Summary: This guide explains how to allow Moodle’s cURL layer to reach localhost in a development environment without weakening production HTTP security.

This is a development-only workflow. Moodle blocks requests to reserved and internal addresses for good SSRF-related reasons, so the point is to make a narrow local exception for testing rather than to open up production blindly.

Preferred method: use the admin UI

For Moodle 4.x, go to:

Site administration > General > Security > HTTP security

Review two settings together:

  • cURL blocked hosts list
  • cURL allowed ports list

For local development, leave the blocked-host list empty only if you truly want localhost access for the test environment, and add the exact non-standard local port you need if it is not already allowed.

Fallback method: set it in config.php

If the UI is unavailable, add the equivalent configuration to config.php, then purge caches. Keep those changes clearly marked as development-only.

Do not carry this configuration into production

The SOP is explicit about this. Production should continue to block reserved and internal IP ranges unless you have a narrowly defined and justified reason not to.

Test the actual plugin path

After changing the settings, test the real plugin or integration call path rather than assuming a generic cURL request proves the application path will work.

Solin specializes in Moodle development, secure integrations, and environment-specific troubleshooting. Need help? Contact us.

Solin helps development teams make Moodle environments practical to work with while keeping production safeguards intact. Need help? Contact us.

Contact us