llm4s-core
API
Generated with
llm4s-core/org.llm4s/org.llm4s.toolapi/org.llm4s.toolapi.builtin/org.llm4s.toolapi.builtin.http/HttpConfig

HttpConfig

org.llm4s.toolapi.builtin.http.HttpConfig
See theHttpConfig companion object
case class HttpConfig(allowedDomains: Option[Seq[String]], blockedDomains: Seq[String], blockInternalIPs: Boolean, maxResponseSize: Long, timeoutMs: Int, followRedirects: Boolean, maxRedirects: Int, allowedMethods: Seq[String], userAgent: String)

Configuration for HTTP tool.

== Security == By default, HTTPTool is configured with safe defaults:

  • Only GET and HEAD methods are allowed (read-only)
  • Internal IP ranges are blocked (10.x, 172.16-31.x, 192.168.x)
  • Cloud metadata endpoints are blocked (169.254.169.254)
  • Localhost and loopback addresses are blocked

Value parameters

allowedDomains

Optional list of allowed domains. If None, all domains are allowed.

allowedMethods

HTTP methods that are allowed (default: GET, HEAD for safety).

blockInternalIPs

Whether to block requests to internal/private IP ranges (default: true).

blockedDomains

List of domains that are always blocked.

followRedirects

Whether to follow HTTP redirects. Defaults to false; when true each redirect hop is re-validated against the SSRF filter before the next request is issued (open-redirect bypass prevention).

maxRedirects

Maximum number of redirects to follow.

maxResponseSize

Maximum response size in bytes.

timeoutMs

Request timeout in milliseconds.

userAgent

User-Agent header to use.

Attributes

Companion
object
Graph
Supertypes
trait Serializable
trait Product
trait Equals
class Object
trait Matchable
class Any
Show all

Members list

Value members

Concrete methods

def isDomainAllowed(domain: String): Boolean

Check if a domain is allowed based on blocklist/allowlist configuration.

Check if a domain is allowed based on blocklist/allowlist configuration.

This method performs hostname-based checks only:

  1. Hostname-based blocklist check
  2. Allowlist check (if configured)

Note: IP-based SSRF protection (DNS resolution + IP range validation) is performed at request time by the HTTP tool to avoid expensive DNS lookups during validation.

Attributes

def isMethodAllowed(method: String): Boolean

Check if a method is allowed.

Check if a method is allowed.

Attributes

def validateDomainWithSSRF(domain: String): Boolean

Validate a domain with full SSRF protection including DNS resolution.

Validate a domain with full SSRF protection including DNS resolution.

This performs both hostname-based checks and IP-based SSRF protection. Use this at request time when actually making HTTP requests.

Value parameters

domain

The domain to validate

Attributes

Returns

true if the domain is safe to access

def withAllMethods: HttpConfig

Create a copy with all HTTP methods enabled.

Create a copy with all HTTP methods enabled.

WARNING: This enables potentially destructive methods (POST, PUT, DELETE). Only use this when you trust the LLM's judgment and have appropriate safeguards.

Attributes

def withInternalIPsAllowed: HttpConfig

Create a copy with internal IP blocking disabled.

Create a copy with internal IP blocking disabled.

WARNING: This allows requests to internal networks and cloud metadata endpoints. Only use this in controlled environments where SSRF is not a concern.

Attributes

def withRedirectsEnabled: HttpConfig

Create a copy with redirect following enabled.

Create a copy with redirect following enabled.

Each redirect hop is re-validated against the SSRF filter, sensitive headers (Authorization, Cookie) are stripped on cross-origin hops, and 301/302 redirects convert POST to GET per the HTTP specification.

Attributes

Inherited methods

def productElementNames: Iterator[String]

Attributes

Inherited from:
Product
def productIterator: Iterator[Any]

Attributes

Inherited from:
Product
Generated with