diff --git a/app/controllers/groups/dependency_proxy_for_containers_controller.rb b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
index 1bab8f6aac6a6786e536ca7e00d06dfafdd63629..19525247d0239e9c6d57852d30e5ad75391017b0 100644
--- a/app/controllers/groups/dependency_proxy_for_containers_controller.rb
+++ b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
@@ -199,7 +199,10 @@ def ssrf_params
 {
 ssrf_filter: true,
 allow_localhost: allow_localhost?,
- allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris
+ # rubocop:disable Naming/InclusiveLanguage -- existing setting
+ allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris +
+ Gitlab::CurrentSettings.outbound_local_requests_whitelist
+ # rubocop:enable Naming/InclusiveLanguage
 }
 end
diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
index 54c81e72379953c02b64caf988be9606f16d17a6..8220c4713a4870baffaccfc37fb27c5ebc0c3ee1 100644
--- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
@@ -224,12 +224,13 @@
 end
 shared_examples 'Allowed endpoints' do
- let(:allowed_endpoints) do
- ['http://127.0.0.1:9000']
- end
+ let(:enabled_endpoint_uris) { [URI('192.168.1.1')] }
+ let(:outbound_local_requests_allowlist) { ['127.0.0.1'] }
+ let(:allowed_endpoints) { enabled_endpoint_uris.map(&:to_s) + outbound_local_requests_allowlist }
 before do
- allow(ObjectStoreSettings).to receive(:enabled_endpoint_uris).and_return(allowed_endpoints)
+ allow(ObjectStoreSettings).to receive(:enabled_endpoint_uris).and_return(enabled_endpoint_uris)
+ stub_application_setting(outbound_local_requests_whitelist: outbound_local_requests_allowlist)
 end
 it 'sets AllowedEndpoints' do
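Review bot: In `ssrf_params`, the new `allowed_endpoints` value concatenates two differently shaped lists: `ObjectStoreSettings.enabled_endpoint_uris` yields URI objects (the spec stubs `URI(...)`), while `outbound_local_requests_whitelist` yields bare strings such as `'127.0.0.1'` with no scheme or port. The consumer of `allowed_endpoints` is not visible here, so please confirm that it parses every entry format the setting accepts and fails closed on anything it cannot parse, since each entry is an exemption from `ssrf_filter`. A comment above the key would record that intent, e.g. `# Every entry bypasses the SSRF filter; the admin outbound allowlist is merged in on purpose.` If the setting can be nil (not shown), wrapping it as `Array(Gitlab::CurrentSettings.outbound_local_requests_whitelist)` keeps `+` from raising. The method starts above the hunk.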
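Review bot: The stubbed `URI('192.168.1.1')` in the `'Allowed endpoints'` shared examples has no scheme or port, so it parses as a generic path-only URI and `to_s` returns the input unchanged; the expectation no longer exercises how a real endpoint, like the previous `'http://127.0.0.1:9000'` fixture, is serialized. I would use `let(:enabled_endpoint_uris) { [URI('http://192.168.1.1:9000')] }` and add a case with an empty allowlist so the object-store-only path stays pinned. The body of `it 'sets AllowedEndpoints'` lies outside the hunk, so how `allowed_endpoints` is compared is not visible.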