fix: Control default deny list via an env var (#5862)

christopherholland-workday · web-flow · commit 219b040065d1 · 2026-03-02T14:44:34.000-08:00
* Control default deny list via an env var

* fix: Control default deny list via an env var

---------
diff --git a/docker/.env.example b/docker/.env.example
@@ -183,6 +183,7 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 ############################################################################################################
 
 # HTTP_DENY_LIST=
+# HTTP_SECURITY_CHECK=true
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
 # TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)
diff --git a/docker/docker-compose-queue-prebuilt.yml b/docker/docker-compose-queue-prebuilt.yml
@@ -147,6 +147,7 @@ services:
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
+            - HTTP_SECURITY_CHECK=${HTTP_SECURITY_CHECK}
             - TRUST_PROXY=${TRUST_PROXY}
         healthcheck:
             test: ['CMD', 'curl', '-f', 'http://localhost:${PORT:-3000}/api/v1/ping']
@@ -293,6 +294,7 @@ services:
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
+            - HTTP_SECURITY_CHECK=${HTTP_SECURITY_CHECK}
             - TRUST_PROXY=${TRUST_PROXY}
         healthcheck:
             test: ['CMD', 'curl', '-f', 'http://localhost:${WORKER_PORT:-5566}/healthz']
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -132,6 +132,7 @@ services:
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
+            - HTTP_SECURITY_CHECK=${HTTP_SECURITY_CHECK}
             - TRUST_PROXY=${TRUST_PROXY}
         ports:
             - '${PORT}:${PORT}'
diff --git a/docker/worker/.env.example b/docker/worker/.env.example
@@ -183,6 +183,7 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 ############################################################################################################
 
 # HTTP_DENY_LIST=
+# HTTP_SECURITY_CHECK=true
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
 # TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)
diff --git a/docker/worker/docker-compose.yml b/docker/worker/docker-compose.yml
@@ -132,6 +132,7 @@ services:
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
+            - HTTP_SECURITY_CHECK=${HTTP_SECURITY_CHECK}
             - TRUST_PROXY=${TRUST_PROXY}
         ports:
             - '${WORKER_PORT}:${WORKER_PORT}'
diff --git a/packages/components/src/httpSecurity.ts b/packages/components/src/httpSecurity.ts
@@ -27,19 +27,25 @@ const DEFAULT_DENY_LIST = [
 ]
 
 /**
- * Gets the HTTP deny list, always including default protections plus any custom entries
- * @returns Array of denied IP addresses/CIDR ranges (always includes DEFAULT_DENY_LIST)
+ * Gets the HTTP deny list.
+ * When HTTP_SECURITY_CHECK=false, the default deny list is omitted and only
+ * HTTP_DENY_LIST entries are used. Defaults to true (secure).
+ * @returns Array of denied IP addresses, hostnames, or CIDR ranges
  */
 function getHttpDenyList(): string[] {
+    const securityCheckEnabled = process.env.HTTP_SECURITY_CHECK !== 'false'
     const httpDenyListString = process.env.HTTP_DENY_LIST
-    if (httpDenyListString) {
-        const customList = httpDenyListString
-            .split(',')
-            .map((s) => s.trim())
-            .filter(Boolean)
+    const customList = httpDenyListString
+        ? httpDenyListString
+              .split(',')
+              .map((s) => s.trim())
+              .filter(Boolean)
+        : []
+
+    if (securityCheckEnabled) {
         return [...new Set([...DEFAULT_DENY_LIST, ...customList])]
     }
-    return DEFAULT_DENY_LIST
+    return customList
 }
 
 /**
diff --git a/packages/server/.env.example b/packages/server/.env.example
@@ -183,6 +183,7 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 ############################################################################################################
 
 # HTTP_DENY_LIST=
+# HTTP_SECURITY_CHECK=true
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
 # TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)
diff --git a/packages/server/src/commands/base.ts b/packages/server/src/commands/base.ts
@@ -101,6 +101,7 @@ export abstract class BaseCommand extends Command {
         CUSTOM_MCP_SECURITY_CHECK: Flags.string(),
         CUSTOM_MCP_PROTOCOL: Flags.string(),
         HTTP_DENY_LIST: Flags.string(),
+        HTTP_SECURITY_CHECK: Flags.string(),
         TRUST_PROXY: Flags.string(),
 
         // Auth
