MCP TypeScript SDK (V2) / @modelcontextprotocol/fastify / middleware/hostHeaderValidation
middleware/hostHeaderValidation
Functions
hostHeaderValidation()
hostHeaderValidation(
allowedHostnames): (request,reply) =>Promise<void>
Defined in: middleware/hostHeaderValidation.ts:22
Fastify onRequest hook for DNS rebinding protection. Validates Host header hostname (port-agnostic) against an allowed list.
This is particularly important for servers without authorization or HTTPS, such as localhost servers or development servers. DNS rebinding attacks can bypass same-origin policy by manipulating DNS to point a domain to a localhost address, allowing malicious websites to access your local server.
Parameters
allowedHostnames
string[]
List of allowed hostnames (without ports). For IPv6, provide the address with brackets (e.g., [::1]).
Returns
Fastify onRequest hook handler
(request, reply) => Promise<void>
Example
app.addHook('onRequest', hostHeaderValidation(['localhost', '127.0.0.1', '[::1]']));localhostHostValidation()
localhostHostValidation(): (
request,reply) =>Promise<void>
Defined in: middleware/hostHeaderValidation.ts:47
Convenience hook for localhost DNS rebinding protection. Allows only localhost, 127.0.0.1, and [::1] (IPv6 localhost) hostnames.
Returns
(request, reply) => Promise<void>
Example
app.addHook('onRequest', localhostHostValidation());