Add a mention of NoPrivateNetworkHttpClient and SSRF to the docs

Author: Seldaek

http_client.rst

@@ -694,6 +694,28 @@ called when new data is uploaded or downloaded and at least once per second::
 Any exceptions thrown from the callback will be wrapped in an instance of
 ``TransportExceptionInterface`` and will abort the request.
 
+SSRF (Server-side request forgery) Handling
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+[SSRF](https://portswigger.net/web-security/ssrf) allows an attacker to induce the backend application to make HTTP requests to an arbitrary domain. These attacks can also target the internal hosts and IPs of the attacked server.
+
+If you use an ``HttpClient`` together with user-provided URIs, it is probably a good idea to decorate it with a ``NoPrivateNetworkHttpClient``. This will ensure local networks are made inaccessible to the HTTP client::
+
+    use Symfony\Component\HttpClient\HttpClient;
+    use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
+
+    $client = new NoPrivateNetworkHttpClient(HttpClient::create());
+    // nothing changes when requesting public networks
+    $client->request('GET', 'https://example.com/');
+
+    // however, all requests to private networks are now blocked by default
+    $client->request('GET', 'http://localhost/');
+
+    // the second optional argument defines the networks to block
+    // in this example, requests from 104.26.14.0 to 104.26.15.255 will result in an exception
+    // but all the other requests, including other internal networks, will be allowed
+    $client = new NoPrivateNetworkHttpClient(HttpClient::create(), ['104.26.14.0/23']);
+
 Performance
 -----------