Rule catalog · Transport security

Probe redirects are within the safe bound

Rule ID: `transport_redirects_within_bound` · info · weight 1 · Perimeter

Authored by Stanley Hong · AgentReserve (founder).

The probe completed within the 3-redirect cap enforced by `safeFetch`. Long redirect chains complicate SSRF defense and indicate misconfigured deployments.

When this rule runs

Evaluated on every scan — observable from the URL, TLS handshake, or HTTP response headers, even when the MCP layer is auth-walled or unresponsive.

Why it matters

Each redirect is a fresh SSRF check the client has to honor. Capping at 3 keeps the verification surface small while still tolerating standard CDN / TLS-termination redirects.

Pass condition

Probe completed without tripping the 3-redirect cap.

Fail condition

Probe was aborted by the redirect cap (`REDIRECT_LIMIT_EXCEEDED`).

Evidence examples

When the rule fails, the report records evidence in roughly this shape:

  • {"redirectCap": 3}

Remediation

Serve the MCP endpoint at a stable URL with at most one or two redirects.

Methodology

This rule belongs to the Transport security dimension, which covers how the server is reached on the wire: TLS and protocol-level confidentiality of probe traffic.

Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.