Home/ Docs/ Installation, Setup Wizard & Deployment/ What is the "Fetch images" step after import and how does it work safely (SSRF protections)?
Installation, Setup Wizard & Deployment

What is the "Fetch images" step after import and how does it work safely (SSRF protections)?

"Fetch images" is a separate, re-runnable step that reads the image-URL column from your catalogue and downloads each image, processes it, and links it to the product. Because fetching arbitrary URLs server-side is a classic Server-Side Request Forgery (SSRF) risk, the fetcher is hardened: it allows only http/https; **rejects loopback, private, link-local, cloud-metadata, CGNAT, and multicast…

"Fetch images" is a separate, re-runnable step that reads the image-URL column from your catalogue and downloads each image, processes it, and links it to the product. Because fetching arbitrary URLs server-side is a classic Server-Side Request Forgery (SSRF) risk, the fetcher is hardened: it allows only http/https; rejects loopback, private, link-local, cloud-metadata, CGNAT, and multicast addresses (and their IPv6 equivalents); enforces a content-type allowlist; applies a 15-second timeout; and caps downloads at 10 MB. Failures are silent and counted (the product simply keeps its default placeholder). This lets you bulk-attach product imagery from a spreadsheet without exposing your server to internal-network probing. *(One known residual is a DNS-rebinding timing gap, tracked for hardening.)*