chore: warn about insecure httpHost usage

Author: blva

src/common/logger.ts

@@ -56,6 +56,7 @@ export const LogId = {
     streamableHttpTransportCloseFailure: mongoLogId(1_006_006),
     streamableHttpTransportKeepAliveFailure: mongoLogId(1_006_007),
     streamableHttpTransportKeepAlive: mongoLogId(1_006_008),
+    streamableHttpTransportHttpHostWarning: mongoLogId(1_006_009),
 
     exportCleanupError: mongoLogId(1_007_001),
     exportCreationError: mongoLogId(1_007_002),

src/transports/streamableHttp.ts

@@ -205,6 +205,17 @@ export class StreamableHttpRunner extends TransportRunnerBase {
             message: `Server started on ${this.serverAddress}`,
             noRedaction: true,
         });
+
+        if (this.userConfig.httpHost === "0.0.0.0") {
+            this.logger.warning({
+                id: LogId.streamableHttpTransportHttpHostWarning,
+                context: "streamableHttpTransport",
+                message: `Binding to \`0.0.0.0\` exposes the MCP Server to the entire local
+   network, which allows other devices on the same network to
+   potentially access the MCP Server. This is a security risk and could
+   allow unauthorized access to your database context. `,
+            });
+        }
     }
 
     async closeTransport(): Promise<void> {