feat: add the MDN link for CORS with credentials

DaleSeo · DaleSeo · commit 2a0595c1ed05 · 2025-09-23T16:18:17.000-04:00
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -1,75 +1,86 @@
 {
-    "version": "0.2.0",
-    "configurations": [
-        {
-            "type": "node",
-            "request": "launch",
-            "name": "Run apollo-mcp-server [Weather][Streamable HTTP]",
-            "runtimeExecutable": "cargo",
-            "runtimeArgs": [
-                "run",
-                "--bin",
-                "apollo-mcp-server",
-                "--",
-                "graphql/weather/config.yaml",
-            ],
-            "cwd": "${workspaceFolder}",
-            "console": "integratedTerminal",
-            "env": {
-                "RUST_BACKTRACE": "1"
-            }
-        },
-        {
-            "type": "lldb",
-            "request": "launch",
-            "name": "Debug apollo-mcp-server [Weather][Streamable HTTP]",
-            "cargo": {
-                "args": [
-                    "build",
-                    "--bin=apollo-mcp-server",
-                    "--lib"
-                ],
-                "filter": {
-                    "name": "apollo-mcp-server",
-                    "kind": "bin"
-                }
-            },
-            "args": [
-                "graphql/weather/config.yaml",
-            ],
-            "cwd": "${workspaceFolder}",
-            "env": {
-                "RUST_BACKTRACE": "1"
-            }
-        },
-        {
-            "type": "node",
-            "request": "launch",
-            "name": "Run apollo-mcp-server [TheSpaceDevs][Streamable HTTP]",
-            "runtimeExecutable": "cargo",
-            "runtimeArgs": [
-                "run",
-                "--bin",
-                "apollo-mcp-server",
-                "--",
-                "graphql/TheSpaceDevs/config.yaml",
-            ],
-            "cwd": "${workspaceFolder}",
-            "console": "integratedTerminal",
-            "env": {
-                "RUST_BACKTRACE": "1"
-            }
-        },
-        {
-            "type": "node",
-            "request": "launch",
-            "name": "Run mcp-inspector",
-            "runtimeExecutable": "npx",
-            "runtimeArgs": [
-                "@modelcontextprotocol/inspector"
-            ],
-            "cwd": "${workspaceFolder}",
-            "console": "integratedTerminal"
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "Run apollo-mcp-server [Weather][Streamable HTTP]",
+      "runtimeExecutable": "cargo",
+      "runtimeArgs": [
+        "run",
+        "--bin",
+        "apollo-mcp-server",
+        "--",
+        "graphql/weather/config.yaml"
+      ],
+      "cwd": "${workspaceFolder}",
+      "console": "integratedTerminal",
+      "env": {
+        "RUST_BACKTRACE": "1"
+      }
+    },
+    {
+      "type": "lldb",
+      "request": "launch",
+      "name": "Debug apollo-mcp-server [Weather][Streamable HTTP]",
+      "cargo": {
+        "args": ["build", "--bin=apollo-mcp-server", "--lib"],
+        "filter": {
+          "name": "apollo-mcp-server",
+          "kind": "bin"
         }
-    ]
-}
+      },
+      "args": ["graphql/weather/config.yaml"],
+      "cwd": "${workspaceFolder}",
+      "env": {
+        "RUST_BACKTRACE": "1",
+        "APOLLO_MCP_LOGGING__LEVEL": "debug"
+      }
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "Run apollo-mcp-server [TheSpaceDevs][Streamable HTTP]",
+      "runtimeExecutable": "cargo",
+      "runtimeArgs": [
+        "run",
+        "--bin",
+        "apollo-mcp-server",
+        "--",
+        "graphql/TheSpaceDevs/config.yaml"
+      ],
+      "cwd": "${workspaceFolder}",
+      "console": "integratedTerminal",
+      "env": {
+        "RUST_BACKTRACE": "1"
+      }
+    },
+    {
+      "type": "lldb",
+      "request": "launch",
+      "name": "Debug apollo-mcp-server [TheSpaceDevs][Streamable HTTP]",
+      "cargo": {
+        "args": ["build", "--bin=apollo-mcp-server", "--lib"],
+        "filter": {
+          "name": "apollo-mcp-server",
+          "kind": "bin"
+        }
+      },
+      "args": ["graphql/TheSpaceDevs/config.yaml"],
+      "cwd": "${workspaceFolder}",
+      "env": {
+        "RUST_BACKTRACE": "1",
+        "APOLLO_MCP_LOGGING__LEVEL": "debug"
+      }
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "Run mcp-inspector",
+      "runtimeExecutable": "npx",
+      "runtimeArgs": ["@modelcontextprotocol/inspector"],
+      "cwd": "${workspaceFolder}",
+      "console": "integratedTerminal"
+    }
+  ]
+}
diff --git a/crates/apollo-mcp-server/src/cors.rs b/crates/apollo-mcp-server/src/cors.rs
@@ -181,7 +181,7 @@ impl CorsConfig {
         // Cannot use credentials with any origin
         if self.allow_credentials && self.allow_any_origin {
             return Err(ServerError::Cors(
-                "Cannot use allow_credentials with allow_any_origin for security reasons"
+                "Cannot use allow_credentials with allow_any_origin for security reasons. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#requests_with_credentials"
                     .to_string(),
             ));
         }
diff --git a/docs/source/cors.mdx b/docs/source/cors.mdx
@@ -2,7 +2,7 @@
 title: Configuring CORS
 ---
 
-# Configuring CORS
+## Configuring CORS
 
 Control browser access to your MCP server
 
@@ -58,7 +58,7 @@ cors:
 
 If your MCP server serves exclusively _non_-browser-based clients, you probably don't need to enable CORS configuration.
 
-## Passing credentials
+### Passing credentials
 
 If your MCP server requires requests to include a user's credentials (e.g., via cookies), you need to modify your CORS configuration to tell the browser those credentials are allowed.
 
@@ -76,7 +76,7 @@ cors:
 
 **To support credentialed requests, your server's config file must specify individual `origins` or `match_origins`**. If your server enables `allow_any_origin`, your browser will refuse to send credentials.
 
-## All `cors` options
+### All `cors` options
 
 The following snippet shows all CORS configuration defaults for Apollo MCP Server:
 
@@ -134,11 +134,11 @@ cors:
   max_age: 7200 # 2 hours
 ```
 
-## Origin matching
+### Origin matching
 
 Apollo MCP Server supports two types of origin matching:
 
-### Exact origins
+#### Exact origins
 
 Use the `origins` array for exact origin matches:
 
@@ -150,7 +150,7 @@ cors:
     - https://myapp.example.com
 ```
 
-### Pattern matching
+#### Pattern matching
 
 Use the `match_origins` array for regex pattern matching:
 
@@ -163,9 +163,9 @@ cors:
     - "^https://.*\\.example\\.com$" # Any subdomain of example.com
 ```
 
-## Common configurations
+### Common configurations
 
-### Development setup
+#### Development setup
 
 For local development with hot reloading and various ports:
 
@@ -177,7 +177,7 @@ cors:
   allow_credentials: true
 ```
 
-### Production setup
+#### Production setup
 
 For production with specific known origins:
 
@@ -190,7 +190,7 @@ cors:
   max_age: 86400 # 24 hours
 ```
 
-### Public API setup
+#### Public API setup
 
 For public APIs that don't require credentials:
 
@@ -201,7 +201,7 @@ cors:
   allow_credentials: false # Cannot use credentials with any origin
 ```
 
-## Browser integration example
+### Browser integration example
 
 Here's a simple example of connecting to Apollo MCP Server from a browser:
 

Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,7 @@ impl CorsConfig {`
`181`	`181`	`// Cannot use credentials with any origin`
`182`	`182`	`if self.allow_credentials && self.allow_any_origin {`
`183`	`183`	`return Err(ServerError::Cors(`
`184`		`- "Cannot use allow_credentials with allow_any_origin for security reasons"`
	`184`	`+ "Cannot use allow_credentials with allow_any_origin for security reasons. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#requests_with_credentials"`
`185`	`185`	`.to_string(),`
`186`	`186`	`));`
`187`	`187`	`}`