Security
SSRF
Learn what SSRF means for hosted MCP tools, website-to-MCP generation, private network blocking, and safe URL handling.
Definition
SSRF, or server-side request forgery, is a vulnerability where an attacker makes a server request internal, private, or sensitive network targets. For hosted MCP runtimes, SSRF matters whenever a tool fetches URLs or follows user-controlled links.
How Astrail Uses It
Astrail blocks local and private-network targets in website-to-MCP and runtime fetch paths. This prevents generated tools from being used to probe metadata services, loopback addresses, internal dashboards, or tenant-private services.
Implementation Checklist
Resolve hostnames before fetch and block private, loopback, link-local, and metadata IP ranges.
Re-check redirects instead of trusting only the first URL.
Bound crawl depth, response size, and request time.
Log blocked destinations without returning sensitive infrastructure details.
FAQ
Why is SSRF a risk for MCP?
Agents can request tool calls with URLs or source documents. If the server fetches those URLs unchecked, an attacker can turn the hosted runtime into a network probe.
Does auth fully solve SSRF?
No. Auth tells you who called the tool. Network policy still needs to decide which destinations the server is allowed to reach.