surface for SSRF is significantly reduced.
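As an added illustration (not part of the original quiz material), the following Python outbound-request policy shows the two controls discussed above working together: a urllib handler that refuses every HTTP redirect, and a check that the destination is a public address on an allowlist. The allowlisted host name is a constructed example.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed allowlist: the only external hosts this server may call.
ALLOWED_HOSTS = {"api.partner.example"}


class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse to follow any 3xx response.

    Treating a redirect as an error means an allowlisted first hop cannot
    bounce the server's request to an internal or otherwise blocked target.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(
            newurl, code, "redirect refused by outbound policy", headers, fp)


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a URL the server is about to request."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Literal IPs that are not globally routable (loopback, RFC 1918,
    # link-local such as cloud metadata endpoints, reserved) are rejected.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        return False, "non-public address"
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    return True, "ok"


def outbound_opener():
    """Opener to use for all server-side fetches: redirects are never followed."""
    return urllib.request.build_opener(NoRedirectHandler)
```

Resolve the allowlisted host name and re-check the resulting address as well, since the allowlist alone does not cover a name that resolves to an internal IP.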
