Vinkius (Beta)
Any API → MCP server in 30s

Outbound traffic. Validated.
Private networks. Unreachable.

Every outbound request is DNS-resolved, IP-validated, and pinned before it leaves. Private networks are physically unreachable — enforced by default, on every deployment.

Egress Architecture

Two ways in. Same checkpoint out.

Both deployment paths funnel outbound traffic through the same safeFetch proxy — egress rules stay consistent regardless of how your MCP server runs.

Path A

Bring your REST API

Paste your OpenAPI URL. The platform parses the spec, generates MCP tools, and proxies every API call through safeFetch.

Your backend stays untouched. Every tool invocation becomes an HTTP call to your endpoint. The AI talks to the proxy, the proxy talks to your API.

Path B

Deploy custom handlers

Write JavaScript handlers and deploy your MCP server to the edge. Runs inside a V8 isolate — zero raw network socket access.

The host bridge intercepts fetch calls and wires an AbortController to the SSE connection. SSE drops, every pending request dies.

safeFetch Pipeline

Three checks. Then you're through.

safeFetch is a 53-line function in SsrfGuard.ts sitting between your MCP server and the network. Not a firewall, not a WAF, not a proxy chain.

01

DNS Resolution

dns.lookup(hostname)

Before the request is made, the hostname is resolved to an IP address. The IP — not the hostname — is what gets inspected next.

02

Private IP Gate

isPrivateIP(resolvedIP)

The resolved IP is matched against 9 regex patterns covering loopback, Class A/B/C private, link-local, and IPv6 ranges. Match found → SSRF_BLOCKED.

03

IP Pinning

new Agent({ connect: { lookup } })

A custom undici Agent with the resolved IP hardcoded in the DNS lookup callback — preventing DNS rebinding. TLS/SNI works correctly.
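
The three checks above, sketched as an added example that is not the SsrfGuard.ts source. CIDR arithmetic stands in for the page's nine regex patterns, and every resolved record is checked, which goes slightly beyond the single-IP flow described. pinnedLookup, guard, v4ToInt and the sample addresses are assumed names and constructed values.

```javascript
// Added illustration, not the SsrfGuard.ts source. Only isPrivateIP is a name from the page.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted quad -> unsigned 32-bit integer, or null when the string is not valid IPv4.
function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Step 02: true for loopback, private, link-local and anything that cannot be classified.
function isPrivateIP(ip) {
  const addr = String(ip).toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr); // IPv4-mapped IPv6
  const n = v4ToInt(mapped ? mapped[1] : addr);
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === v4ToInt(net);
    });
  }
  // Hex-form mapped addresses and non-IP strings fail closed.
  if (addr.startsWith('::ffff:') || !addr.includes(':')) return true;
  // ::1, ::, unique-local fc00::/7, link-local fe80::/10
  return addr === '::1' || addr === '::' || /^f[cd][0-9a-f]{2}:|^fe[89ab][0-9a-f]:/.test(addr);
}

// Step 03: a lookup callback that ignores the hostname and answers with the validated IP.
function pinnedLookup(ip, family) {
  return (_hostname, options, cb) => {
    if (typeof options === 'function') cb = options;
    const all = options && typeof options === 'object' && options.all;
    return all ? cb(null, [{ address: ip, family }]) : cb(null, ip, family);
  };
}

// Steps 01-03 in order; `resolve` is injectable so the check can be exercised offline.
async function guard(hostname, resolve) {
  resolve = resolve || (await import('node:dns/promises')).lookup;
  const records = await resolve(hostname, { all: true });
  if (!records.length || records.some((r) => isPrivateIP(r.address))) throw new Error('SSRF_BLOCKED');
  const { address, family } = records[0];
  return { address, family, lookup: pinnedLookup(address, family) };
}
```

The lookup function returned by guard is what would be passed as new Agent({ connect: { lookup } }), so the connection uses the address that was validated and never triggers a second DNS query.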

Enforcement

Hard limits.

Not guidelines.
DNS Resolution

Every hostname resolved before connection. The resolved IP is what gets validated — not the hostname. DNS rebinding is impossible.

Egress Validation

Private networks unreachable. Cloud metadata endpoints sealed. Only public IPs pass through the checkpoint.

TCP Lifecycle

SSE connection drops — every pending outbound request dies. AbortController cascade. No orphaned connections.

"The proxy is the ceiling. Exceed it, and the request dies."

Data Leak Prevention

Egress isn't just about IP addresses.

Blocking private IPs handles network-level SSRF. But what about sensitive data leaving your MCP server through valid responses? The Presenter layer acts as a compile-time egress firewall for your data.

Raw API Response
"id": "usr_7f3a"
"email": "john@acme.co"
"passwordHash": "$2b$10$K8..."
"tenantId": "tenant_internal_9x"
"role": "admin"
After Presenter + @vurb.hide
"id": "usr_7f3a"
"email": "john@acme.co"
"role": "admin"
passwordHash, tenantId → absent from response. Not redacted. Not masked. Gone.

Zod schemas define what leaves. Undeclared fields are stripped in RAM before serialization. @vurb.hide removes fields at the schema definition level — they never exist in the output type.

Open Source

Read every line.
Before you trust us.

The entire egress protection layer for your MCP server — open source, auditable, forkable.

SsrfGuard.ts · TypeScript · Apache 2.0
01

Built on undici

Node.js native HTTP client. Agent API for DNS lookup override and IP pinning. No third-party dependencies.

02

Deterministic validation

9 regex patterns against the resolved IP. Same input, same output. No ML heuristics, no probabilistic blocking.

03

Fully open source

safeFetch, Presenter schemas, Zod validation, governance rules. Apache 2.0. Fork it, audit it, run it yourself.

Deploy Now

Paste your API URL. Egress is handled.

safeFetch is injected the moment you deploy your MCP server. Both paths — API proxy and custom handlers — get the same checkpoint. Nothing to install, nothing to configure.
