This is the documentation for the v2 beta — looking for the v1 documentation?
Skip to content

MCP TypeScript SDK (V2) / @modelcontextprotocol/express / middleware/originValidation

middleware/originValidation

Functions

localhostOriginValidation()

localhostOriginValidation(): RequestHandler

Defined in: middleware/express/src/middleware/originValidation.ts:50

Convenience middleware for localhost Origin validation. Allows only origins whose hostname is localhost, 127.0.0.1, or [::1] (IPv6 localhost).

Returns

RequestHandler

Example

ts
app.use(localhostOriginValidation());

originValidation()

originValidation(allowedOriginHostnames): RequestHandler

Defined in: middleware/express/src/middleware/originValidation.ts:23

Express middleware for Origin header validation. Validates the Origin header hostname (port-agnostic) against an allowed list.

Browsers attach an Origin header to cross-origin requests; validating it — alongside Host header validation — protects localhost and development servers against DNS rebinding and cross-site request forgery. Requests without an Origin header pass (non-browser MCP clients do not send one); a present value that is not allowed, or that cannot be parsed, is rejected with 403.

Parameters

allowedOriginHostnames

string[]

List of allowed origin hostnames (without scheme or port). For IPv6, provide the address with brackets (e.g., [::1]).

Returns

RequestHandler

Express middleware function

Example

ts
app.use(originValidation(['localhost', '127.0.0.1', '[::1]']));