feat: Add transport security configuration with DNS rebinding protection #144
DavidFHCh wants to merge 5 commits into
- Add --disable-dns-rebinding-protection, --allowed-hosts, --allowed-origins CLI flags
- Move transport security from module-level init to main() (after argparse)
- Apply transport security only for SSE and streamable-http transports (not stdio)
- Env vars (POSTGRES_MCP_*) override CLI flags when both are set
- Add comprehensive test suite: 10 scenarios × 2 transports = 20 tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Align with the shorter MCP_* naming convention used in the original PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Rename MCP_DNS_REBINDING_PROTECTION to MCP_ENABLE_DNS_REBINDING_PROTECTION
- Add monkeypatch fixture to clear MCP_* env vars in tests
- Remove coupling to FastMCP upstream defaults in test_default_defers_to_fastmcp
- Update README with CLI flags documentation table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Use MCP_ENABLE_DNS_REBINDING_PROTECTION env var name (matching upstream)
- Add monkeypatch env cleanup in tests to prevent flakiness
- Remove coupling to FastMCP upstream defaults in tests
- Update README with CLI flags + env vars documentation table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…hancements feat: add CLI flags and tests for transport security
+1 — would love to see this land. We hit the same DNS-rebinding 421 wiring postgres-mcp 0.3.0 (rebuilt from main HEAD Two CLI flags you've added ( Issue #145 reports the same gotcha for a docker compose deployment. Common pattern: any non-localhost host binding triggers this. While waiting for #144 to land, we vendored a minimal hotfix in our fork as a stopgap (drops
No description provided.
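
An added example, not code from this PR or from postgres-mcp: a stand-alone version of the Host/Origin allowlist check that DNS rebinding protection performs, showing why a non-localhost Host header gets a 421 until it is allowlisted, plus the env-over-CLI precedence from the first commit. The `SecurityConfig` class, the `name:*` port wildcard, the 403 for a rejected Origin, the accepted env var values and the sample host names are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityConfig:
    """Hypothetical settings holder for this example."""
    enabled: bool = True
    allowed_hosts: list = field(default_factory=lambda: ["127.0.0.1:*", "localhost:*"])
    allowed_origins: list = field(
        default_factory=lambda: ["http://127.0.0.1:*", "http://localhost:*"])

def resolve_enabled(cli_disable, env):
    """Env var wins over the CLI flag when both are set (accepted values are assumed)."""
    raw = env.get("MCP_ENABLE_DNS_REBINDING_PROTECTION")
    if raw is not None:
        return raw.strip().lower() in ("1", "true", "yes")
    return not cli_disable

def _matches(value, patterns):
    """Exact match, or 'name:*' meaning that name with any numeric port."""
    value = value.lower()
    for pattern in patterns:
        pattern = pattern.lower()
        if value == pattern:
            return True
        if pattern.endswith(":*"):
            base = pattern[:-2]
            if value.startswith(base + ":") and value[len(base) + 1:].isdigit():
                return True
    return False

def check_request(headers, cfg):
    """Return (status, reason); 200 means the request reaches the MCP handler."""
    if not cfg.enabled:
        return 200, "protection disabled"
    host = headers.get("host")
    if not host or not _matches(host, cfg.allowed_hosts):
        return 421, "Invalid Host header"   # the 421 reported in the thread
    origin = headers.get("origin")          # typically sent by browsers only
    if origin is not None and not _matches(origin, cfg.allowed_origins):
        return 403, "Invalid Origin header"
    return 200, "ok"

if __name__ == "__main__":
    # Constructed requests: a local client, then a client using a service name.
    default = SecurityConfig()
    name = "postgres-mcp.internal.example"
    print(check_request({"host": "localhost:8000"}, default))
    print(check_request({"host": name + ":8000"}, default))
    widened = SecurityConfig(allowed_hosts=default.allowed_hosts + [name + ":*"])
    print(check_request({"host": name + ":8000"}, widened))
```

Widening `allowed_hosts` to the exact service name keeps the check active for every other Host value, which disabling the protection does not.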