MCP TypeScript SDK (V2) / @modelcontextprotocol/fastify / fastify
fastify
Interfaces
CreateMcpFastifyAppOptions
Defined in: fastify.ts:10
Options for creating an MCP Fastify application.
Properties
allowedHosts?
optionalallowedHosts?:string[]
Defined in: fastify.ts:25
List of allowed hostnames for DNS rebinding protection. If provided, host header validation will be applied using this list. For IPv6, provide addresses with brackets (e.g., '[::1]').
This is useful when binding to '0.0.0.0' or '::' but still wanting to restrict which hostnames are allowed.
allowedOrigins?
optionalallowedOrigins?:string[]
Defined in: fastify.ts:37
List of allowed origin hostnames for Origin header validation. If provided, Origin validation will be applied using this list (port-agnostic, hostnames only — the same convention as allowedHosts).
When omitted, Origin validation is automatically enabled for localhost-class binds (the same condition as host validation): requests without an Origin header pass, while a present Origin whose hostname is not localhost-class is rejected with 403.
host?
optionalhost?:string
Defined in: fastify.ts:15
The hostname to bind to. Defaults to '127.0.0.1'. When set to '127.0.0.1', 'localhost', or '::1', DNS rebinding protection is automatically enabled.
Functions
createMcpFastifyApp()
createMcpFastifyApp(
options?):FastifyInstance
Defined in: fastify.ts:69
Creates a Fastify application pre-configured for MCP servers.
When the host is '127.0.0.1', 'localhost', or '::1' (the default is '127.0.0.1'), DNS rebinding protection is automatically applied via an onRequest hook to protect against DNS rebinding attacks on localhost servers.
Fastify parses JSON request bodies by default, so no additional middleware is required for MCP Streamable HTTP endpoints.
Parameters
options?
CreateMcpFastifyAppOptions = {}
Configuration options
Returns
FastifyInstance
A configured Fastify application
Examples
Basic usage - defaults to 127.0.0.1 with DNS rebinding protection
const app = createMcpFastifyApp();Custom host - DNS rebinding protection only applied for localhost hosts
const appOpen = createMcpFastifyApp({ host: '0.0.0.0' }); // No automatic DNS rebinding protection
const appLocal = createMcpFastifyApp({ host: 'localhost' }); // DNS rebinding protection enabledCustom allowed hosts for non-localhost binding
const app = createMcpFastifyApp({ host: '0.0.0.0', allowedHosts: ['myapp.local', 'localhost'] });