Sandboxing code and actions
When agents run code, browsers, or filesystem operations, use strong isolation—containers, VMs, or dedicated remote sandboxes—not the developer laptop.
Principles
- No host secrets in the sandbox filesystem or environment.
- Egress control — Allowlist domains; block cloud metadata addresses (169.254.169.254, and AWS's IPv6 metadata endpoint fd00:ec2::254), and check the address a hostname resolves to, not just the name.
- Ephemeral environments — Destroy after task completion.
- Resource caps — CPU, memory, wall time.
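The principles above applied to a Docker launch, as an added example that is not part of this page. The image name, the limits, the mount path and the environment allowlist are assumptions, and the image is assumed to need no network at all; `docker run` cannot allowlist egress domains by itself, so a filtered network behind a proxy or firewall would be substituted for `--network none` when the task needs outbound access. The wall-time cap is enforced by killing the container, because a client-side timeout on its own leaves the container running on the daemon.

```python
"""Ephemeral, resource-capped Docker sandbox for one agent task (added example).

Image, limits, mount path and env allowlist are assumptions; the image is
assumed to run as an unprivileged user and to need no network.
"""
import os
import subprocess
import uuid
from dataclasses import dataclass

# Only these host variables reach the container. Tokens, cloud credentials
# and SSH agent sockets are never passed through, so they stay on the host.
DEFAULT_ENV_ALLOWLIST = ("LANG", "TZ")


@dataclass(frozen=True)
class SandboxSpec:
    image: str                    # assumption: minimal image pinned by digest
    workdir: str                  # host directory: the only writable mount
    cpus: str = "1.0"
    memory: str = "1g"
    pids: int = 256
    wall_time_s: int = 120
    network: str = "none"         # or a network whose egress a proxy filters
    env_allowlist: tuple = DEFAULT_ENV_ALLOWLIST


def sandbox_env(spec, host_env=None) -> dict:
    """Allowlist, never a copy of the host environment."""
    host_env = os.environ if host_env is None else host_env
    return {k: v for k, v in host_env.items() if k in spec.env_allowlist}


def docker_run_argv(spec, name, cmd, host_env=None) -> list:
    """`docker run` arguments implementing the principles above."""
    argv = [
        "docker", "run", "--rm", "--name", name,        # ephemeral, killable by name
        "--network", spec.network,
        "--cpus", spec.cpus, "--memory", spec.memory,    # CPU and memory caps
        "--pids-limit", str(spec.pids),                  # no fork bombs
        "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
        "--read-only", "--tmpfs", "/tmp",
        "-v", f"{spec.workdir}:/work", "-w", "/work",
    ]
    for k, v in sorted(sandbox_env(spec, host_env).items()):
        argv += ["-e", f"{k}={v}"]
    return argv + [spec.image] + list(cmd)


def run_in_sandbox(spec, cmd, runner=subprocess.run) -> int:
    """Run cmd in a fresh container. Returns its exit code, or 124 if the
    wall-time cap fired; `runner` is injectable so the flow can be exercised
    without a Docker daemon."""
    name = f"agent-{uuid.uuid4().hex[:12]}"
    client_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}  # docker CLI only
    try:
        proc = runner(docker_run_argv(spec, name, cmd), env=client_env,
                      timeout=spec.wall_time_s)
        return proc.returncode
    except subprocess.TimeoutExpired:
        # subprocess only killed the docker client; the container is still
        # running on the daemon. Kill it by name; --rm then removes it.
        runner(["docker", "kill", name], env=client_env, check=False)
        return 124
```

`run_in_sandbox(SandboxSpec(image="sandbox@sha256:...", workdir="/srv/task-1"), ["python", "task.py"])` runs one task and returns 124 when the cap fires. Note that `--read-only` plus a single bind mount means the task can write only under `/work` and `/tmp`, which is also the only state worth collecting before the container is destroyed.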
Browser automation
Headless browsers are SSRF amplifiers: block file:// and every other non-http(s) scheme, internal hostnames, private and link-local address ranges, and redirect chains that land on internal networks unless explicitly allowed. Apply the check to the address a hostname resolves to at connection time, not only to the name, since a public-looking hostname can resolve to an internal address, and re-run it on every redirect hop.
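An egress guard covering both the egress-control principle above and this browser section, as an added example that is not part of this page. It rejects non-http(s) schemes, hosts outside a domain allowlist, metadata hostnames, and any host whose resolved addresses are not globally routable, and it re-checks every hop of a redirect chain. The domain names, the DNS table and the redirect table are constructed for the demo; `default_resolver` is the only part that touches the real network. A production client must additionally connect to the address it checked (pin the IP) so DNS cannot change between the check and the connect.

```python
"""Egress guard for agent browsers and HTTP tools (added example)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}          # no file://, gopher://, ftp://, ...
# Cloud metadata endpoints: the IPv4 link-local address shared by AWS, GCP
# and Azure, AWS's IPv6 endpoint, and hostname aliases that bypass IP checks.
METADATA_ADDRS = {ipaddress.ip_address("169.254.169.254"),
                  ipaddress.ip_address("fd00:ec2::254")}
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def is_public(addr) -> bool:
    """True only for a globally routable address (is_global excludes private,
    loopback, link-local, CGNAT, reserved and multicast ranges)."""
    return addr not in METADATA_ADDRS and addr.is_global


def default_resolver(host):
    """All A/AAAA answers for host via the system resolver (strips scope ids)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]


def check_url(url, allowed_domains, resolver=default_resolver):
    """Return (ok, reason) for one URL; every redirect hop must pass this too."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS or host.endswith(".internal"):   # policy: treat .internal as private
        return False, f"metadata/internal hostname {host!r}"
    if not any(host == d or host.endswith("." + d) for d in allowed_domains):
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, f"host {host!r} has no addresses"
    bad = [str(a) for a in addrs if not is_public(a)]
    if bad:
        return False, f"host {host!r} resolves to non-public {bad}"
    return True, "ok"


def fetch_with_guard(url, allowed_domains, fetch, resolver=default_resolver, max_hops=5):
    """Follow redirects, re-checking each hop. fetch(url) -> (status, location, body).
    Returns (body or None, chain of (url, ok, reason))."""
    chain = []
    for _ in range(max_hops + 1):
        ok, reason = check_url(url, allowed_domains, resolver)
        chain.append((url, ok, reason))
        if not ok:
            return None, chain
        status, location, body = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return body, chain
        url = urljoin(url, location)                   # Location may be relative
    chain.append((url, False, "too many redirects"))
    return None, chain


# Constructed demo data (hypothetical hosts): a DNS table and a tiny "server".
DEMO_DNS = {
    "docs.example.com": ["93.184.216.34"],
    "rebind.example.com": ["169.254.169.254"],   # attacker DNS aimed at metadata
    "intranet.example.com": ["10.0.0.5"],
}
DEMO_SERVER = {
    "https://docs.example.com/page": (200, None, "<html>ok</html>"),
    "https://docs.example.com/start": (302, "/bounce", ""),
    "https://docs.example.com/bounce": (302, "http://intranet.example.com/admin", ""),
}


def demo_resolver(host):
    return [ipaddress.ip_address(a) for a in DEMO_DNS.get(host, [])]


def demo_fetch(url):
    return DEMO_SERVER.get(url, (404, None, ""))


def demo():
    """Outcomes for the cases the section warns about (allowlist: example.com)."""
    allow = ["example.com"]
    return {
        "file_scheme": check_url("file:///etc/passwd", allow, demo_resolver)[0],
        "metadata_ip": check_url("http://169.254.169.254/latest/meta-data/", allow, demo_resolver)[0],
        "rebind": check_url("https://rebind.example.com/", allow, demo_resolver)[0],
        "page": fetch_with_guard("https://docs.example.com/page", allow, demo_fetch, demo_resolver)[0],
        "redirect_to_internal": fetch_with_guard("https://docs.example.com/start", allow, demo_fetch, demo_resolver)[0],
    }
```

`demo()` returns `False` for the file:// URL, the metadata IP and the allowlisted-but-rebound hostname, the page body for the clean fetch, and `None` for the chain that bounces from `docs.example.com` to `intranet.example.com`; the `chain` value from `fetch_with_guard` records which hop failed and why. The rebind case is the one a name-only allowlist misses: the domain is permitted, but its address is the metadata endpoint.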