Update conformance tests with DNS rebinding protection

Kehrlann · Kehrlann · commit 68ed7955b9c2 · 2026-02-04T21:20:15.000+01:00
Signed-off-by: Daniel Garnier-Moiroux &lt;git@garnier.wf&gt;
diff --git a/conformance-tests/VALIDATION_RESULTS.md b/conformance-tests/VALIDATION_RESULTS.md
@@ -15,13 +15,12 @@
 - **Resources (4/6):** list, read-text, read-binary, templates-read
 - **Prompts (4/4):** list, simple, with-args, embedded-resource, with-image
 - **SSE Transport (2/2):** Multiple streams
-- **Security (1/2):** Localhost validation passes
+- **Security (2/2):** Localhost validation passes, DNS rebinding protection
 
 ### Failing (3/40)
 
 1. **resources-subscribe** - Not implemented in SDK
 2. **resources-unsubscribe** - Not implemented in SDK  
-3. **dns-rebinding-protection** - Missing Host/Origin validation (1/2 checks)
 
 ## Client Test Results
 
@@ -44,7 +43,6 @@
 
 1. **Resource Subscriptions:** SDK doesn't implement `resources/subscribe` and `resources/unsubscribe` handlers
 2. **Client SSE Retry:** Client doesn't parse or respect the `retry:` field, reconnects immediately, and doesn't send Last-Event-ID header
-3. **DNS Rebinding Protection:** Missing Host/Origin header validation in server transport
 
 ## Running Tests
 
diff --git a/conformance-tests/conformance-baseline.yml b/conformance-tests/conformance-baseline.yml
@@ -6,9 +6,6 @@ server:
   # Resource subscription not implemented in SDK
   - resources-subscribe
   - resources-unsubscribe
-  
-  # DNS rebinding protection missing Host/Origin validation
-  - dns-rebinding-protection
 
 client:
   # SSE retry field handling not implemented
diff --git a/conformance-tests/server-servlet/README.md b/conformance-tests/server-servlet/README.md
@@ -32,8 +32,8 @@ The server has been validated against the official [MCP conformance test suite](
 ✅ **SSE Transport** (2/2)
 - Multiple streams support
 
-⚠️ **Security** (1/2)
-- ⚠️ DNS rebinding protection (SDK limitation)
+✅ **Security** (2/2)
+- ✅ DNS rebinding protection
 
 ## Features
 
diff --git a/conformance-tests/server-servlet/src/main/java/io/modelcontextprotocol/conformance/server/ConformanceServlet.java b/conformance-tests/server-servlet/src/main/java/io/modelcontextprotocol/conformance/server/ConformanceServlet.java
@@ -7,6 +7,7 @@
 
 import io.modelcontextprotocol.server.McpServer;
 import io.modelcontextprotocol.server.McpServerFeatures;
+import io.modelcontextprotocol.server.transport.DefaultServerTransportSecurityValidator;
 import io.modelcontextprotocol.server.transport.HttpServletStreamableServerTransportProvider;
 import io.modelcontextprotocol.spec.McpSchema.AudioContent;
 import io.modelcontextprotocol.spec.McpSchema.BlobResourceContents;
@@ -66,6 +67,8 @@ public static void main(String[] args) throws Exception {
 			.builder()
 			.mcpEndpoint(MCP_ENDPOINT)
 			.keepAliveInterval(Duration.ofSeconds(30))
+			.securityValidator(
+					DefaultServerTransportSecurityValidator.builder().allowedOrigin("http://localhost:*").build())
 			.build();
 
 		// Build server with all conformance test features
