User Details
- User Since
- Mar 23 2015, 1:23 PM (509 w, 2 d)
Mar 26 2015
I see a minor problem (non security related) with the handling of HTTP redirects. Depending on the exact HTTP code (ex: 303 vs 307), a POST request may need to be converted to GET when redirected: https://tools.ietf.org/html/rfc7231#section-6.4.7
I didn't go through a thorough analysis of the proposed patch, but the global analysis and some specific portions (like DNS rebinding) seem fine. How did you deal with HTTP redirects?
Mar 25 2015
This library may help: https://github.com/fin1te/safecurl
Mar 23 2015
The DNS result will be cached... depending on its TTL. Setting the TTL to 0 is enough to get a fresh request for each resolution.
The protection can be bypassed using HTTP redirects (untested) and DNS re-binding. Cf. the HackerOne ticket for details https://hackerone.com/reports/53088
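The two points raised in this thread (the redirect comment of Mar 26 and the DNS rebinding / TTL comment of Mar 23) combine into one check, shown here as an added example that is not code from the thread, the HackerOne ticket or safecurl. It rewrites POST to GET only on 301/302/303 (307/308 keep the method, per RFC 7231), re-validates every redirect target, and returns the validated IP so the caller connects to that literal address rather than resolving again; the resolver is injectable and the addresses in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

# Redirect codes that turn a POST into a GET (RFC 7231 section 6.4); 307/308 keep the method.
METHOD_TO_GET = {301, 302, 303}
PRESERVE_METHOD = {307, 308}


def is_public(ip: str) -> bool:
    """Reject loopback, link-local, RFC 1918, ULA, multicast, reserved and unspecified."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_pinned(host: str, resolver=None) -> str:
    """Resolve once, validate every returned address, and return the one to connect to.

    The caller must open the socket to this literal IP (sending Host: host) so that a
    second lookup against a low-TTL record cannot swap in an internal address (rebinding).
    """
    resolver = resolver or (lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None)})
    ips = resolver(host)
    if not ips or not all(is_public(ip) for ip in ips):
        raise ValueError(f"{host} resolves to a non-public address: {sorted(ips)}")
    return sorted(ips)[0]


def next_hop(method: str, url: str, status: int, location: str, hops: int, resolver=None):
    """Work out the next request for a redirect response, re-validating the target.

    Returns (method, absolute_url, pinned_ip) or raises ValueError if the hop is refused.
    """
    if hops >= 5:
        raise ValueError("too many redirects")
    target = urljoin(url, location)            # Location may be relative
    parts = urlparse(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing redirect to {target!r}")
    if status in METHOD_TO_GET and method == "POST":
        method = "GET"                         # body is dropped, as browsers do
    elif status not in METHOD_TO_GET | PRESERVE_METHOD:
        raise ValueError(f"unexpected redirect status {status}")
    return method, target, resolve_pinned(parts.hostname, resolver)
```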