From a665d5d11127b94fd430e06a33e5f178cb3f5b53 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Mon, 19 Apr 2021 14:51:56 +0100
Subject: [PATCH] Improve RequestForgery.qhelp recommendation
---
java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp b/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
index 1b63afde6fe..f89198ee378 100644
--- a/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
@@ -13,9 +13,11 @@ may be tricked into making a request and interacting with an attacker-controlled
-To guard against SSRF attacks, it is advisable to avoid putting user input
+
To guard against SSRF attacks, you should avoid putting user-provided input
directly into a request URL. Instead, maintain a list of authorized
-URLs on the server; then choose from that list based on the user input provided.
+URLs on the server; then choose from that list based on the input provided.
+Alternatively, ensure requests constructed from user input are limited to
+a particular host or more restrictive URL prefix.
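Review bot: The new sentence "ensure requests constructed from user input are limited to a particular host or more restrictive URL prefix" should state how that limit is enforced, because the wording invites a plain string-prefix check on the assembled URL, which is a weaker control than parsing the URL and comparing the scheme, host and port against an allowlist. Consider something like "parse the resulting URL and check that its host is in a list of authorized hosts, rather than relying on a string prefix match", which also keeps the advice consistent with the "list of authorized URLs" approach in the preceding lines. Separately, the added empty `+` line at the top of the hunk introduces a blank line before the paragraph; confirm that is intended in the qhelp layout.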