Security and target restrictions
Private/reserved IP blocking
Section titled “Private/reserved IP blocking”Targets that resolve to private, reserved, or loopback IP ranges are blocked:
10.0.0.0/8172.16.0.0/12192.168.0.0/16127.0.0.0/8169.254.0.0/16(link-local)::1,fc00::/7,fe80::/10
{ "error": "url rejected: ip 10.0.0.5 is in a blocked range"}The full error envelope is documented in Errors.
DNS resolution is cached and re-validated — SSRF via DNS rebinding is blocked.
Disallowed target classes
Section titled “Disallowed target classes”- Private and reserved IPs (see above)
- Targets on non-standard ports for TCP monitors (restricted to common service ports)
- Targets that actively opt out (see below)
Port restrictions for TCP monitors
Section titled “Port restrictions for TCP monitors”TCP monitors are restricted to a small allowlist of common HTTP-style service ports to prevent the platform being repurposed as a port scanner. The full allowlist is:
80, 443, 8080, 8443, 3000, 5000, 8000, 8888
Any other port returns 400 with an error message naming the allowed set. Database ports (3306, 5432, 6379, 27017), message-queue ports (5672, 9092), and admin-style ports (22, 25, 53, 110, 143, 993, 995) are intentionally not on the list.
URL validation
Section titled “URL validation”All monitor URLs are validated as UTF-8 strings with no null bytes (U+0000) and no ASCII control characters (U+0000–U+001F and U+007F). Violations return 400 before the SSRF guard runs.
Rate limiting and abuse controls
Section titled “Rate limiting and abuse controls”- 200 API requests per minute per account
- Up to 50 monitors per account (up to 100 during extended free tier)
- 10 API keys per account
- Exponential backoff on sustained-down monitors
- Flap detection collapses noisy state transitions
Target owner opt-out
Section titled “Target owner opt-out”Target owners can request opt-out by contacting hello@uptimemonitoring.com. Opted-out domains are blocked from being monitored.