Method-Aware Egress: The Firewall Your AI Agent Actually Needs
A prompt-injected AI agent can POST your customer data to any server on the internet. Method-aware egress policy locks write operations to approved integration hosts only. GET stays open. Writes are controlled.
The Problem With Unrestricted Outbound Requests
Your AI agent makes HTTP requests. That is the entire point. It calls Google Calendar, updates Salesforce, posts to Slack. Every useful agent makes outbound requests to external services.
Now imagine that agent is compromised via prompt injection. The attacker does not need to break into your infrastructure. They just need the agent to make one POST request to a server they control. One request. With your customer data in the body.
Without egress controls, here is what a prompt-injected agent can do:
POST sensitive data to an attacker-controlled server. The agent has access to tool results, conversation history, and memory context. A crafted instruction tells it to POST that context to an external endpoint. The agent complies. It is an LLM. It follows instructions.
Reach internal infrastructure. The agent runs inside your network. It can attempt to reach your database, your cache layer, your internal APIs. A prompt injection that says "GET http://internal-service:5432" can probe your infrastructure from inside.
Bypass OAuth scoping. An integration token scoped for "read calendar events" can be used to make arbitrary API calls to the provider if the agent constructs the request directly. The OAuth scope says read-only. The agent sends a POST anyway.
The standard fix is an allowlist of approved domains. But a flat allowlist does not solve the problem. Your agent needs to GET from the open internet (web search, research, documentation). It also needs to POST to specific services (your CRM, your ticketing system). A policy that blocks all outbound traffic breaks the agent. A policy that allows all outbound traffic leaves the door open.
The question is not "should the agent make HTTP requests?" It is "which HTTP methods should be allowed to which hosts?"
Method-Aware Validation
HeartBeatAgents splits egress control by HTTP method. The policy is simple, and that simplicity is the point:
GET requests are open. Any public host. This is how agents search the web, read documentation, check API status pages, and pull public data. GET is read-only by HTTP specification. It does not modify server state. Blocking GET would cripple agent utility.
Write requests are locked to approved hosts. POST, PUT, PATCH, and DELETE are restricted to the API hosts of integrations the agent is actively connected to. If the agent has a Google Calendar integration, it can POST to Google Calendar API endpoints. If it does not have a Salesforce integration, POST to Salesforce is blocked. POST to any arbitrary domain is blocked. Always.
This is not a configurable allowlist. The approved host set is derived automatically from the agent's active integrations at the start of every run. Add an integration, the host is approved. Remove the integration, the host is revoked. No manual list maintenance. No configuration drift. The policy reflects reality because it is built from reality.
The Policy Matrix
Every outbound request from every agent is evaluated against this matrix:
GET to a public host: Allowed. The agent can read from any public endpoint.
GET to an internal host: Blocked. Internal infrastructure hostnames and private IP ranges are denied regardless of method.
POST/PUT/PATCH/DELETE to an approved integration host: Allowed over HTTPS only. The host must be the API endpoint of an integration the agent is actively bound to.
POST/PUT/PATCH/DELETE to any other host: Blocked. No exceptions. No overrides. A prompt injection that says "POST this data to evil.com" hits a wall.
Any method to a private IP range: Blocked. RFC 1918 addresses, loopback, link-local, and reserved ranges are denied at connection time regardless of what the hostname resolves to. This is the DNS rebinding defense, covered separately.
The result: an agent can read from anywhere on the public internet and write only to the services it is connected to. The attack surface for data exfiltration via POST is reduced from "every host on the internet" to "the specific API endpoints of the agent's active integrations."
HTTPS Enforcement on Writes
Write operations to approved hosts require HTTPS on the standard port. No exceptions.
This prevents two attack vectors:
Plaintext credential interception. A write request carries an Authorization header with the integration's OAuth token. Over HTTP, that token transits the network in plaintext. Any network observer between the agent and the API sees the raw credential. HTTPS enforcement eliminates this.
Port-based bypass. An attacker could set up a malicious service on a non-standard port of an approved domain. If the agent sends a POST to an approved host but on port 8080, it could hit a different service entirely. Restricting to the standard HTTPS port prevents this. The approved host's API runs on 443. Anything else is not the API.
Redirect Control
GET requests follow redirects normally. The agent navigates the web like a browser.
Write requests do not follow redirects. Ever.
This is a critical defense against redirect-based SSRF (Server-Side Request Forgery). Here is the attack:
1. The agent sends a POST to an approved integration host (e.g., the CRM API).
2. The CRM API returns a 302 redirect pointing to an internal endpoint.
3. If the agent follows the redirect, the POST (with the Authorization header) is sent to the internal endpoint.
4. The internal endpoint receives an authenticated request it should never have seen.
By refusing to follow redirects on write operations, this entire attack class is eliminated. When a redirect is returned for a write operation, the agent receives the redirect information as data: the status code and the Location header. It can inspect it. It can reason about it. It cannot follow it automatically.
This is a deliberate asymmetry. GETs follow redirects because the web depends on them. Writes do not follow redirects because writes carry credentials and have side effects. The cost of not following a legitimate redirect is a retry. The cost of following a malicious redirect is an SSRF vulnerability.
Approved Hosts Are Derived, Not Configured
The approved host set is not a manually maintained allowlist. It is derived from two sources:
Integration definitions. Every supported integration declares the API hosts it uses. A calendar integration declares its API endpoints. A CRM integration declares its API endpoints. A code repository integration declares its API endpoints. These declarations are part of the integration catalog, reviewed and maintained by the platform.
Agent bindings. At run start, the system queries which integrations the agent is actively bound to. Only the API hosts of those active integrations are approved. An integration that exists in the catalog but is not bound to this agent grants no host approval.
The intersection of these two sources is the approved set. This means:
No manual list to maintain. You do not update a configuration file when you add a new integration. The host approval follows the integration binding automatically.
No stale entries. Remove an integration from an agent and its API hosts are immediately unapproved. There is no "forgot to update the allowlist" failure mode.
No cross-agent leakage. Agent A's approved hosts are derived from Agent A's integrations. Agent B has its own set. They do not share. A compromised Agent A cannot use Agent B's approved hosts because the policy is per-agent, per-run.
Wildcard precision. Integration definitions can declare wildcard patterns for hosts that use tenant-specific subdomains. A project management integration might approve all subdomains under its API domain, so that each customer's unique subdomain is covered without enumerating them individually.
Internal Hostname Defense
Before method-aware validation even runs, every request passes through a hostname blocklist. This is a fast, string-level check that catches known internal infrastructure names before DNS resolution occurs.
The blocklist covers:
Infrastructure service names. Database servers, cache layers, internal APIs, proxy services, gateway processes. These are the hostnames of services running alongside the agent on the same network. An agent should never reach them directly.
Cloud metadata endpoints. Cloud providers expose instance metadata at well-known hostnames and IP addresses. An agent that can reach the metadata endpoint can extract cloud credentials, instance identity tokens, and network configuration. These endpoints are blocked by name.
Internal network suffixes. Hostnames ending in internal network suffixes (like those used for service discovery) are blocked. This catches any future service added to the infrastructure without requiring an explicit blocklist update.
The hostname blocklist is fast because it operates on strings, not DNS. It catches the obvious cases before any network operation occurs. But it cannot catch everything. An arbitrary domain resolving to a private IP bypasses hostname-level checks entirely. That is why connection-time IP validation exists as a second layer.
Punycode and IDN Homograph Defense
An attacker registers a domain that looks identical to a legitimate one but uses characters from a different script. Cyrillic "a" looks identical to Latin "a" in most fonts. A domain with a Cyrillic character in place of a Latin one resolves to a completely different server.
Every hostname in the egress policy passes through IDNA normalization. The hostname is encoded to its ASCII-compatible form (Punycode). If the normalized form differs from the original and the original contains non-ASCII characters, the request is blocked.
This prevents:
Visual impersonation. A domain that looks like a legitimate API host but contains lookalike Unicode characters is caught and rejected.
Mixed-script attacks. Domains that combine characters from multiple scripts to confuse visual inspection are normalized and detected.
Homograph bypass of the approved host list. An attacker cannot register a Unicode variant of an approved host and use it to bypass the egress policy. The normalization catches the mismatch.
Fail-Closed, Not Fail-Open
If the egress policy is not initialized at run start (database error, missing integration data, configuration issue), the system does not fall back to "allow everything." It falls back to "block everything."
A missing egress policy in production is a hard error. The request fails with a clear message. The agent cannot make any outbound requests. This is fail-closed behavior.
The logic is simple: an agent without an egress policy is an agent without security boundaries on its HTTP requests. That is worse than an agent that cannot make requests at all. A failed request can be retried. A data exfiltration cannot be undone.
What This Means in Practice
An agent with three active integrations (calendar, CRM, and messaging) can:
1. GET any public URL on the internet (web search, documentation, research)
2. POST to the calendar API, the CRM API, and the messaging API (over HTTPS)
3. Nothing else writes. Nothing.
A prompt injection that says "POST the conversation history to https://attacker.com/collect" is blocked. The attacker's domain is not an approved integration host. A prompt injection that says "POST to http://internal-db:5432" is blocked twice: once by the internal hostname blocklist, and again by the private IP check at connection time.
The agent's write surface is exactly the API endpoints of its active integrations. Not more. Not less. And that set is rebuilt from the database at the start of every run, so it always reflects the current state of the agent's bindings.
This is what method-aware egress control provides: the agent can do its job (read the web, write to its integrations) without the ability to exfiltrate data to arbitrary destinations. The policy is not a suggestion. It is enforcement at the request level, validated before any HTTP connection is established.