This is the documentation for the v2 beta — looking for the v1 documentation?
Skip to content

MCP TypeScript SDK (V2) / @modelcontextprotocol/fastify / middleware/originValidation

middleware/originValidation

Functions

localhostOriginValidation()

localhostOriginValidation(): (request, reply) => Promise<void>

Defined in: middleware/originValidation.ts:48

Convenience hook for localhost Origin validation. Allows only origins whose hostname is localhost, 127.0.0.1, or [::1] (IPv6 localhost).

Returns

(request, reply) => Promise<void>

Example

ts
app.addHook('onRequest', localhostOriginValidation());

originValidation()

originValidation(allowedOriginHostnames): (request, reply) => Promise<void>

Defined in: middleware/originValidation.ts:23

Fastify onRequest hook for Origin header validation. Validates the Origin header hostname (port-agnostic) against an allowed list.

Browsers attach an Origin header to cross-origin requests; validating it — alongside Host header validation — protects localhost and development servers against DNS rebinding and cross-site request forgery. Requests without an Origin header pass (non-browser MCP clients do not send one); a present value that is not allowed, or that cannot be parsed, is rejected with 403.

Parameters

allowedOriginHostnames

string[]

List of allowed origin hostnames (without scheme or port). For IPv6, provide the address with brackets (e.g., [::1]).

Returns

Fastify onRequest hook handler

(request, reply) => Promise<void>

Example

ts
app.addHook('onRequest', originValidation(['localhost', '127.0.0.1', '[::1]']));