This is the documentation for the v2 beta.

MCP TypeScript SDK (V2) / @modelcontextprotocol/express / express

express

Interfaces

CreateMcpExpressAppOptions

Defined in: middleware/express/src/express.ts:10

Options for creating an MCP Express application.

Properties

allowedHosts?

optional allowedHosts?: string[]

Defined in: middleware/express/src/express.ts:25

List of allowed hostnames for DNS rebinding protection. If provided, host header validation will be applied using this list. For IPv6, provide addresses with brackets (e.g., '[::1]').

This is useful when binding to '0.0.0.0' or '::' but still wanting to restrict which hostnames are allowed.

allowedOrigins?

optional allowedOrigins?: string[]

Defined in: middleware/express/src/express.ts:37

List of allowed origin hostnames for Origin header validation. If provided, Origin validation will be applied using this list (port-agnostic, hostnames only — the same convention as allowedHosts).

When omitted, Origin validation is automatically enabled for localhost-class binds (the same condition as host validation): requests without an Origin header pass, while a present Origin whose hostname is not localhost-class is rejected with 403.

host?

optional host?: string

Defined in: middleware/express/src/express.ts:15

The hostname to bind to. Defaults to '127.0.0.1'. When set to '127.0.0.1', 'localhost', or '::1', DNS rebinding protection is automatically enabled.

jsonLimit?

optional jsonLimit?: string

Defined in: middleware/express/src/express.ts:46

Controls the maximum request body size for the JSON body parser. Passed directly to Express's express.json({ limit }) option. Defaults to Express's built-in default of '100kb'.

Example
```ts
'1mb', '500kb', '10mb'
```

Functions

createMcpExpressApp()

createMcpExpressApp(options?): Express

Defined in: middleware/express/src/express.ts:75

Creates an Express application pre-configured for MCP servers.

When the host is '127.0.0.1', 'localhost', or '::1' (the default is '127.0.0.1'), DNS rebinding protection middleware is automatically applied to protect against DNS rebinding attacks on localhost servers.

Parameters

options?

CreateMcpExpressAppOptions = {}

Configuration options

Returns

Express

A configured Express application

Examples

Basic usage - defaults to 127.0.0.1 with DNS rebinding protection

```ts
const app = createMcpExpressApp();
```

Custom host - DNS rebinding protection only applied for localhost hosts

```ts
const appOpen = createMcpExpressApp({ host: '0.0.0.0' }); // No automatic DNS rebinding protection
const appLocal = createMcpExpressApp({ host: 'localhost' }); // DNS rebinding protection enabled
```

Custom allowed hosts for non-localhost binding

```ts
const app = createMcpExpressApp({ host: '0.0.0.0', allowedHosts: ['myapp.local', 'localhost'] });
```
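
The Host and Origin rules documented for `host`, `allowedHosts` and `allowedOrigins`, modelled as a standalone TypeScript sketch that returns the status a request would get. This is an added example, not the SDK's own implementation: every identifier in it (`validate`, `effectiveList`, `hostnameOf`, `originHostname`, `LOCALHOST_CLASS`) is hypothetical, and rejecting a missing or malformed Host header is an assumption.

```typescript
// Added illustration of the documented checks; not the SDK's implementation.
// All identifiers below are hypothetical.
type AppOptions = { host?: string; allowedHosts?: string[]; allowedOrigins?: string[] };
type ReqHeaders = { host?: string; origin?: string };

// Assumption: the localhost-class set is the three names the page lists ('::1' bracketed).
const LOCALHOST_CLASS = ['127.0.0.1', 'localhost', '[::1]'];

// Hostname of "name", "name:port", "[v6]" or "[v6]:port"; null if malformed.
function hostnameOf(authority: string): string | null {
  const m = /^(\[[0-9a-f:.]+\]|[^:\/\s\[\]]+)(?::\d+)?$/.exec(authority.trim().toLowerCase());
  return m ? m[1] : null;
}

// Origin is "scheme://authority"; "null" and other opaque values yield null.
function originHostname(origin: string): string | null {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(.+)$/i.exec(origin.trim());
  return m ? hostnameOf(m[1]) : null;
}

// Effective allow-list: an explicit list wins; otherwise it is automatic
// only on localhost-class binds, and absent (null) on any other bind.
function effectiveList(explicit: string[] | undefined, bind: string): string[] | null {
  if (explicit !== undefined) return explicit.map((h) => h.toLowerCase());
  const bound = bind === '::1' ? '[::1]' : bind;
  return LOCALHOST_CLASS.indexOf(bound) !== -1 ? LOCALHOST_CLASS : null;
}

// Status the validation layer would return for one request: 200 (pass) or 403.
function validate(options: AppOptions, headers: ReqHeaders): number {
  const bind = options.host ?? '127.0.0.1';
  const hosts = effectiveList(options.allowedHosts, bind);
  if (hosts !== null) {
    // Assumption: a missing or malformed Host header is rejected.
    const host = headers.host === undefined ? null : hostnameOf(headers.host);
    if (host === null || hosts.indexOf(host) === -1) return 403;
  }
  const origins = effectiveList(options.allowedOrigins, bind);
  if (origins !== null && headers.origin !== undefined) {
    // Requests without an Origin header pass; a present one must be listed.
    const originHost = originHostname(headers.origin);
    if (originHost === null || origins.indexOf(originHost) === -1) return 403;
  }
  return 200;
}
```

With the default bind, `validate({}, { host: 'attacker.example:3000' })` returns 403, while `validate({ host: '0.0.0.0' }, { host: 'attacker.example' })` returns 200: a wildcard bind has no automatic check, so it needs an explicit `allowedHosts` list.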