express
Interfaces
CreateMcpExpressAppOptions
Defined in: middleware/express/src/express.ts:10
Options for creating an MCP Express application.
Properties
allowedHosts?
optional allowedHosts?: string[]
Defined in: middleware/express/src/express.ts:25
List of allowed hostnames for DNS rebinding protection. If provided, host header validation will be applied using this list. For IPv6, provide addresses with brackets (e.g., '[::1]').
This is useful when binding to '0.0.0.0' or '::' but still wanting to restrict which hostnames are allowed.
allowedOrigins?
optional allowedOrigins?: string[]
Defined in: middleware/express/src/express.ts:37
List of allowed origin hostnames for Origin header validation. If provided, Origin validation will be applied using this list (port-agnostic, hostnames only — the same convention as allowedHosts).
When omitted, Origin validation is automatically enabled for localhost-class binds (the same condition as host validation): requests without an Origin header pass, while a present Origin whose hostname is not localhost-class is rejected with 403.
host?
optional host?: string
Defined in: middleware/express/src/express.ts:15
The hostname to bind to. Defaults to '127.0.0.1'. When set to '127.0.0.1', 'localhost', or '::1', DNS rebinding protection is automatically enabled.
jsonLimit?
optional jsonLimit?: string
Defined in: middleware/express/src/express.ts:46
Controls the maximum request body size for the JSON body parser. Passed directly to Express's express.json({ limit }) option. Defaults to Express's built-in default of '100kb'.
Example
'1mb', '500kb', '10mb'
Functions
createMcpExpressApp()
createMcpExpressApp(options?): Express
Defined in: middleware/express/src/express.ts:75
Creates an Express application pre-configured for MCP servers.
When the host is '127.0.0.1', 'localhost', or '::1' (the default is '127.0.0.1'), DNS rebinding protection middleware is automatically applied to protect against DNS rebinding attacks on localhost servers.
Parameters
options?
CreateMcpExpressAppOptions = {}
Configuration options
Returns
Express
A configured Express application
Examples
Basic usage - defaults to 127.0.0.1 with DNS rebinding protection
const app = createMcpExpressApp();
Custom host - DNS rebinding protection only applied for localhost hosts
const appOpen = createMcpExpressApp({ host: '0.0.0.0' }); // No automatic DNS rebinding protection
const appLocal = createMcpExpressApp({ host: 'localhost' }); // DNS rebinding protection enabled
Custom allowed hosts for non-localhost binding
const app = createMcpExpressApp({ host: '0.0.0.0', allowedHosts: ['myapp.local', 'localhost'] });
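As an added illustration (not code from the SDK), the sketch below restates the Host and Origin rules documented for host, allowedHosts and allowedOrigins as a standalone TypeScript function and runs constructed requests through it. The names hostnameOf, checkRequest and demo, the contents of the localhost-class list, and the rejection of a missing Host header are assumptions.

```typescript
// Added sketch of the documented rules; not the SDK's middleware.
// All names here are hypothetical, and the sample requests are constructed.
interface Opts { host?: string; allowedHosts?: string[]; allowedOrigins?: string[] }
type Verdict = 'ok' | 'bad-host' | 'bad-origin';
// Assumed contents of the automatic "localhost-class" list (IPv6 in brackets).
const LOCALHOST_CLASS: string[] = ['127.0.0.1', 'localhost', '[::1]'];

// Reduce a Host or Origin value to its hostname: drop scheme and port,
// keep IPv6 brackets ("[::1]:3000" -> "[::1]"). Returns null if malformed.
function hostnameOf(value: string): string | null {
  let rest = value.trim().toLowerCase();
  const scheme = rest.indexOf('://');
  if (scheme !== -1) rest = rest.slice(scheme + 3);
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(:\d+)?$/.exec(rest);
  return m ? (m[1] || null) : null;
}

function checkRequest(opts: Opts, host?: string, origin?: string): Verdict {
  const bind = opts.host === undefined ? '127.0.0.1' : opts.host;
  const localBind = ['127.0.0.1', 'localhost', '::1'].indexOf(bind) !== -1;
  // An explicit list wins; otherwise validation is on only for local binds.
  const hosts = opts.allowedHosts || (localBind ? LOCALHOST_CLASS : null);
  const origins = opts.allowedOrigins || (localBind ? LOCALHOST_CLASS : null);
  if (hosts) {
    // Assumption: a missing or malformed Host header fails validation.
    const h = host === undefined ? null : hostnameOf(host);
    if (h === null || hosts.indexOf(h) === -1) return 'bad-host';
  }
  // No Origin header passes; a present one must match (documented as 403 otherwise).
  if (origins && origin !== undefined) {
    const o = hostnameOf(origin);
    if (o === null || origins.indexOf(o) === -1) return 'bad-origin';
  }
  return 'ok';
}

function demo(): Verdict[] {
  const open: Opts = { host: '0.0.0.0' };
  const pinned: Opts = { host: '0.0.0.0', allowedHosts: ['myapp.local', 'localhost'] };
  return [
    checkRequest({}, 'localhost:3000'),                            // ok
    checkRequest({}, 'rebind.example:3000'),                       // bad-host
    checkRequest({}, '127.0.0.1:3000', 'http://rebind.example'),   // bad-origin
    checkRequest({}, '[::1]:3000', 'http://localhost:5173'),       // ok
    checkRequest(open, 'rebind.example', 'http://rebind.example'), // ok: no checks
    checkRequest(pinned, 'myapp.local:8080'),                      // ok
    checkRequest(pinned, 'other.local'),                           // bad-host
  ];
}
```

The fifth case is the one to watch in review: binding to '0.0.0.0' without allowedHosts leaves both checks off, so any Host or Origin value is accepted.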