This release adds an MCPGODEBUG flag to opt out of the Content-Type check on POST requests.
Behavior Changes
Prior to v1.6.0 (v1.4.0...v1.5.0), the Content-Type check on POST requests was gated by the same disablecrossoriginprotection MCPGODEBUG flag as the cross-origin protection. In v1.6.0, the cross-origin protection was disabled by default (replaced by the opt-in enableoriginverification flag), but the Content-Type check was kept on unconditionally, leaving no way to disable it.
This release restores an escape hatch for both the Streamable HTTP and SSE transports: setting MCPGODEBUG=disablecontenttypecheck=1 skips the Content-Type: application/json validation on POST requests.
See #957.
What's Changed
- mcp: add MCPGPDEBUG for opt-in Content-Type check by @guglielmo-san in #972
Full Changelog: v1.6.0...v1.6.1