MCP TypeScript SDK (V2) / @modelcontextprotocol/node / middleware/hostHeaderValidation
middleware/hostHeaderValidation
Functions
hostHeaderValidation()
hostHeaderValidation(
allowedHostnames): (req,res) =>boolean
Defined in: packages/middleware/node/src/middleware/hostHeaderValidation.ts:26
Node.js request guard for DNS rebinding protection. Validates the Host header hostname (port-agnostic) against an allowed list.
Unlike the framework adapters, plain node:http has no middleware chain, so the guard returns whether the request may proceed: when it returns false it has already answered the request with a 403 JSON-RPC error and the caller must not handle it further.
Parameters
allowedHostnames
string[]
List of allowed hostnames (without ports). For IPv6, provide the address with brackets (e.g., [::1]).
Returns
(req, res) => boolean
Example
const validateHost = hostHeaderValidation(['localhost', '127.0.0.1', '[::1]']);
http.createServer((req, res) => {
if (!validateHost(req, res)) return;
void transport.handleRequest(req, res);
});localhostHostValidation()
localhostHostValidation(): (
req,res) =>boolean
Defined in: packages/middleware/node/src/middleware/hostHeaderValidation.ts:51
Convenience guard for localhost DNS rebinding protection. Allows only localhost, 127.0.0.1, and [::1] (IPv6 localhost) hostnames.
Returns
(req, res) => boolean