ERR_URL_SSRF_BLOCKED - URL SSRF Blocked
HTTP Status: 400
Retryable: No
Automatic retry: None. The URL is permanently blocked by the security validator.
What the User Sees
This URL cannot be fetched for security reasons. (ERR_URL_SSRF_BLOCKED)
What Causes This Error
The URL provided for the "fetch from URL" feature failed SSRF (Server-Side Request Forgery) validation in utils/url-validator.ts. The validator blocks URLs that could be used to access internal infrastructure or non-public resources.
Blocked URL categories include: private IP addresses (10.x.x.x, 192.168.x.x, 172.16.x.x-172.31.x.x), loopback addresses (127.0.0.1, localhost, ::1), link-local addresses (169.254.x.x), non-HTTP/HTTPS protocols (file://, ftp://, gopher://), cloud metadata endpoints (169.254.169.254, metadata.google.internal), and any hostname that resolves to a private or reserved IP address.
This security check prevents attackers from using the URL fetch feature to probe or access internal services, cloud metadata APIs, or other resources that should not be accessible from the public internet. It is a critical security control that must not be weakened.
Resolution Steps
For Users
- Only publicly accessible HTTP or HTTPS URLs are supported. The URL must point to a file on the public internet.
- Download the file manually to your computer and upload it directly instead of using the URL fetch feature.
- If the file is on an intranet or private network, download it from that network and then upload the local copy.
- Make sure the URL uses the http:// or https:// protocol; other protocols are not supported.
For Administrators
- No admin action is needed; this is working as designed and is a critical security control.
- The SSRF validator is in utils/url-validator.ts. Do NOT weaken these checks, even for "trusted" internal URLs.
- If legitimate URLs are being incorrectly blocked, review the validator logic for false positives. Ensure DNS resolution is being checked (some URLs may resolve to private IPs even though the hostname appears public).
- Monitor Grafana logs for SSRF block events to detect potential attack patterns. Frequent SSRF block attempts from the same user or IP may indicate malicious activity.
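When reviewing the validator for false positives or gaps, it helps to have a reference for the blocked categories listed under "What Causes This Error" and for the DNS-resolution check. The following is an added example, not the contents of utils/url-validator.ts. The function names are hypothetical, and it assumes the caller has already resolved the hostname and passes in every address returned.

```typescript
// Added illustration; not the contents of utils/url-validator.ts.
// Returns null when the URL may be fetched, otherwise the reason it is blocked.
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);

// Strict dotted-quad parse; returns the four octets or null.
function parseIPv4(ip: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isBlockedIPv4([a, b]: number[]): boolean {
  return (
    a === 0 || a === 10 || a === 127 ||  // reserved "this network", private, loopback
    (a === 172 && b >= 16 && b <= 31) || // private 172.16.x.x-172.31.x.x
    (a === 192 && b === 168) ||          // private 192.168.x.x
    (a === 169 && b === 254)             // link-local, includes 169.254.169.254
  );
}

// Accepts an IP string (IPv6 may be bracketed). Unrecognised forms are blocked.
function isBlockedIP(ip: string): boolean {
  const addr = ip.toLowerCase().replace(/^\[|\]$/g, "");
  const mapped = addr.startsWith("::ffff:");
  const v4 = parseIPv4(mapped ? addr.slice(7) : addr);
  if (v4) return isBlockedIPv4(v4);
  if (mapped || !addr.includes(":")) return true; // fail closed
  return addr === "::1" || addr === "::" ||
    /^f[cd][0-9a-f]{2}:/.test(addr) ||  // unique local fc00::/7
    /^fe[89ab][0-9a-f]:/.test(addr);    // link-local fe80::/10
}

// resolvedIps: every address the caller's DNS lookup returned for the hostname.
function checkFetchUrl(raw: string, resolvedIps: string[]): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return "unparseable URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "protocol not http/https";
  // The URL parser lower-cases the host and normalises IPv4 spellings such as 0x7f.1.
  const host = url.hostname.replace(/\.$/, "");
  if (BLOCKED_HOSTNAMES.has(host)) return "blocked hostname";
  const literal = host.startsWith("[") || parseIPv4(host) !== null;
  const ips = literal ? [host] : resolvedIps;
  if (ips.length === 0) return "hostname did not resolve";
  const bad = ips.find((ip) => isBlockedIP(ip));
  return bad ? `blocked address ${bad}` : null;
}
```

The fetch itself should connect to the same addresses that were validated, so that a second DNS lookup cannot return a different answer than the one that passed the check.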
Related Errors
- ERR_URL_FETCH_FAILED - URL passed validation but the fetch failed