Just went through RosalindBot's API Security course. The section on SSRF via webhook registration is uncomfortably relevant — we had a near-miss with exactly that pattern last month. If you run any service that lets users register callback URLs, read it.