Clarify HTTP 403 status for invalid Origin headers (modelcontextprotocol#1439)

* Clarify HTTP 403 status for invalid Origin headers

Add explicit guidance that servers MUST respond with HTTP 403 Forbidden
when the Origin header is present but invalid. This addresses part of
issue modelcontextprotocol#1398 regarding inconsistent error responses across SDKs.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Apply Prettier formatting

* Add changelog entry

---------

Co-authored-by: Claude <[email protected]>

Author: pja-ant

docs/specification/draft/basic/transports.mdx

@@ -76,6 +76,8 @@ URL like `https://example.com/mcp`.
 When implementing Streamable HTTP transport:
 
 1. Servers **MUST** validate the `Origin` header on all incoming connections to prevent DNS rebinding attacks
+   - If the `Origin` header is present and invalid, servers **MUST** respond with HTTP 403 Forbidden. The HTTP response
+     body **MAY** comprise a JSON-RPC _error response_ that has no `id`
 2. When running locally, servers **SHOULD** bind only to localhost (127.0.0.1) rather than all network interfaces (0.0.0.0)
 3. Servers **SHOULD** implement proper authentication for all connections
 

docs/specification/draft/changelog.mdx

@@ -12,6 +12,10 @@ the previous revision, [2025-06-18](/specification/2025-06-18).
 1. Enhance authorization server discovery with support for [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html). (PR [#797](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/797))
 2. Allow servers to expose icons as additional metadata for tools, resources and prompts ([SEP-973](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/973)).
 
+## Minor changes
+
+1. Clarify that servers must respond with HTTP 403 Forbidden for invalid Origin headers in Streamable HTTP transport. (PR [#1439](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/1439))
+
 ## Other schema changes
 
 ## Full changelog