Vercel Sandbox now supports allow-listing of egress traffic based on domains. It's really interesting how this works: - You cannot use DNS because people can hardcode the IP - You cannot use IPs because a single IP can host many domains - You could use an HTTP proxy (and many in the industry do) but that only works for HTTP and not other protocols like Redis and Postgres. And it requires the apps to be configured to use the proxy or respect the env var - So, instead, this uses SNI-filtering based on the client-hello header of TLS. This works for all traffic that uses TLS which these days is essentially all traffic
Secure your agents and prevent data exfiltration with Vercel Sandbox. You can now control network traffic by configuring egress policies. vercel.com/changelog/adva…