Minor Changes
- #2286 1823aae Thanks @felixweinberger! - Add Origin header validation alongside the existing Host header validation. The server package gains framework-agnostic helpers (`validateOriginHeader`, `localhostAllowedOrigins`, `originValidationResponse`); the Express, Hono and Fastify adapters gain `originValidation` / `localhostOriginValidation` middleware and a new `allowedOrigins` option on their app factories, which now arm Origin validation by default for localhost-class binds (mirroring the Host validation ladder; the 0.0.0.0-without-allowlist warning is unchanged). Requests without an `Origin` header pass — non-browser MCP clients are unaffected — while a present `Origin` that is not allowed or cannot be parsed (including the opaque `null` origin) is rejected with `403`. The Node adapter ships `hostHeaderValidation` / `originValidation` request guards for plain `node:http` servers, which previously had no validation helpers.
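
The decision rule described in this entry, as an added stand-alone sketch (not the SDK's code and not its helper signatures): `checkOrigin`, `toOrigin` and `localhostOrigins` are hypothetical names, and the HTTP-only loopback allowlist is an assumption. It goes slightly beyond the text by also rejecting schemes whose origin serializes to `null`.

```javascript
// Added illustration of the rule in the release note above.
// checkOrigin, toOrigin and localhostOrigins are hypothetical names, not SDK exports.

// Assumed localhost-class allowlist for a server bound to a loopback port.
function localhostOrigins(port) {
  return ['localhost', '127.0.0.1', '[::1]'].map((host) => `http://${host}:${port}`);
}

// Serialize a value to scheme://host[:port]; null if unparsable or opaque.
function toOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin; // file:, data: and similar are opaque
  } catch {
    return null; // not a URL at all, including the literal header value "null"
  }
}

function checkOrigin(originHeader, allowedOrigins) {
  // No Origin header: a non-browser client, so the request passes.
  if (originHeader === undefined) return { allowed: true };

  const origin = toOrigin(originHeader);
  if (origin === null) {
    return { allowed: false, status: 403, reason: 'unparsable or opaque Origin' };
  }

  // Exact match on the serialized origin, never prefix or suffix matching,
  // so "localhost.evil.example" cannot pass as "localhost".
  const allowed = new Set(allowedOrigins.map(toOrigin).filter((o) => o !== null));
  if (!allowed.has(origin)) {
    return { allowed: false, status: 403, reason: `Origin ${origin} not allowed` };
  }
  return { allowed: true };
}

// Constructed sample header values (undefined means the header is absent).
const allowlist = localhostOrigins(3000);
const samples = [undefined, 'http://localhost:3000', 'null',
  'https://evil.example', 'http://localhost.evil.example:3000'];
for (const header of samples) {
  console.log(String(header), '->', JSON.stringify(checkOrigin(header, allowlist)));
}
```
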
Patch Changes
- Updated dependencies [
1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,801111e,1823aae,1823aae,6cc7b1c,f0bf785,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae,1823aae]:- @modelcontextprotocol/server@2.0.0-alpha.4