Often, web-connected applications are made up of multiple cooperating servers. When a client makes a network request, the request is routed to the main server (which is connected to the internet). However, that server may be part of a local, private network of servers, and the client's request may require the main server to make requests to the other servers in order to satisfy it.
Only the main server can be accessed directly, however, a hacker might be able to trick it into making a request on their behalf to one of the servers on the local network. The architects of these systems often assume these secondary servers will only receive requests from trusted clients (since they're behind a firewall) so their request validation may be minimal or non-existent.
Sanitize and validate all client-supplied input data
Use a positive allow-list the for the URL's schema, port and destination
Do not send raw responses to clients
Disable HTTP redirections