MCP TypeScript SDK (V2) / @modelcontextprotocol/fastify / middleware/originValidation
middleware/originValidation
Functions
localhostOriginValidation()
localhostOriginValidation(): (
request,reply) =>Promise<void>
Defined in: middleware/originValidation.ts:48
Convenience hook for localhost Origin validation. Allows only origins whose hostname is localhost, 127.0.0.1, or [::1] (IPv6 localhost).
Returns
(request, reply) => Promise<void>
Example
app.addHook('onRequest', localhostOriginValidation());originValidation()
originValidation(
allowedOriginHostnames): (request,reply) =>Promise<void>
Defined in: middleware/originValidation.ts:23
Fastify onRequest hook for Origin header validation. Validates the Origin header hostname (port-agnostic) against an allowed list.
Browsers attach an Origin header to cross-origin requests; validating it — alongside Host header validation — protects localhost and development servers against DNS rebinding and cross-site request forgery. Requests without an Origin header pass (non-browser MCP clients do not send one); a present value that is not allowed, or that cannot be parsed, is rejected with 403.
Parameters
allowedOriginHostnames
string[]
List of allowed origin hostnames (without scheme or port). For IPv6, provide the address with brackets (e.g., [::1]).
Returns
Fastify onRequest hook handler
(request, reply) => Promise<void>
Example
app.addHook('onRequest', originValidation(['localhost', '127.0.0.1', '[::1]']));