UNPKG

@modelcontextprotocol/sdk

Version:

Model Context Protocol implementation for TypeScript

modelcontextprotocol.io

modelcontextprotocol/typescript-sdk

50 lines 2.19 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import express from 'express'; import { hostHeaderValidation, localhostHostValidation } from './middleware/hostHeaderValidation.js'; /** * Creates an Express application pre-configured for MCP servers. * * When the host is '127.0.0.1', 'localhost', or '::1' (the default is '127.0.0.1'), * DNS rebinding protection middleware is automatically applied to protect against * DNS rebinding attacks on localhost servers. * * @param options - Configuration options * @returns A configured Express application * * @example * ```typescript * // Basic usage - defaults to 127.0.0.1 with DNS rebinding protection * const app = createMcpExpressApp(); * * // Custom host - DNS rebinding protection only applied for localhost hosts * const app = createMcpExpressApp({ host: '0.0.0.0' }); // No automatic DNS rebinding protection * const app = createMcpExpressApp({ host: 'localhost' }); // DNS rebinding protection enabled * * // Custom allowed hosts for non-localhost binding * const app = createMcpExpressApp({ host: '0.0.0.0', allowedHosts: ['myapp.local', 'localhost'] }); * ``` */ export function createMcpExpressApp(options = {}) { const { host = '127.0.0.1', allowedHosts } = options; const app = express(); app.use(express.json()); // If allowedHosts is explicitly provided, use that for validation if (allowedHosts) { app.use(hostHeaderValidation(allowedHosts)); } else { // Apply DNS rebinding protection automatically for localhost hosts const localhostHosts = ['127.0.0.1', 'localhost', '::1']; if (localhostHosts.includes(host)) { app.use(localhostHostValidation()); } else if (host === '0.0.0.0' || host === '::') { // Warn when binding to all interfaces without DNS rebinding protection // eslint-disable-next-line no-console console.warn(`Warning: Server is binding to ${host} without DNS rebinding protection. ` + 'Consider using the allowedHosts option to restrict allowed hosts, ' + 'or use authentication to protect your server.'); } } return app; } //# sourceMappingURL=express.js.map