Show HN: Agent-fetch – Sandboxed HTTP client with SSRF protection for AI agents
github.com
Built this because giving AI agents raw HTTP access is scary. agent-fetch is a drop-in HTTP client that blocks SSRF, DNS rebinding, private IP access, and redirect tricks — all at the request level.
It uses its own DNS resolver (Hickory DNS), validates all resolved IPs against a blocklist (loopback, RFC 1918, link-local, cloud metadata, etc.), and pins the TCP connection to the validated IP so there's no TOCTOU gap to exploit.
Also supports domain allowlists/blocklists, rate limiting, body size limits, and timeouts.
Available as a Rust crate and npm package (native Node.js bindings via NAPI).
Built for tool-based agent architectures (MCP, LangChain, etc.) where you control what the agent can call. Not a replacement for container isolation, but if your agent only talks to the outside world through HTTP, this locks it down.
GitHub: https://github.com/Parassharmaa/agent-fetch
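The resolve, validate, and pin sequence described in the post, as an added sketch that is not agent-fetch's code or API: it uses the standard library resolver instead of Hickory DNS, and the names `is_blocked`, `validate` and `connect_pinned` are hypothetical. Rejecting the whole answer set when any record is blocked, and treating 100.64.0.0/10 as blocked, are assumptions of this example.

```rust
use std::io::{self, Error, ErrorKind};
use std::net::{IpAddr, SocketAddr, TcpStream, ToSocketAddrs};
use std::time::Duration;

/// True if an agent-issued request must never reach `ip`.
fn is_blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            let o = v4.octets();
            v4.is_loopback()           // 127.0.0.0/8
                || v4.is_private()     // RFC 1918
                || v4.is_link_local()  // 169.254.0.0/16, includes 169.254.169.254 metadata
                || v4.is_broadcast()
                || v4.is_multicast()
                || o[0] == 0           // 0.0.0.0/8
                || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10 shared space
        }
        IpAddr::V6(v6) => {
            // Unwrap ::ffff:a.b.c.d so a mapped private address cannot slip through.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_blocked(IpAddr::V4(v4));
            }
            let s0 = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || v6.is_multicast()
                || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
        }
    }
}

/// Reject the whole answer set if any record is blocked; return the address to pin.
fn validate(addrs: &[SocketAddr]) -> io::Result<SocketAddr> {
    if let Some(bad) = addrs.iter().find(|a| is_blocked(a.ip())) {
        return Err(Error::new(ErrorKind::PermissionDenied, format!("blocked: {}", bad.ip())));
    }
    addrs.first().copied().ok_or_else(|| Error::new(ErrorKind::NotFound, "no addresses"))
}

/// Resolve once, validate, then connect to the validated IP (no second lookup).
fn connect_pinned(host: &str, port: u16) -> io::Result<TcpStream> {
    let addrs: Vec<SocketAddr> = (host, port).to_socket_addrs()?.collect();
    TcpStream::connect_timeout(&validate(&addrs)?, Duration::from_secs(5))
}

fn main() {
    // "localhost" resolves to loopback, so this is refused before any connect.
    println!("{:?}", connect_pinned("localhost", 80).map(|_| "connected"));
}
```

Because the socket is opened against the `SocketAddr` that passed validation, a second DNS answer served after the check cannot change the destination; redirects would need the same check applied to every hop.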