Custom blocklists are an Enterprise-only feature. Individual plan users are protected by ThornGuard’s built-in rules.
Domain Blocklists
Block specific upstream MCP server domains that your organization doesn’t want AI agents to access.
How It Works
- Configure blocked domains from the Settings page.
- The blocklist is stored per-license in the license_settings table as a JSON array.
- When a request arrives, the x-mcp-target-url domain is checked against the blocklist.
- Wildcard patterns are supported: *.example.com blocks all subdomains.
Example Domain Blocklist
Blocked Requests
- HTTP response: 403 Forbidden
- Audit action: BLOCKED_CUSTOM_DOMAIN
- Details include the blocked domain context.
Command Blocklists
Block specific command patterns that you don’t want AI agents to execute, beyond the built-in blocked signatures.
How It Works
- Configure blocked command patterns from the Settings page.
- Patterns are stored per-license in license_settings.blocked_commands as a JSON array.
- Each pattern is checked as a substring match against the stringified JSON-RPC payload.
- If any pattern matches, the request is immediately blocked.
Example Command Blocklist
Blocked Requests
- HTTP response: 400 Bad Request
- Audit action:
BLOCKED_CUSTOM_COMMAND - Details include the matched command context.
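The domain and command checks described above, combined into one decision function. This is an added example, not ThornGuard's own code: the function names, the settings object shape, the order of the two checks, case-sensitive command matching, and the handling of the bare apex domain and of an unparseable target URL are all assumptions, and the sample entries are constructed.

```javascript
// Added illustration, not ThornGuard's code. Function names, the settings
// object shape and the check order are assumptions made for this sketch.

// Constructed sample settings: two JSON arrays, as stored per license.
const sampleSettings = {
  blocked_domains: ["*.example.com", "mcp.blocked.test"],
  blocked_commands: ["rm -rf", "DROP TABLE"],
};

// Lowercase and drop one trailing dot so "API.Example.com." compares equal.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// "*.example.com" matches subdomains only on a label boundary, so
// "notexample.com" is not caught. Apex handling is an assumption: the page
// only says subdomains are blocked, so the bare apex is not matched here.
function domainMatches(pattern, host) {
  const p = normalizeHost(pattern);
  return p.startsWith("*.") ? host.endsWith(p.slice(1)) : host === p;
}

// Returns the decision the page describes: 403 + BLOCKED_CUSTOM_DOMAIN,
// 400 + BLOCKED_CUSTOM_COMMAND, or allowed.
function evaluateRequest(settings, targetUrl, rpcPayload) {
  let host;
  try {
    host = normalizeHost(new URL(targetUrl).hostname);
  } catch (err) {
    // Assumption: an unparseable x-mcp-target-url fails closed with a 400.
    return { allowed: false, status: 400, action: null, match: null };
  }
  const domain = settings.blocked_domains.find((p) => domainMatches(p, host));
  if (domain) {
    return { allowed: false, status: 403, action: "BLOCKED_CUSTOM_DOMAIN", match: domain };
  }
  // Substring match on the serialized payload: it is case-sensitive here
  // (assumption) and hits any field, not only the command argument.
  const text = JSON.stringify(rpcPayload);
  const command = settings.blocked_commands.find((p) => text.includes(p));
  if (command) {
    return { allowed: false, status: 400, action: "BLOCKED_CUSTOM_COMMAND", match: command };
  }
  return { allowed: true, status: null, action: null, match: null };
}
```

Because the command check runs over the whole serialized payload, a pattern also blocks requests where the text appears in a free-text field, so short or common patterns are worth reviewing against the audit log after they are added.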
Managing Blocklists
Both domain and command blocklists are managed from the ThornGuard Dashboard → Settings page:
- Add entries using the tag input: type a pattern and press Enter.
- Remove entries by clicking the × on any tag.
- Changes take effect immediately on the next request.