diff --git a/lib/packages/ssrf_protection.rb b/lib/packages/ssrf_protection.rb
index 6b42c4decaa15f9944892ac619205d36d9313055..bd3039ef695c91bdbf171b5e9532de60112f568a 100644
--- a/lib/packages/ssrf_protection.rb
+++ b/lib/packages/ssrf_protection.rb
@@ -9,7 +9,10 @@ def self.params_for(package)
       {
         ssrf_filter: true,
         allow_localhost: allow_localhost?,
-        allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris
+        # rubocop:disable Naming/InclusiveLanguage -- existing setting
+        allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris.map(&:to_s) +
+          Gitlab::CurrentSettings.outbound_local_requests_whitelist
+        # rubocop:enable Naming/InclusiveLanguage
       }
     end
diff --git a/spec/lib/packages/ssrf_protection_spec.rb b/spec/lib/packages/ssrf_protection_spec.rb
index 4e3c9cc3290a485918ca442722564b8edd963270..c49495381d3f7b083ba3ace55271e8d33b25743e 100644
--- a/spec/lib/packages/ssrf_protection_spec.rb
+++ b/spec/lib/packages/ssrf_protection_spec.rb
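Review bot: The new `allowed_endpoints` value widens what the package SSRF filter lets through from the object-store endpoints to every entry of the instance-wide `outbound_local_requests_whitelist`, and nothing in the hash says so; a comment such as `# Object-store endpoints plus the admin-configured outbound allowlist; both are exempt from the SSRF filter for package requests` would make the security decision visible to the next reader. If `Gitlab::CurrentSettings.outbound_local_requests_whitelist` can ever be nil (not visible from here), the `+` raises TypeError and the upload path fails; `Array(Gitlab::CurrentSettings.outbound_local_requests_whitelist)` would guard it cheaply. `enabled_endpoint_uris.map(&:to_s)` produces full URIs including scheme and port when the setting holds URLs rather than bare hosts — presumably that is the form the `ssrf_filter` option compares against, but the accompanying spec only exercises a bare IP, so it is worth confirming. `params_for` starts above this hunk.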
@@ -21,15 +21,28 @@
     end
     context 'when package type is supported' do
-      it 'returns SSRF protection params for generic package' do
-        result = described_class.params_for(generic_package)
-
-        expect(result).to include(
-          ssrf_filter: true,
-          allow_localhost: true,
-          allowed_endpoints: ObjectStoreSettings.enabled_endpoint_uris
-        )
+      # rubocop:disable Naming/InclusiveLanguage -- existing setting
+      context 'with generic package' do
+        let(:enabled_endpoint_uris) { [URI('192.168.1.1')] }
+        let(:outbound_local_requests_whitelist) { ['127.0.0.1'] }
+        let(:allowed_endpoints) { ['192.168.1.1', '127.0.0.1'] }
+
+        before do
+          allow(ObjectStoreSettings).to receive(:enabled_endpoint_uris).and_return(enabled_endpoint_uris)
+          stub_application_setting(outbound_local_requests_whitelist: outbound_local_requests_whitelist)
+        end
+
+        it 'returns SSRF protection params' do
+          result = described_class.params_for(generic_package)
+
+          expect(result).to include(
+            ssrf_filter: true,
+            allow_localhost: true,
+            allowed_endpoints: allowed_endpoints
+          )
+        end
       end
+      # rubocop:enable Naming/InclusiveLanguage
     context 'when in production environment' do
       before do
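Review bot: The stubbed object-store endpoint `URI('192.168.1.1')` is a bare IP, so `map(&:to_s)` is only tested on the trivial case; a real endpoint setting is more likely a URL with scheme and port, and the spec should pin what string form reaches `allowed_endpoints` for it, e.g. a constructed `let(:enabled_endpoint_uris) { [URI('http://objectstore.example:9000')] }` with the matching expected string. An additional example with `outbound_local_requests_whitelist` stubbed to `[]` would also document that the setting is purely additive and that an empty allowlist leaves the object-store endpoints intact. The enclosing `describe` block starts above this hunk.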