Microsoft's Dynamics 365 Business Central 2026 Wave 1 release, version 28, introduces significant security enhancements, particularly in URI validation for the AL HttpClient. The changes aim to prevent Server-Side Request Forgery (SSRF) attacks by blocking HTTP requests to internal networks by default. In cloud-hosted environments there is no workaround for this measure, so extensions must use public, internet-accessible endpoints. On-premises installations have the flexibility to whitelist specific internal addresses, although Microsoft advises caution in doing so. Backward compatibility keeps these security measures consistent across prior versions 26.x and 27.x. Organizations should audit their extensions to understand their HTTP dependencies, refactor where necessary, and adopt best practices such as using public APIs and conducting regular security audits to safeguard their systems effectively.
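
One way to start the extension audit described above, as an added example that is not Microsoft's tooling or code from this digest: a Python scan of AL source for hard-coded HttpClient URL literals whose host is loopback, private or link-local. The address classes treated as internal, the LAN name suffixes and the sample AL lines are assumptions; the page does not list the exact ranges the platform blocks.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# AL string literals are single-quoted; capture http(s) URLs inside them.
URL_LITERAL = re.compile(r"'(https?://[^']+)'", re.IGNORECASE)

def classify_host(host):
    """Classify a URL host as 'internal', 'review' or 'public' (assumed rules)."""
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label or LAN-suffixed names, and
        # placeholders such as %1, cannot be judged statically.
        if "." not in host or host.endswith((".local", ".internal")):
            return "review"
        return "public"
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
        return "internal"
    return "public"

def audit_al_source(name, text):
    """Return (file, line, url, verdict) for each non-public URL literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("//"):  # skip whole-line AL comments
            continue
        for url in URL_LITERAL.findall(line):
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:  # malformed authority, e.g. bad IPv6 brackets
                host = ""
            verdict = classify_host(host) if host else "review"
            if verdict != "public":
                findings.append((name, lineno, url, verdict))
    return findings

# Constructed sample AL statements, not taken from any real extension.
SAMPLE_AL = """\
// Client.Get('http://10.0.0.9/old', Response);
Client.Get('http://192.168.10.25:8080/print', Response);
Client.Get('https://api.example.com/v1/rates', Response);
Client.Get('http://printsrv01/queue', Response);
Client.Get('http://localhost:5000/health', Response);
"""

if __name__ == "__main__":
    print(*audit_al_source("LabelPrinting.al", SAMPLE_AL), sep="\n")
```

Hosts marked `review` need a manual look at what they resolve to, and URLs assembled at run time from setup tables will not appear as literals at all.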