Definition
Server-side request forgery (SSRF) tricks a server-side component into issuing requests to unintended destinations—often internal IPs, metadata endpoints, or cloud control planes.
How it appears in MCP
Tools that fetch over HTTP, deliver webhooks, or proxy user-supplied URLs can be steered toward internal networks through model-chosen arguments.
Example pattern
SSRF has featured in major cloud and SaaS incidents; any tool that accepts a URL or host string inherits the class. MCP is the call path, not the root cause.
What MCP Trail does on the Guardian path
On the Guardian path, MCP Trail combines:
- Upstream URL validation for HTTP/HTTPS MCP connectors: by default, the addresses an upstream URL resolves to must not be loopback, RFC 1918 private space, link-local (which includes cloud-metadata-style targets), or another blocked range. This shrinks the classic SSRF blast radius from misconfigured upstream URLs.
- Strong client authentication (slug + Bearer token per registered server) so anonymous internet callers cannot invoke your tools.
- DLP on tool arguments and JSON results where configured, plus human-in-the-loop (HITL) approval for tools you classify as high risk.
- Structured audit rows for investigations—what was allowed, blocked, or held for approval.
Network segmentation, metadata hardening, and safe tool design upstream remain essential; Guardian addresses what crosses the MCP boundary.
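The following is an added illustration of the resolved-address check described above, not MCP Trail's own code: it resolves the URL's host, rejects the URL if any resolved address falls in a blocked range, and returns the vetted IPs so the caller can connect to one of them rather than re-resolving (a second lookup could return a different answer). The hostnames and the `FAKE_DNS` table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Blocked ranges: loopback, RFC 1918, link-local (covers 169.254.169.254 metadata), IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # check ::ffff:10.0.0.1 as 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)

def validate_upstream_url(url, resolve=socket.getaddrinfo):
    """Return the resolved IPs for url, or raise ValueError if the scheme is not
    http(s) or any resolved address is blocked. Connect to a returned IP, not the name."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        infos = resolve(parsed.hostname, port)  # every A/AAAA record, not just the first
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {parsed.hostname}") from exc
    ips = sorted({info[4][0] for info in infos})
    bad = [ip for ip in ips if is_blocked(ip)]
    if not ips or bad:
        raise ValueError(f"{parsed.hostname} resolves to blocked/no addresses: {bad}")
    return ips

# Constructed resolver table so the check runs offline (not real DNS data).
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.example": ["203.0.113.10", "10.0.0.5"],  # one public and one private record
}

def fake_resolve(host, port):
    try:
        ips = [str(ipaddress.ip_address(host))]  # IP literal written directly in the URL
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"unknown host {host}")
        ips = FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 0, "", (ip, port)) for ip in ips]
```

Swap `fake_resolve` for the default `socket.getaddrinfo` to check real hostnames; a host with a mix of public and private records is rejected outright rather than trusting whichever record the OS picks.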
What still needs process
Egress controls, metadata service hardening, and URL allowlists at the application layer.