{"title":"SSRF Guardrails: Preventing Internal Proxying","region":"Global","category":"Security","description":"Stopping agents from accessing internal cloud metadata or local IP ranges.","lastUpdated":"2026-02-23","steps":["Block agent tool access to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).","Disable access to Cloud Metadata endpoints (e.g., 169.254.169.254).","Enforce a 'Non-Recursive' redirect policy for all agent-initiated HTTP calls.","Use a dedicated Egress Proxy to filter all outgoing tool traffic.","Validate and sanitize URLs before passing them to any 'Read' or 'Fetch' tool."],"url":"https://checklist.day/ssrf-guardrails-preventing-internal-proxying"}