Finding in @fluxfingers’ https://t.co/3cox2GM3tz CTF: node.js’ http client translates hostname “localhost.xn--” (internationalized domain name / IDN) into “localhost.”. So the hostname may bypass some filter/WAF to get better SSRF.