From 1979e683dbd3ccd284f41a9c025998a7cabe6ada Mon Sep 17 00:00:00 2001 From: cliffhall Date: Tue, 16 Sep 2025 15:55:53 -0400 Subject: [PATCH 1/7] * In src/everything/sse.ts - import cors - use cors with config allowing any origin + GET/POST * In src/everything/streamableHttp.ts - import cors - use cors with config allowing any origin + GET/POST/DELETE, and exposed protocol headers for client to read * In package.json and package-lock.json - add cors as a dependency --- package-lock.json | 1 + src/everything/package.json | 1 + src/everything/sse.ts | 8 +++++++- src/everything/streamableHttp.ts | 13 +++++++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/package-lock.json b/package-lock.json index 34ecd5d41b..9e3404e46b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -5819,6 +5819,7 @@ "license": "MIT", "dependencies": { "@modelcontextprotocol/sdk": "^1.18.0", + "cors": "^2.8.5", "express": "^4.21.1", "zod": "^3.23.8", "zod-to-json-schema": "^3.23.5" diff --git a/src/everything/package.json b/src/everything/package.json index c0a240de49..891f613515 100644 --- a/src/everything/package.json +++ b/src/everything/package.json @@ -23,6 +23,7 @@ }, "dependencies": { "@modelcontextprotocol/sdk": "^1.18.0", + "cors": "^2.8.5", "express": "^4.21.1", "zod": "^3.23.8", "zod-to-json-schema": "^3.23.5" diff --git a/src/everything/sse.ts b/src/everything/sse.ts index f201341948..7f46f6a9af 100644 --- a/src/everything/sse.ts +++ b/src/everything/sse.ts @@ -1,11 +1,17 @@ import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js"; import express from "express"; import { createServer } from "./everything.js"; +import cors from 'cors'; console.error('Starting SSE server...'); const app = express(); - +app.use(cors({ + "origin": "*", + "methods": "GET,POST", + "preflightContinue": false, + "optionsSuccessStatus": 204, + })); // Enable CORS for all routes const transports: Map = new Map(); app.get("/sse", async (req, res) => { 
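Review bot: The `"origin": "*"` passed to `cors()` ahead of the `transports` map in src/everything/sse.ts lets script from any web origin call this server from a browser and read its responses, and nothing in the hunk limits that to the client it is meant for. The same wildcard is added to src/everything/streamableHttp.ts in this patch, and PATCH 3/7 and 6/7 only attach a caution comment to it. Making the origin configurable would let anything beyond local testing pin it, for example `"origin": process.env.ALLOWED_ORIGIN ?? "*",` where the variable name is a placeholder. `"preflightContinue": false` and `"optionsSuccessStatus": 204` are already the `cors` package defaults and could be dropped. The `app.get("/sse", …)` handler on the last context line continues outside the hunk.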
diff --git a/src/everything/streamableHttp.ts b/src/everything/streamableHttp.ts index c4fed73803..c5e7242e82 100644 --- a/src/everything/streamableHttp.ts +++ b/src/everything/streamableHttp.ts @@ -3,10 +3,22 @@ import { InMemoryEventStore } from '@modelcontextprotocol/sdk/examples/shared/in import express, { Request, Response } from "express"; import { createServer } from "./everything.js"; import { randomUUID } from 'node:crypto'; +import cors from 'cors'; console.error('Starting Streamable HTTP server...'); const app = express(); +app.use(cors({ + "origin": "*", + "methods": "GET,POST,DELETE", + "preflightContinue": false, + "optionsSuccessStatus": 204, + "exposedHeaders": [ + 'mcp-session-id', + 'last-event-id', + 'mcp-protocol-version' + ] +})); // Enable CORS for all routes const transports: Map = new Map(); @@ -15,6 +27,7 @@ app.post('/mcp', async (req: Request, res: Response) => { try { // Check for existing session ID const sessionId = req.headers['mcp-session-id'] as string | undefined; + console.log(`Session id: ${sessionId}`); let transport: StreamableHTTPServerTransport; if (sessionId && transports.has(sessionId)) { From 921e2f7d994943dd7b0c9827b819799d103f2a20 Mon Sep 17 00:00:00 2001 From: cliffhall Date: Tue, 16 Sep 2025 18:31:04 -0400 Subject: [PATCH 2/7] * In package.json and package-lock.json - add @types/cors as dev dependency --- package-lock.json | 11 +++++++++++ src/everything/package.json | 3 ++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/package-lock.json b/package-lock.json index 9e3404e46b..7a6e772c59 100644 --- a/package-lock.json +++ b/package-lock.json 
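Review bot: Listing `mcp-session-id` in `exposedHeaders` while `"origin"` is `"*"` makes the session identifier readable by script on any web page, and as far as the second hunk shows, that header alone selects the transport (`transports.has(sessionId)`). Because `allowedHeaders` is not set, the `cors` package reflects whatever headers the preflight requests, so the same page can send the identifier back on POST and DELETE. If only the Inspector needs this, restrict `origin` to it and name the accepted request headers explicitly, for example `"allowedHeaders": ['content-type', 'mcp-session-id', 'mcp-protocol-version', 'last-event-id'],`, a sketch to check against what the client really sends. `last-event-id` is normally a request header, so exposing it as a response header may be unnecessary. The `app.post('/mcp', …)` handler in the second hunk continues outside it.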
@@ -1376,6 +1376,16 @@ "@types/node": "*" } }, + "node_modules/@types/cors": { + "version": "2.8.19", + "resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.19.tgz", + "integrity": "sha512-mFNylyeyqN93lfe/9CSxOGREz8cpzAhH+E93xJ4xWQf62V8sQ/24reV2nyzUWM6H6Xji+GGHpkbLe7pVoUEskg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/node": "*" + } + }, "node_modules/@types/diff": { "version": "5.2.3", "resolved": "https://registry.npmjs.org/@types/diff/-/diff-5.2.3.tgz", @@ -5828,6 +5838,7 @@ "mcp-server-everything": "dist/index.js" }, "devDependencies": { + "@types/cors": "^2.8.19", "@types/express": "^5.0.0", "shx": "^0.3.4", "typescript": "^5.6.2" diff --git a/src/everything/package.json b/src/everything/package.json index 891f613515..e388922d1a 100644 --- a/src/everything/package.json +++ b/src/everything/package.json @@ -23,12 +23,13 @@ }, "dependencies": { "@modelcontextprotocol/sdk": "^1.18.0", - "cors": "^2.8.5", + "cors": "^2.8.5", "express": "^4.21.1", "zod": "^3.23.8", "zod-to-json-schema": "^3.23.5" }, "devDependencies": { + "@types/cors": "^2.8.19", "@types/express": "^5.0.0", "shx": "^0.3.4", "typescript": "^5.6.2" From 0ea3756791bc143105fcd0092e1f6545a70baa0e Mon Sep 17 00:00:00 2001 From: shaun smith <1936278+evalstate@users.noreply.github.com> Date: Wed, 17 Sep 2025 17:18:50 +0100 Subject: [PATCH 3/7] Add caution note for CORS origin wildcard usage Added caution note for using '*' in CORS origin. --- src/everything/streamableHttp.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/everything/streamableHttp.ts b/src/everything/streamableHttp.ts index c5e7242e82..ef96bea2a4 100644 --- a/src/everything/streamableHttp.ts +++ b/src/everything/streamableHttp.ts 
@@ -9,7 +9,7 @@ console.error('Starting Streamable HTTP server...'); const app = express(); app.use(cors({ - "origin": "*", + "origin": "*", // use "*" with caution in production "methods": "GET,POST,DELETE", "preflightContinue": false, "optionsSuccessStatus": 204, From bf68938fb9977c15024c0769d2748e677ba22368 Mon Sep 17 00:00:00 2001 From: cliffhall Date: Thu, 18 Sep 2025 16:07:00 -0400 Subject: [PATCH 4/7] * In streamableHttp.ts - remove remove unintentional console log --- src/everything/streamableHttp.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/everything/streamableHttp.ts b/src/everything/streamableHttp.ts index ef96bea2a4..5572497c63 100644 --- a/src/everything/streamableHttp.ts +++ b/src/everything/streamableHttp.ts @@ -27,7 +27,7 @@ app.post('/mcp', async (req: Request, res: Response) => { try { // Check for existing session ID const sessionId = req.headers['mcp-session-id'] as string | undefined; - console.log(`Session id: ${sessionId}`); + let transport: StreamableHTTPServerTransport; if (sessionId && transports.has(sessionId)) { From 215e0e401c2ee70889f66ef002dfb16fb8a004b5 Mon Sep 17 00:00:00 2001 From: cliffhall Date: Thu, 18 Sep 2025 16:14:15 -0400 Subject: [PATCH 5/7] * In streamableHttp.ts - add comment about why opening cors for all routes --- src/everything/sse.ts | 2 +- src/everything/streamableHttp.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/everything/sse.ts b/src/everything/sse.ts index 7f46f6a9af..6338a2c99e 100644 --- a/src/everything/sse.ts +++ b/src/everything/sse.ts @@ -11,7 +11,7 @@ app.use(cors({ "methods": "GET,POST", "preflightContinue": false, "optionsSuccessStatus": 204, - })); // Enable CORS for all routes + })); // Enable CORS for all routes so Inspector can connect const transports: Map = new Map(); app.get("/sse", async (req, res) => { diff --git a/src/everything/streamableHttp.ts b/src/everything/streamableHttp.ts index 5572497c63..c5d0eeea65 100644 
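Review bot: The comment added on the `"origin": "*"` line in PATCH 3/7 tells the reader to be cautious but names neither the hazard nor the alternative, so someone copying this example server has nothing to act on. Wording such as `// "*" lets any web page call this server from the browser; set a specific origin outside local testing` would carry the reason. PATCH 6/7 adds the identical comment to src/everything/sse.ts and would take the same text. The `cors({ … })` call opens inside this hunk and closes past its last line.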
--- a/src/everything/streamableHttp.ts +++ b/src/everything/streamableHttp.ts @@ -18,7 +18,7 @@ app.use(cors({ 'last-event-id', 'mcp-protocol-version' ] -})); // Enable CORS for all routes +})); // Enable CORS for all routes so Inspector can connect const transports: Map = new Map(); From 972bb437642adcc7c8adbb6b8b9a5abd9e3f69c7 Mon Sep 17 00:00:00 2001 From: cliffhall Date: Thu, 18 Sep 2025 16:15:41 -0400 Subject: [PATCH 6/7] * In sse.ts - add comment about using * with caution in production for cors --- src/everything/sse.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/everything/sse.ts b/src/everything/sse.ts index 6338a2c99e..8bcba44060 100644 --- a/src/everything/sse.ts +++ b/src/everything/sse.ts @@ -7,7 +7,7 @@ console.error('Starting SSE server...'); const app = express(); app.use(cors({ - "origin": "*", + "origin": "*", // use "*" with caution in production "methods": "GET,POST", "preflightContinue": false, "optionsSuccessStatus": 204, From 635db365deb8ee9d31455799c9317bf5c46c50cb Mon Sep 17 00:00:00 2001 From: cliffhall Date: Thu, 18 Sep 2025 16:16:48 -0400 Subject: [PATCH 7/7] * In sse.ts - indent on cors config --- src/everything/sse.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/everything/sse.ts b/src/everything/sse.ts index 8bcba44060..f5b984e9b1 100644 --- a/src/everything/sse.ts +++ b/src/everything/sse.ts @@ -7,11 +7,11 @@ console.error('Starting SSE server...'); const app = express(); app.use(cors({ - "origin": "*", // use "*" with caution in production - "methods": "GET,POST", - "preflightContinue": false, - "optionsSuccessStatus": 204, - })); // Enable CORS for all routes so Inspector can connect + "origin": "*", // use "*" with caution in production + "methods": "GET,POST", + "preflightContinue": false, + "optionsSuccessStatus": 204, +})); // Enable CORS for all routes so Inspector can connect const transports: Map = new Map(); app.get("/sse", async (req, res) => {