MCP TypeScript SDK (V2) / @modelcontextprotocol/node / middleware/originValidation
middleware/originValidation
Functions
localhostOriginValidation()
localhostOriginValidation(): (
req,res) =>boolean
Defined in: packages/middleware/node/src/middleware/originValidation.ts:52
Convenience guard for localhost Origin validation. Allows only origins whose hostname is localhost, 127.0.0.1, or [::1] (IPv6 localhost).
Returns
(req, res) => boolean
originValidation()
originValidation(
allowedOriginHostnames): (req,res) =>boolean
Defined in: packages/middleware/node/src/middleware/originValidation.ts:27
Node.js request guard for Origin header validation. Validates the Origin header hostname (port-agnostic) against an allowed list.
Requests without an Origin header pass (non-browser MCP clients do not send one); a present value that is not allowed, or that cannot be parsed, is rejected with 403. The guard returns whether the request may proceed: when it returns false it has already answered the request and the caller must not handle it further.
Parameters
allowedOriginHostnames
string[]
List of allowed origin hostnames (without scheme or port). For IPv6, provide the address with brackets (e.g., [::1]).
Returns
(req, res) => boolean
Example
const validateOrigin = originValidation(['localhost', '127.0.0.1', '[::1]']);
http.createServer((req, res) => {
if (!validateOrigin(req, res)) return;
void transport.handleRequest(req, res);
});