diff --git a/src/services/ssrf.ts b/src/services/ssrf.ts
index 40dee02..aaa4d4f 100644
--- a/src/services/ssrf.ts
+++ b/src/services/ssrf.ts
@@ -24,7 +24,13 @@ const BLOCKED_HOSTS = [
 /^kubernetes/,
 ];
 
+const MAX_URL_LENGTH = 2048;
+
 export async function validateUrl(urlStr: string): Promise<{ hostname: string; resolvedIp: string }> {
+ if (!urlStr || urlStr.length > MAX_URL_LENGTH) {
+ throw new Error(`Invalid URL: must be between 1 and ${MAX_URL_LENGTH} characters`);
+ }
+
 let parsed: URL;
 try {
 parsed = new URL(urlStr);
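Review bot: The new guard at the top of `validateUrl` relies on the `urlStr: string` annotation, which is erased at runtime, so the length bound only holds if the value really is a string. If a caller forwards a value straight from a parsed request body (callers are not visible in this hunk), an array or object would be measured by its own `.length` (or by `undefined`) while `new URL` parses its string form, so the value checked and the value parsed can differ. I would make the guard explicit: `if (typeof urlStr !== 'string' || urlStr.length === 0 || urlStr.length > MAX_URL_LENGTH) {`. A short comment on `MAX_URL_LENGTH` saying why 2048 was chosen, and that the bound applies to the raw input before `new URL` normalises it, would also help. The body of `validateUrl` continues past the end of the hunk.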