
Add SSRF protection documentation for outbound request security#11332

Open
JanithaSampathBandara wants to merge 1 commit into wso2:master from JanithaSampathBandara:feature/ssrf-fix-docs

Conversation

@JanithaSampathBandara

Purpose

This PR adds documentation for the outbound request security feature introduced to mitigate Server-Side Request Forgery (SSRF) attacks in WSO2 API Manager.

The documentation covers how administrators can configure platform-level and tenant-level outbound request security policies for user-provided remote URLs.


Goals

  • Document the outbound request security feature
  • Document platform-level configuration
  • Document tenant-level configuration
  • Explain configuration precedence
  • Document host pattern matching behavior
  • Document private network access blocking
  • Provide security best practices

Approach

Added a new administration guide for:

  • Outbound Request Security

Added documentation for platform-level configuration:

[apim.outbound_request_security]
enabled = false
mode = "allow_all"
exceptions = []
block_private_network_access = false

Added APIM Config Catalog documentation for:

  • enabled
  • mode
  • exceptions
  • block_private_network_access

Added Advanced Configuration documentation for tenant-level configuration:

"OutboundRequestSecurity": {
    "EnableHostAllowlist": false,
    "HostAllowlistPatterns": ["*"]
}

Added documentation for:

  • Configuration precedence
  • Wildcard host matching
  • Private network blocking
  • Error handling
  • Example usage scenarios

Release Note

Added documentation for outbound request security and SSRF protection.


Testing

Verified locally using MkDocs:

  • New administration page renders correctly
  • Config catalog entry renders correctly
  • Advanced configuration entry renders correctly
  • Navigation entry is available
  • Markdown rendering is valid
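The behaviour the guide describes (a platform-level mode with exceptions, private-network blocking, and a tenant-level wildcard host allowlist that is consulted after the platform policy) is easier to reason about with a small executable model. The following is an added example written for this page, not WSO2 API Manager's implementation: it reuses the option names from the PR (`mode`, `exceptions`, `block_private_network_access`, `EnableHostAllowlist`, `HostAllowlistPatterns`), but the exact meaning of `mode`/`exceptions`, the rule that a tenant allowlist can only narrow the platform policy, and the constructed `FAKE_DNS` answers are assumptions made here for illustration.

```python
"""Illustrative outbound-request (SSRF) guard.  Added example, NOT WSO2 APIM's
code; option names come from the PR, their semantics are assumed."""
import fnmatch
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit


@dataclass
class PlatformPolicy:
    """Mirrors the [apim.outbound_request_security] keys (assumed semantics)."""
    enabled: bool = False
    mode: str = "allow_all"          # assumed: "allow_all", anything else = deny by default
    exceptions: List[str] = field(default_factory=list)   # assumed: patterns that invert `mode`
    block_private_network_access: bool = False


@dataclass
class TenantPolicy:
    """Mirrors the tenant-level OutboundRequestSecurity JSON keys."""
    enable_host_allowlist: bool = False
    host_allowlist_patterns: List[str] = field(default_factory=lambda: ["*"])


class OutboundRequestBlocked(Exception):
    """Raised when a user-supplied URL must not be fetched."""


def host_matches(host: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive glob match: '*' matches any host; '*.example.com' matches
    api.example.com (and a.b.example.com) but NOT example.com itself."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower().rstrip(".")) for p in patterns)


def is_private_address(ip_text: str) -> bool:
    """True for anything not globally routable: RFC 1918, loopback, link-local
    (incl. 169.254.169.254 metadata), CGNAT, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return not ip.is_global


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer from the OS resolver (default when none is injected)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, platform: PlatformPolicy,
                          tenant: Optional[TenantPolicy] = None,
                          resolver: Callable[[str], List[str]] = system_resolver) -> str:
    """Return the hostname if the request may proceed, else raise.  Assumed
    precedence: platform policy first; a tenant allowlist can only narrow it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise OutboundRequestBlocked(f"unsupported scheme or missing host: {url!r}")
    host = parts.hostname.lower()          # brackets already stripped for IPv6 literals

    if platform.enabled:
        excepted = host_matches(host, platform.exceptions)
        if (platform.mode == "allow_all") == excepted:   # an exception flips the default
            raise OutboundRequestBlocked(f"{host} denied by platform policy")
        if platform.block_private_network_access:
            try:
                ipaddress.ip_address(host)
                addrs = [host]                          # literal IP: no DNS needed
            except ValueError:
                try:
                    addrs = resolver(host)
                except socket.gaierror as exc:
                    raise OutboundRequestBlocked(f"{host} does not resolve") from exc
            # Block if ANY answer is internal: a mixed public/private answer set is a rebinding trick.
            if not addrs or any(is_private_address(a) for a in addrs):
                raise OutboundRequestBlocked(f"{host} points at a private/internal address")

    if tenant is not None and tenant.enable_host_allowlist:
        if not host_matches(host, tenant.host_allowlist_patterns):
            raise OutboundRequestBlocked(f"{host} not in tenant allowlist")
    return host


# Constructed DNS answers for the demo (not real records).
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "other.example": ["93.184.216.35"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.36", "10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no record for {host}")
    return FAKE_DNS[host]


def demo() -> dict:
    """Run the guard over constructed URLs; returns {url: verdict}."""
    platform = PlatformPolicy(enabled=True, mode="allow_all",
                              exceptions=["*.blocked.example"],
                              block_private_network_access=True)
    tenant = TenantPolicy(enable_host_allowlist=True,
                          host_allowlist_patterns=["*.partner.example", "rebind.example"])
    urls = ["https://api.partner.example/v1/orders",
            "https://other.example/",               # passes platform, fails tenant allowlist
            "https://evil.blocked.example/",        # platform exception
            "https://metadata.internal.example/",   # resolves to link-local
            "http://[::ffff:10.0.0.1]/admin",       # IPv4-mapped IPv6 literal
            "https://rebind.example/",              # one public + one private answer
            "ftp://api.partner.example/"]
    results = {}
    for url in urls:
        try:
            results[url] = "allowed " + validate_outbound_url(url, platform, tenant, fake_resolver)
        except OutboundRequestBlocked as exc:
            results[url] = "blocked: " + str(exc)
    return results
```

Two caveats a deployment should carry over from this model: the private-address check is only as good as the moment it runs, so the address actually connected to (and every redirect target) must be re-checked rather than trusting a validation done seconds earlier, and `*.example.com` does not match the apex `example.com`, so allowlists usually need both entries.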

@coderabbitai

coderabbitai Bot commented May 7, 2026

Warning

Rate limit exceeded

@JanithaSampathBandara has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 42 seconds before requesting another review.


⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 547e0384-d5d0-4c1b-bfe1-c103a5cd9915

📥 Commits

Reviewing files that changed from the base of the PR and between 031293c and 797a4a4.

📒 Files selected for processing (4)
  • en/docs/administer/admin-overview.md
  • en/docs/administer/outbound-request-security.md
  • en/docs/reference/config-catalog.md
  • en/mkdocs.yml

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


JanithaSampathBandara seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.


2 participants