MCP TypeScript SDK (V2) / @modelcontextprotocol/express / middleware/hostHeaderValidation
middleware/hostHeaderValidation
Functions
hostHeaderValidation()
hostHeaderValidation(
allowedHostnames):RequestHandler
Defined in: middleware/express/src/middleware/hostHeaderValidation.ts:23
Express middleware for DNS rebinding protection. Validates Host header hostname (port-agnostic) against an allowed list.
This is particularly important for servers without authorization or HTTPS, such as localhost servers or development servers. DNS rebinding attacks can bypass same-origin policy by manipulating DNS to point a domain to a localhost address, allowing malicious websites to access your local server.
Parameters
allowedHostnames
string[]
List of allowed hostnames (without ports). For IPv6, provide the address with brackets (e.g., [::1]).
Returns
RequestHandler
Express middleware function
Example
const middleware = hostHeaderValidation(['localhost', '127.0.0.1', '[::1]']);
app.use(middleware);localhostHostValidation()
localhostHostValidation():
RequestHandler
Defined in: middleware/express/src/middleware/hostHeaderValidation.ts:50
Convenience middleware for localhost DNS rebinding protection. Allows only localhost, 127.0.0.1, and [::1] (IPv6 localhost) hostnames.
Returns
RequestHandler
Example
app.use(localhostHostValidation());