fix(api): gate enterprise ZDR/anon search behind searchZDR permission (firecrawl#3167)

firecrawl-spring[bot] · micahstairs · web-flow · commit be165ab0e55b · 2026-03-17T10:45:43.000-04:00
The v2 search and x402-search controllers accept an `enterprise`
parameter for ZDR/anon search but never verified the team has the
searchZDR flag enabled. Any authenticated user could pass
enterprise=["zdr"] or enterprise=["anon"] and use the feature (just
paying higher credits). Add a getSearchZDR() check that returns 403
when the team lacks the searchZDR: "allowed" or "forced" flag.

Co-authored-by: firecrawl-spring[bot] &lt;254786068+firecrawl-spring[bot]@users.noreply.github.com&gt;
Co-authored-by: micahstairs &lt;micah@sideguide.dev&gt;
diff --git a/apps/api/src/controllers/v2/search.ts b/apps/api/src/controllers/v2/search.ts
@@ -90,6 +90,18 @@ export async function searchController(
     zeroDataRetention = isZDROrAnon ?? false;
     applyZdrScope(isZDROrAnon ?? false);
 
+    // Verify the team has searchZDR enabled before allowing enterprise ZDR/anon
+    if (isZDROrAnon) {
+      const searchMode = getSearchZDR(req.acuc?.flags);
+      if (searchMode !== "allowed" && searchMode !== "forced") {
+        return res.status(403).json({
+          success: false,
+          error:
+            "Zero Data Retention (ZDR) search is not enabled for your team. Contact support@firecrawl.com to enable this feature.",
+        });
+      }
+    }
+
     if (!agentRequestId) {
       await logRequest({
         id: jobId,
diff --git a/apps/api/src/controllers/v2/x402-search.ts b/apps/api/src/controllers/v2/x402-search.ts
@@ -243,6 +243,20 @@ export async function x402SearchController(
       origin: req.body.origin,
     });
 
+    // Verify the team has searchZDR enabled before allowing enterprise ZDR/anon
+    const isZDR = req.body.enterprise?.includes("zdr");
+    const isAnon = req.body.enterprise?.includes("anon");
+    if (isZDR || isAnon) {
+      const searchMode = getSearchZDR(req.acuc?.flags);
+      if (searchMode !== "allowed" && searchMode !== "forced") {
+        return res.status(403).json({
+          success: false,
+          error:
+            "Zero Data Retention (ZDR) search is not enabled for your team. Contact support@firecrawl.com to enable this feature.",
+        });
+      }
+    }
+
     await logRequest({
       id: jobId,
       kind: "search",
