diff --git a/src/infra/net/ssrf.test.ts b/src/infra/net/ssrf.test.ts
index 2698bf3db9e..637bd5c2e9e 100644
--- a/src/infra/net/ssrf.test.ts
+++ b/src/infra/net/ssrf.test.ts
@@ -111,19 +111,23 @@ describe("normalizeFingerprint", () => {
 });
 
 describe("isBlockedHostnameOrIp", () => {
- it("blocks localhost.localdomain and metadata hostname aliases", () => {
- expect(isBlockedHostnameOrIp("localhost.localdomain")).toBe(true);
- expect(isBlockedHostnameOrIp("metadata.google.internal")).toBe(true);
+ it.each([
+ "localhost.localdomain",
+ "metadata.google.internal",
+ "api.localhost",
+ "svc.local",
+ "db.internal",
+ ])("blocks reserved hostname %s", (hostname) => {
+ expect(isBlockedHostnameOrIp(hostname)).toBe(true);
 });
 
- it("blocks private transition addresses via shared IP classifier", () => {
- expect(isBlockedHostnameOrIp("2001:db8:1234::5efe:127.0.0.1")).toBe(true);
- expect(isBlockedHostnameOrIp("2001:db8::1")).toBe(false);
- });
-
- it("blocks IPv4 special-use ranges but allows adjacent public ranges", () => {
- expect(isBlockedHostnameOrIp("198.18.0.1")).toBe(true);
- expect(isBlockedHostnameOrIp("198.20.0.1")).toBe(false);
+ it.each([
+ ["2001:db8:1234::5efe:127.0.0.1", true],
+ ["2001:db8::1", false],
+ ["198.18.0.1", true],
+ ["198.20.0.1", false],
+ ])("returns %s => %s", (value, expected) => {
+ expect(isBlockedHostnameOrIp(value)).toBe(expected);
 });
 
 it("supports opt-in policy to allow RFC2544 benchmark range", () => {
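Review bot: The reserved-hostname table in the first `it.each` only uses lowercase names without a trailing dot, so these cases would not catch a regression in how `isBlockedHostnameOrIp` normalizes its input before matching. If that is not already covered elsewhere in the file, consider rows such as `"API.LOCALHOST",` and `"db.internal.",`, assuming both forms are meant to be blocked. The second table's title `"returns %s => %s"` also loses the rationale the removed test names carried; per-row comments like `// transition address embedding 127.0.0.1` and `// RFC 2544 benchmark range` would keep it. The `describe("isBlockedHostnameOrIp")` block continues past this hunk.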
@@ -134,10 +138,15 @@ describe("isBlockedHostnameOrIp", () => {
 expect(isBlockedHostnameOrIp("198.51.100.1", policy)).toBe(true);
 });
 
- it("blocks legacy IPv4 literal representations", () => {
- expect(isBlockedHostnameOrIp("0177.0.0.1")).toBe(true);
- expect(isBlockedHostnameOrIp("8.8.2056")).toBe(true);
- expect(isBlockedHostnameOrIp("127.1")).toBe(true);
- expect(isBlockedHostnameOrIp("2130706433")).toBe(true);
+ it.each(["0177.0.0.1", "8.8.2056", "127.1", "2130706433"])(
+ "blocks legacy IPv4 literal %s",
+ (address) => {
+ expect(isBlockedHostnameOrIp(address)).toBe(true);
+ },
+ );
+
+ it("does not block ordinary hostnames", () => {
+ expect(isBlockedHostnameOrIp("example.com")).toBe(false);
+ expect(isBlockedHostnameOrIp("api.example.net")).toBe(false);
 });
 });
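Review bot: The added `does not block ordinary hostnames` test uses names that share no label with the reserved suffixes, so it would still pass if the hostname check matched more broadly than intended. A case with a reserved label in a non-final position, e.g. `expect(isBlockedHostnameOrIp("internal.example.com")).toBe(false);`, would pin that boundary, assuming the policy is suffix-based. In the legacy-literal table, `"8.8.2056"` encodes a public address, so that row asserts that non-canonical IPv4 forms are rejected as such; a comment like `// blocked for their form, not for the address they encode` above the `it.each` would make that explicit. The enclosing `describe` starts outside this hunk.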