Validate a URL for SSRF protection.
This function validates URLs to prevent Server-Side Request Forgery (SSRF) attacks by blocking requests to private networks and cloud metadata endpoints.
The URL to validate (string or Pydantic HttpUrl).
If True, allows private IPs and localhost (for development).
Cloud metadata endpoints are ALWAYS blocked.
If True, allows both HTTP and HTTPS. If False, only HTTPS.
