[DOCS] Domain fronting security warning lacks list of high-risk domains and mitigation guidance
Documentation Type
Missing documentation (feature not documented)
Documentation Location
- https://code.claude.com/en/sandboxing (Security Limitations section) - https://platform.claude.com/en/agent-sdk/secure-deployment (Security considerations section)
Section/Topic
Sandboxing page — "Security Limitations" section, domain fronting warning: > Users should be aware of potential risks that come from allowing broad domains like github.com that may allow for data exfiltration. Also, in some cases it may be possible to bypass the network filtering through domain fronting. Secure Deployment page — "Security considerations" under Sandbox runtime: > No TLS inspection: The proxy allowlists domains but doesn't inspect encrypted traffic. If the agent has permissive credentials for an allowed domain, ensure it isn't possible to use that domain to trigger other network requests or to exfiltrate data.
Current Documentation
From sandboxing.md:
<Warning>
Users should be aware of potential risks that come from allowing broad domains like `github.com` that may allow for data exfiltration. Also, in some cases it may be possible to bypass the network filtering through [domain fronting](https://en.wikipedia.org/wiki/Domain_fronting).
</Warning>
From secure-deployment.md:
2. **No TLS inspection**: The proxy allowlists domains but doesn't inspect encrypted traffic. If the agent has permissive credentials for an allowed domain, ensure it isn't possible to use that domain to trigger other network requests or to exfiltrate data.
What's Wrong or Missing?
The documentation warns users about domain fronting but provides no actionable guidance:
- No list of high-risk domains — Users don't know which domains enable domain fronting. CDN and cloud provider domains are particularly dangerous:
*.cloudfront.net— Any CloudFront origin is reachable*.cloudflare.com— Any Cloudflare-proxied site*.azureedge.net— Azure CDN*.googleapis.com— Various Google services- Major cloud platforms that host arbitrary customer backends
- No mitigation strategies — The warning says "be aware" but doesn't explain how to reduce risk beyond avoiding broad domains.
- Disconnected guidance — The sandboxing page and secure-deployment page both discuss this limitation but don't cross-reference each other or provide a unified mitigation approach.
- "Broad domains" is vague —
github.comis mentioned as an example, but users need to understand why (it hosts arbitrary user content) and which other domains share this characteristic.
Suggested Improvement
Add a structured section on network domain risks with actionable guidance:
### High-risk domain patterns
When configuring allowed domains, be aware that some domains can serve content from arbitrary origins, potentially enabling data exfiltration even when you've restricted network access.
| Domain Pattern | Risk |
|----------------|------|
| `*.cloudfront.net` | Any CloudFront distribution is reachable |
| `*.cloudflare.com` | Any Cloudflare-proxied site |
| `*.azureedge.net` | Azure CDN endpoints |
| `*.fastly.net` | Fastly CDN endpoints |
| `github.com`, `githubusercontent.com` | User-controlled content hosting |
| `*.s3.amazonaws.com` | Any public S3 bucket |
**Mitigation options:**
1. **Prefer specific subdomains** — Allow `api.github.com` rather than `*.github.com`
2. **Use IP allowlists when possible** — For critical APIs with stable IPs
3. **Enable TLS inspection** — Custom proxies can verify SNI matches the Host header
4. **Consider a dedicated egress proxy** — Route all traffic through an inspecting proxy that logs and validates requests
For high-security deployments, see [Securely deploying AI agents](/en/agent-sdk/secure-deployment) for proxy architectures that provide defense in depth.
Impact
High - Prevents users from using a feature
Additional Context
Affected files:
| File | Location in Mirror |
|------|-------------------|
| Sandboxing | code-claude/docs/en/sandboxing.md:175-177 |
| Secure Deployment | platform-claude/docs/en/agent-sdk/secure-deployment.md:99 |
| Security (related) | code-claude/docs/en/security.md |
Cross-reference opportunity: The sandboxing page should link to the secure-deployment page's proxy architecture section, and vice versa.
Current model references: https://docs.anthropic.com/en/docs/about-claude/models
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗