MCP TypeScript SDK (V2) / @modelcontextprotocol/express / middleware/originValidation
middleware/originValidation
Functions
localhostOriginValidation()
localhostOriginValidation():
RequestHandler
Defined in: middleware/express/src/middleware/originValidation.ts:50
Convenience middleware for localhost Origin validation. Allows only origins whose hostname is localhost, 127.0.0.1, or [::1] (IPv6 localhost).
Returns
RequestHandler
Example
app.use(localhostOriginValidation());originValidation()
originValidation(
allowedOriginHostnames):RequestHandler
Defined in: middleware/express/src/middleware/originValidation.ts:23
Express middleware for Origin header validation. Validates the Origin header hostname (port-agnostic) against an allowed list.
Browsers attach an Origin header to cross-origin requests; validating it — alongside Host header validation — protects localhost and development servers against DNS rebinding and cross-site request forgery. Requests without an Origin header pass (non-browser MCP clients do not send one); a present value that is not allowed, or that cannot be parsed, is rejected with 403.
Parameters
allowedOriginHostnames
string[]
List of allowed origin hostnames (without scheme or port). For IPv6, provide the address with brackets (e.g., [::1]).
Returns
RequestHandler
Express middleware function
Example
app.use(originValidation(['localhost', '127.0.0.1', '[::1]']));