diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
index 5632761a54..abeb8f6bda 100644
--- a/apps/sim/lib/core/security/input-validation.ts
+++ b/apps/sim/lib/core/security/input-validation.ts
@@ -1,6 +1,7 @@
 import dns from 'dns/promises'
 import http from 'http'
 import https from 'https'
+import type { LookupFunction } from 'net'
 import { createLogger } from '@sim/logger'
 import * as ipaddr from 'ipaddr.js'
 
@@ -907,26 +908,28 @@ export async function secureFetchWithPinnedIP(
     const isIPv6 = resolvedIP.includes(':')
     const family = isIPv6 ? 6 : 4
 
-    const agentOptions = {
-      lookup: (
-        _hostname: string,
-        _options: unknown,
-        callback: (err: NodeJS.ErrnoException | null, address: string, family: number) => void
-      ) => {
+    const lookup: LookupFunction = (_hostname, options, callback) => {
+      if (options.all) {
+        callback(null, [{ address: resolvedIP, family }])
+      } else {
         callback(null, resolvedIP, family)
-      },
+      }
     }
 
-    const agent = isHttps
-      ? new https.Agent(agentOptions as https.AgentOptions)
-      : new http.Agent(agentOptions as http.AgentOptions)
+    const agentOptions: http.AgentOptions = { lookup }
+
+    const agent = isHttps ? new https.Agent(agentOptions) : new http.Agent(agentOptions)
+
+    // Remove accept-encoding since Node.js http/https doesn't auto-decompress
+    // Headers are lowercase due to Web Headers API normalization in executeToolRequest
+    const { 'accept-encoding': _, ...sanitizedHeaders } = options.headers ?? {}
 
     const requestOptions: http.RequestOptions = {
       hostname: parsed.hostname,
       port,
       path: parsed.pathname + parsed.search,
       method: options.method || 'GET',
-      headers: options.headers || {},
+      headers: sanitizedHeaders,
       agent,
       timeout: options.timeout || 30000,
     }