missing origin header in requests

[symdeb]

Describe the bug
no origin header in request

To Reproduce
Send connect request using inspector

Expected behavior
an origin header in the request

Logs

Request Received at 2025-06-30T04:53:43+00:00

method:POST
headers:
host:localhost
connection:keep-alive
accept:application/json, text/event-stream
authorization:Bearer 123456
content-type:application/json
accept-language:*
sec-fetch-mode:cors
user-agent:node
accept-encoding:gzip, deflate
content-length:205
URL: /api/mcp/mcp
Query:
Query Parameters:
contents:

Additional context
MCP spec: Servers MUST validate the Origin header on all incoming connections to prevent DNS rebinding attacks
Linux Apache PHP server

[jexp]

I have something similar when trying to run MCP inspector on codespaces.

There you need to foward both ports (proxy and webapp).

MCP_PROXY_FULL_ADDRESS=https://legendary-tribble-jj5xgvp6vf97p-8000.app.gith
ub.dev/ DANGEROUSLY_OMIT_AUTH=true CLIENT_PORT=8080 SERVER_PORT=8000 npx @modelcontextprotocol/inspector uv run --directory /workspaces/adk-mcp-test/letter-counter-mcp server.py

• 8000 is the proxy address
• 8080 is the webapp
• both are forwarded by codespaces

But it still fails with an CORS preflight issue (see screenshot)

[kbumsik]

Guys I found the solution. Use ALLOWED_ORIGINS env: https://github.com/modelcontextprotocol/inspector?tab=readme-ov-file#dns-rebinding-protection

[andrewdmontgomery]

I'm seeing this, too. I have an MCP Server implemented in the TypeScript SDK. When I create the transport, I use code much like this official example:

const transport = new StreamableHTTPServerTransport({
  sessionIdGenerator: () => randomUUID(),
  enableDnsRebindingProtection: true,

  allowedHosts: ['127.0.0.1', ...],
  allowedOrigins: ['https://yourdomain.com', 'https://www.yourdomain.com']
});

If I set enableDnsRebindingProtection: true, and then use MCP Inspector to connect to a local running instance via Streamable HTTP, I get this error in the MCP Inspector terminal session:

Error from MCP server: Error: Error POSTing to endpoint (HTTP 403): {"jsonrpc":"2.0","error":{"code":-32000,"message":"Invalid Origin header: undefined"},"id":null}
    at StreamableHTTPClientTransport.send (file:///Users/johnappleseed/.npm/_npx/9eac9498388ae25e/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js:284:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)

Specifically (formatted):

{
    "jsonrpc": "2.0",
    "error": {
        "code": -32000,
        "message": "Invalid Origin header: undefined"
    },
    "id": null
}

This prevents me from enabling DNS Rebinding Protection when using MCP Inspector during development.

[andrewdmontgomery]

I think this might be related to #342

[JonathanHope]

I'm seeing this as well. I wrote an MCP server from TCP to learn the standard. I added origin verification because the spec calls for it: https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#security-warning. However I have that code commented out because the inspector doesn't seem to provide that header.

[sinedied]

The workaround for GH Codespaces or VS Code dev container is quite messy:

• You have to make the 6277 port public in the "ports" tab
• You have manually set the ALLOWED_ORIGINS to the GH port forwarding address
• You have to manually set the proxy adress
• You have to either use the omit auth flag or manually set the proxy session token

Any chance we could have a DANGEROUSLY_BYPASS_SECURITY=true flag to make it easier to test our local MCP servers?