This is the documentation for the v2 beta — looking for the v1 documentation?
Skip to content

MCP TypeScript SDK (V2) / @modelcontextprotocol/fastify / fastify

fastify

Interfaces

CreateMcpFastifyAppOptions

Defined in: fastify.ts:10

Options for creating an MCP Fastify application.

Properties

allowedHosts?

optional allowedHosts?: string[]

Defined in: fastify.ts:25

List of allowed hostnames for DNS rebinding protection. If provided, host header validation will be applied using this list. For IPv6, provide addresses with brackets (e.g., '[::1]').

This is useful when binding to '0.0.0.0' or '::' but still wanting to restrict which hostnames are allowed.

allowedOrigins?

optional allowedOrigins?: string[]

Defined in: fastify.ts:37

List of allowed origin hostnames for Origin header validation. If provided, Origin validation will be applied using this list (port-agnostic, hostnames only — the same convention as allowedHosts).

When omitted, Origin validation is automatically enabled for localhost-class binds (the same condition as host validation): requests without an Origin header pass, while a present Origin whose hostname is not localhost-class is rejected with 403.

host?

optional host?: string

Defined in: fastify.ts:15

The hostname to bind to. Defaults to '127.0.0.1'. When set to '127.0.0.1', 'localhost', or '::1', DNS rebinding protection is automatically enabled.

Functions

createMcpFastifyApp()

createMcpFastifyApp(options?): FastifyInstance

Defined in: fastify.ts:69

Creates a Fastify application pre-configured for MCP servers.

When the host is '127.0.0.1', 'localhost', or '::1' (the default is '127.0.0.1'), DNS rebinding protection is automatically applied via an onRequest hook to protect against DNS rebinding attacks on localhost servers.

Fastify parses JSON request bodies by default, so no additional middleware is required for MCP Streamable HTTP endpoints.

Parameters

options?

CreateMcpFastifyAppOptions = {}

Configuration options

Returns

FastifyInstance

A configured Fastify application

Examples

Basic usage - defaults to 127.0.0.1 with DNS rebinding protection

ts
const app = createMcpFastifyApp();

Custom host - DNS rebinding protection only applied for localhost hosts

ts
const appOpen = createMcpFastifyApp({ host: '0.0.0.0' }); // No automatic DNS rebinding protection
const appLocal = createMcpFastifyApp({ host: 'localhost' }); // DNS rebinding protection enabled

Custom allowed hosts for non-localhost binding

ts
const app = createMcpFastifyApp({ host: '0.0.0.0', allowedHosts: ['myapp.local', 'localhost'] });