HTTP Source
2 minute read
About
The HTTP Source allows Toolbox to retrieve data from arbitrary HTTP endpoints. This enables Generative AI applications to access data from web APIs and other HTTP-accessible resources.
Available Tools
HTTP Source Tools
| Tool Name | Description |
|---|---|
| http | A "http" tool sends out an HTTP request to an HTTP endpoint. |
Example
kind: source
name: my-http-source
type: http
baseUrl: https://api.example.com/data
timeout: 10s # default to 30s
headers:
Authorization: Bearer ${API_KEY}
Content-Type: application/json
queryParams:
param1: value1
param2: value2
# returnFullError: false
# disableSslVerification: false
Tip
Use environment variable replacement with the format ${ENV_NAME} instead of hardcoding your secrets into the configuration file.
Reference
| field | type | required | description |
|---|---|---|---|
| type | string | true | Must be “http”. |
| baseUrl | string | true | The base URL for the HTTP requests (e.g., https://api.example.com). |
| timeout | string | false | The timeout for HTTP requests (e.g., “5s”, “1m”, refer to ParseDuration for more examples). Defaults to 30s. |
| headers | map[string]string | false | Default headers to include in the HTTP requests. |
| queryParams | map[string]string | false | Default query parameters to include in the HTTP requests. |
| returnFullError | bool | false | Include raw upstream response bodies in error messages for non-2xx responses. Defaults to false. |
| disableSslVerification | bool | false | Disable SSL certificate verification. This should only be used for local development. Defaults to false. |
| allowPrivateNetworks | bool | false | Allow requests and redirects to loopback and private networks (RFC 1918 / link-local). Defaults to false. |
| allowedIpRanges | []string | false | List of IP addresses or CIDR blocks to explicitly allow (whitelisted overrides). |
| customBlockedIpRanges | []string | false | List of IP addresses or CIDR blocks to explicitly block. |
Advanced Usage
SSRF Protection (SSRF Guard)
By default, the HTTP source implements strict protection against Server-Side Request Forgery (SSRF) and DNS Rebinding (TOCTOU) attacks. It automatically intercepts, resolves, and blocks connection requests to private IP ranges, loopback ranges (such as 127.0.0.1), and link-local ranges (e.g. AWS/GCP metadata service at 169.254.169.254).
To override the default protection or block custom ranges, configure allowPrivateNetworks, allowedIpRanges, and customBlockedIpRanges:
kind: source
name: my-http-source
type: http
baseUrl: https://internal.corp/api
allowedIpRanges:
- 10.0.0.0/24 # Explicitly trust internal subnet
customBlockedIpRanges:
- 10.0.0.99 # Block a specific sensitive host inside the subnet
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.