Ensure that your application treats 169.254.169.254 as a protected internal IP. Do not forward responses from this endpoint to external users, as this would leak sensitive identity tokens.
http://169.254.169.254/metadata/identity/oauth2/token Ensure that your application treats 169
: An attacker could steal high-privilege access tokens belonging to the server's identity. Ensure that your application treats 169