This is the documentation for the v2 beta — looking for the v1 documentation?
Skip to content

MCP TypeScript SDK (V2) / @modelcontextprotocol/fastify / middleware/hostHeaderValidation

middleware/hostHeaderValidation

Functions

hostHeaderValidation()

hostHeaderValidation(allowedHostnames): (request, reply) => Promise<void>

Defined in: middleware/hostHeaderValidation.ts:22

Fastify onRequest hook for DNS rebinding protection. Validates Host header hostname (port-agnostic) against an allowed list.

This is particularly important for servers without authorization or HTTPS, such as localhost servers or development servers. DNS rebinding attacks can bypass same-origin policy by manipulating DNS to point a domain to a localhost address, allowing malicious websites to access your local server.

Parameters

allowedHostnames

string[]

List of allowed hostnames (without ports). For IPv6, provide the address with brackets (e.g., [::1]).

Returns

Fastify onRequest hook handler

(request, reply) => Promise<void>

Example

ts
app.addHook('onRequest', hostHeaderValidation(['localhost', '127.0.0.1', '[::1]']));

localhostHostValidation()

localhostHostValidation(): (request, reply) => Promise<void>

Defined in: middleware/hostHeaderValidation.ts:47

Convenience hook for localhost DNS rebinding protection. Allows only localhost, 127.0.0.1, and [::1] (IPv6 localhost) hostnames.

Returns

(request, reply) => Promise<void>

Example

ts
app.addHook('onRequest', localhostHostValidation());