Security & Constraints
When building systems that accept arbitrary URLs, robust security boundaries are essential. The URL Media Inspector enforces strict limitations to prevent abuse, infrastructure exhaustion, and network scanning.
Content Security Policy
The API serves Swagger UI with a strict Content Security Policy (CSP) enforced via Helmet. The CSP governs which resources the browser is allowed to load and connect to.
Key Directives
| Directive | Value | Purpose |
|---|---|---|
default-src | 'self' | Restricts all resource loading to same-origin by default. |
script-src | 'self' 'unsafe-inline' | Allows Swagger UI's inline scripts. |
style-src | 'self' 'unsafe-inline' | Allows Swagger UI's inline styles. |
img-src | 'self' data: validator.swagger.io | Allows Swagger badge images and data URIs. |
connect-src | 'self' {PUBLIC_API_URL} | Allows Swagger "Try it out" to execute API requests. |
The connect-src directive is dynamically configured based on the PUBLIC_API_URL environment variable. This ensures Swagger UI can execute API requests in both local development and production environments without CSP violations.
Important: If
PUBLIC_API_URLis not set,connect-srcfalls back to'self'only. In production, this means Swagger "Try it out" requests may be blocked if the API is served behind a domain that differs from the page origin.
Content Length Limitations
To prevent Memory/Disk exhaustion, the API enforces a strict upper limit on the total bytes it will process.
- Large files will be rejected immediately based on their
Content-Lengthheader. - If a server omits the
Content-Lengthheader, the data stream is strictly piped with an active byte-counter. Once the limit is exceeded, the connection is forcefully destroyed.
Supported Protocols
The API strictly limits connection protocols to prevent protocol-smuggling.
- Allowed:
http:,https: - Blocked:
ftp:,file:,gopher:,data:
Header Sanitization
When making outbound requests, the API removes identifying headers and uses a standard User-Agent. This minimizes tracking and ensures the requests appear standard.
SSRF Protection
Server-Side Request Forgery protection is always enabled. See SSRF Protection for details on DNS verification, IP denylist enforcement, and redirect chain validation.