Sandboxing code and actions
When agents run code, browsers, or filesystem operations, use strong isolation (containers, VMs, or dedicated remote sandboxes), not the developer laptop.
Principles
- No host secrets in the sandbox filesystem or environment.
- Egress control: Allowlist domains; block cloud metadata IPs (169.254.169.254).
- Ephemeral environments: Destroy after task completion.
- Resource caps: CPU, memory, wall time.
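The four principles above map onto a container launch. The following is an added example, not code from the original page: a Python launcher that forwards only an explicit allowlist of host environment variables (refusing anything that looks like a credential even when an operator asks for it), runs the task in a throwaway, unprivileged, read-only container with CPU, memory and PID caps, and enforces wall time from the host. The image name, the variable patterns, the limits and the `/workspace` mount path are assumptions chosen for illustration.

```python
import re
import subprocess
import uuid
from typing import Dict, Iterable, List, Sequence

# Assumed patterns: names that look like credentials never cross into the sandbox,
# even if an operator lists them in extra_allow. Tune for your environment.
SECRET_PATTERNS = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|SESSION", re.I)
SECRET_PREFIXES = ("AWS_", "AZURE_", "GOOGLE_", "GITHUB_", "OPENAI_", "ANTHROPIC_", "SSH_", "DOCKER_")
# Only these host variables may be forwarded by default (allowlist, not denylist).
ENV_ALLOWLIST = ("PATH", "LANG", "LC_ALL", "TZ", "TERM")


def looks_like_secret(name: str) -> bool:
    return bool(SECRET_PATTERNS.search(name)) or name.upper().startswith(SECRET_PREFIXES)


def scrub_env(host_env: Dict[str, str], extra_allow: Iterable[str] = ()) -> Dict[str, str]:
    """Return the subset of host_env that may be passed to the sandbox.

    The allowlist admits variables; the secret denylist is a backstop that vetoes
    any extra_allow entry that looks like a credential.
    """
    allowed = set(ENV_ALLOWLIST) | {n for n in extra_allow if not looks_like_secret(n)}
    env = {k: v for k, v in host_env.items() if k in allowed}
    # HOME must never be the host home: ~/.ssh, ~/.aws, ~/.netrc, ~/.docker live there.
    env["HOME"] = "/workspace"
    return env


def docker_sandbox_argv(image: str, workdir: str, command: Sequence[str], env: Dict[str, str],
                        name: str, network: str = "none",
                        memory: str = "512m", cpus: str = "1.0") -> List[str]:
    """Build the `docker run` argv for one ephemeral, capped, unprivileged task."""
    argv = [
        "docker", "run",
        "--name", name,
        "--rm",                                   # ephemeral: removed when the task exits
        "--read-only",                            # immutable root fs; output goes to /workspace
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",
        "--cap-drop=ALL",
        "--security-opt=no-new-privileges",
        "--user", "65534:65534",                  # nobody:nogroup
        "--memory", memory,                       # resource caps
        "--cpus", cpus,
        "--pids-limit", "256",
        "--network", network,                     # "none", or a network whose egress is proxied
        "--workdir", "/workspace",
        "--mount", f"type=bind,src={workdir},dst=/workspace",  # only the task dir, nothing else
    ]
    for key, value in env.items():
        argv += ["-e", f"{key}={value}"]
    argv.append(image)
    argv += list(command)
    return argv


def run_sandboxed(argv: List[str], name: str, wall_time_s: int = 300) -> int:
    """Run the container and enforce wall time from the host side."""
    try:
        return subprocess.run(argv, timeout=wall_time_s).returncode
    except subprocess.TimeoutExpired:
        # Killing the docker client does not stop the container; kill it by name.
        subprocess.run(["docker", "kill", name], check=False)
        return 124


if __name__ == "__main__":
    import os
    task_name = f"agent-task-{uuid.uuid4().hex[:12]}"
    env = scrub_env(dict(os.environ))
    argv = docker_sandbox_argv("python:3.12-slim", "/srv/agent-tasks/demo",
                               ["python", "run.py"], env, name=task_name)
    print(" ".join(argv))
    raise SystemExit(run_sandboxed(argv, task_name, wall_time_s=120))
```

Egress for the task goes through `--network`: `none` for pure compute, otherwise a dedicated network whose only route out is a proxy that applies the domain allowlist and metadata-IP block described above.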
Browser automation
Headless browsers are SSRF amplifiers: block file://, internal hostnames, and redirect chains into internal networks unless explicitly allowed, and check every hop of a redirect, not just the first URL.
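The egress-control principle and the browser rule above need the same check: is this URL allowed to leave the sandbox? The following is an added example, not code from the original page: a Python policy that rejects non-HTTP schemes (so `file://` never reaches the browser), rejects internal hostnames, enforces a domain allowlist, resolves the host and refuses any non-public address (which covers 169.254.169.254, RFC 1918, loopback and IPv4-mapped IPv6 forms, including an allowlisted name that an attacker re-points at the metadata service), and applies all of that to every hop of a redirect chain. The allowlist, the internal suffixes and the `FAKE_DNS` table are constructed for the example; the real resolver is `socket.getaddrinfo`.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed egress allowlist and internal-zone suffixes; adjust for your environment.
EGRESS_ALLOWLIST = {"api.example.com", "pypi.org", "files.pythonhosted.org"}
BLOCKED_HOST_SUFFIXES = (".local", ".internal", ".localhost", ".corp")
# Explicit metadata address as a belt-and-braces check alongside the is_global test.
METADATA_IPS = {"169.254.169.254"}

Resolver = Callable[[str], List[str]]


def resolve_host(host: str) -> List[str]:
    """Resolve to every A/AAAA answer; the policy must pass for all of them."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


# Constructed DNS data for an offline demonstration (not real records).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "pypi.org": ["169.254.169.254"],   # allowlisted name rebound to the metadata IP
    "0x7f000001": ["127.0.0.1"],       # how a libc resolver treats a hex IPv4 literal
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)   # ::ffff:169.254.169.254 -> 169.254.169.254
    if mapped is not None:
        addr = mapped
    if str(addr) in METADATA_IPS:
        return False
    # is_global is False for loopback, link-local, RFC 1918, 100.64/10, ULA, unspecified.
    return addr.is_global


def check_url(url: str, resolve: Resolver = resolve_host) -> Optional[str]:
    """Return None if the URL may leave the sandbox, else the reason it is blocked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"        # file://, gopher://, javascript:
    host = parts.hostname                                     # strips user:pass@ and :port
    if not host:
        return "missing host"
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(BLOCKED_HOST_SUFFIXES):
        return f"internal hostname {host!r}"
    if host not in EGRESS_ALLOWLIST:
        return f"host {host!r} not on egress allowlist"       # also rejects bare IP literals
    ips = resolve(host)
    if not ips:
        return f"host {host!r} did not resolve"
    for ip in ips:
        if not is_public_ip(ip):
            return f"host {host!r} resolves to non-public address {ip}"
    return None


def check_redirect_chain(hops: Iterable[str], resolve: Resolver = resolve_host) -> Optional[str]:
    """Apply check_url to every hop. The HTTP client must not auto-follow redirects
    (e.g. requests: allow_redirects=False) so each Location header is checked here."""
    for i, hop in enumerate(hops):
        reason = check_url(hop, resolve)
        if reason:
            return f"hop {i} blocked: {reason}"
    return None
```

Two caveats the check alone does not cover: the resolve-then-connect gap (DNS rebinding), which you close by connecting to the address you validated and pinning it with a `Host` header or by putting the check in an egress proxy that does its own resolution; and the browser's own fetches (subresources, `<meta http-equiv="refresh">`, service workers), which should route through the same proxy so the policy applies to them too.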