@TheodorNEngoy

The Everything server's HTTP transports currently:

  • Bind to all interfaces by default (app.listen(PORT))
  • Use wildcard CORS (origin: "*") for Inspector direct connect

This is a common local-dev footgun when running an MCP server that exposes powerful tools: any LAN host can connect, and any website can issue browser requests.

Changes:

  • Bind SSE + Streamable HTTP transports to 127.0.0.1 by default (override with HOST=0.0.0.0 when intentionally exposing)
  • Replace wildcard CORS with a loopback-only allowlist by default (localhost/127.0.0.1/[::1])
  • Add MCP_CORS_ORIGIN_REGEX to intentionally widen the browser allowlist
  • Document the overrides in src/everything/README.md

No changes to the stdio transport.
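An added sketch of the two defaults listed above, written for this page and not taken from the PR or the Everything server's source. `HOST` and `MCP_CORS_ORIGIN_REGEX` are the variable names from the description; the function names and sample origins are assumptions.

```javascript
// Added illustration, not code from the PR. HOST and MCP_CORS_ORIGIN_REGEX are
// the names given in the description; function names here are hypothetical.
const LOOPBACK_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Interface to pass to app.listen(): loopback unless HOST is set explicitly.
function resolveBindHost(env) {
  const host = (env.HOST || "").trim();
  return host === "" ? "127.0.0.1" : host;
}

// Returns the value to send in Access-Control-Allow-Origin, or null to send
// no CORS header (the browser then refuses the cross-origin read).
function corsAllowOrigin(origin, env) {
  if (typeof origin !== "string" || origin === "") return null;

  // Explicit opt-in: the operator's pattern is tested against the raw Origin.
  // An invalid pattern throws here rather than silently widening access.
  if (env.MCP_CORS_ORIGIN_REGEX &&
      new RegExp(env.MCP_CORS_ORIGIN_REGEX).test(origin)) {
    return origin;
  }

  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // "null" (sandboxed iframe, file://) or malformed input
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Compare the parsed hostname exactly; a prefix or substring match would
  // accept names such as localhost.evil.example.
  return LOOPBACK_HOSTNAMES.has(url.hostname) ? origin : null;
}

// Constructed sample origins (ports and domains are made up for the example).
const SAMPLE_ORIGINS = [
  "http://localhost:3000",
  "http://[::1]:3000",
  "http://localhost.evil.example",
  "http://localhost:3000@evil.example",
  "null",
];

function classifySamples(env) {
  return SAMPLE_ORIGINS.map((o) => [o, corsAllowOrigin(o, env) !== null]);
}
```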

@TheodorNEngoy
Author

Context: this change also removes the current high-severity baseline entries in #3295 (MCP Safety Scan CI), so once/if this merges we can shrink the baseline accordingly.

@lucamorettibuilds

Excellent security hardening! This is exactly the kind of "secure by default" configuration that should be the norm across the MCP ecosystem.

A few thoughts on this PR:

  1. Loopback binding is crucial - binding to 0.0.0.0 exposes MCP servers to every device on the network. For servers with filesystem access or powerful tools, this is a serious vulnerability.

  2. CORS wildcard is a footgun - any malicious website can craft requests to a local MCP server. The allowlist approach is much safer.

  3. Environment variable overrides - great balance between security and flexibility. Advanced users who need broader access can opt in explicitly.

This pattern should be adopted by other MCP servers that expose HTTP transports. Have you considered:

  • Adding a warning log when HOST=0.0.0.0 is set, reminding users of the security implications?
  • Documenting this pattern in the MCP security best practices?

For developers who need to manage secrets in MCP servers (API keys, tokens, etc.), I'd also recommend checking out Janee - it provides centralized secrets management for MCP servers with RBAC and audit logging. Pairs well with these network-level security improvements.

Great work on making the ecosystem more secure!
