Retrieval & Document Workflows

Web Fetch URL Validation: Why Claude Can Only Fetch URLs Already in Context

The web fetch tool ships with a built-in guardrail: Claude cannot invent a URL and fetch it. Understanding what that rule does — and does not — protect against is the security half of adopting the tool.

Claude 3P 101 · Updated July 2026 · Unofficial guide

The web fetch tool lets Claude retrieve the full content of a web page or PDF during a conversation — the natural companion to web search, which finds pages but returns only result snippets. A tool that makes outbound HTTP requests from your AI system is also, from a security team's perspective, a potential data-exfiltration channel. Anthropic addresses this with a structural restriction called URL validation, and it is the first thing to understand before enabling the tool.

The rule: fetchable URLs must already be in the conversation

Web fetch will only retrieve URLs that are already present in the conversation context: URLs the user included in messages, URLs returned by client-side tool results, and URLs that earlier web search or web fetch calls produced. Claude cannot fetch a URL it constructed itself.

Why does that matter? The classic exfiltration pattern against tool-using models is prompt injection: malicious text in a processed document instructs the model to encode sensitive data from the conversation into a URL — https://attacker.example/?data=<secrets> — and fetch it, delivering the payload to the attacker's server as a request log entry. URL validation breaks the "encode data into a fresh URL" step: a URL carrying newly encoded secrets, by construction, did not previously exist in context, so the fetch is refused.

The residual risk the docs still warn about

Anthropic's documentation is candid that URL validation reduces, rather than eliminates, exfiltration risk. The remaining surface: an attacker who can influence which of several already-in-context URLs gets fetched, or who can arrange for attacker-controlled URLs to enter context through legitimate channels (a document containing both injected instructions and a list of pre-built URLs, where the choice among them leaks a signal). The information-per-request is far lower than free-form URL construction, but it is not zero. Accordingly, the docs recommend that sensitive environments tighten the tool's configuration — or disable it entirely where the risk is unacceptable.

The three controls that shrink the surface

tools=[{
    "type": "web_fetch_20260309",
    "name": "web_fetch",
    "max_uses": 3,
    "allowed_domains": ["docs.example.com"],
    "max_content_tokens": 20000,
}]

Smaller mechanics to know: URLs are limited to 250 characters (longer ones return a url_too_long error); results are served from a managed cache by default, with "use_cache": false available from version web_fetch_20260309 to force a fresh fetch; fetched pages arrive as document blocks with a retrieved_at timestamp, PDFs as base64 document blocks; JavaScript-rendered sites are not supported. Citations on fetched content are optional and off by default — enable them if your UI attributes claims to pages. There are no per-fetch fees; you pay only token costs.

Platform availability

Web fetch is available on the Claude API, Claude Platform on AWS, and Microsoft Foundry (Hosted on Anthropic deployments only). It is not currently available on Amazon Bedrock or Google Cloud — on those platforms, retrieval of web content is something your own code does before the model call.

Where to go next

See the web fetch tool overview for request anatomy, and web search tool versions for the search-then-fetch pattern where Claude locates a resource and then reads it in full.

Sources