Security

Trust Levels

Every service in the registry has a trust level. By default, only trusted services (verified + community) appear in search results.

Rate Limits

All API endpoints are rate limited to prevent abuse. Limits are per-IP.

When rate limited, the API returns HTTP 429 with a Retry-After header indicating when you can retry.

Domain Protection

To prevent domain squatting, manual submissions are blocked for major domains (Google, Amazon, Stripe, GitHub, etc.). To register a protected domain, use auto-discover mode — the service must actually host a /.well-known/agent manifest, proving ownership.

Admin-blocked domains are rejected in all submission modes.

Input Validation

All inputs are validated and sanitized before processing.

• ✓All URLs must use HTTPS (no HTTP, javascript:, data:, or file: schemes)
• ✓SSRF protection: localhost and private IPs are rejected
• ✓HTML tags are stripped from all text fields
• ✓Detail URLs must be relative or same-domain HTTPS
• ✓Domain format validation (no IPs, no ports)

Reporting

Found a service that violates our policies or appears malicious? You can report it directly from the service detail page using the "Report" button, or via the API:

POST /api/reports
Content-Type: application/json

{
  "domain": "suspicious-service.com",
  "reason": "Phishing — impersonating a legitimate service"
}

Reports are reviewed by the AgentDNS team. Confirmed violations result in the service being blocked.

Security Headers

All responses include security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy. CORS is enabled for API endpoints to support cross-origin agent requests.