Merge pull request modelcontextprotocol#289 from modelcontextprotocol/justin/dns-rebinding

jspahrsummers · web-flow · commit c5fd208debfd · 2025-04-08T15:37:59.000+01:00
Warn about DNS rebinding attacks
diff --git a/docs/docs/concepts/transports.mdx b/docs/docs/concepts/transports.mdx
@@ -123,6 +123,16 @@ Use SSE when:
 - Working with restricted networks
 - Implementing simple updates
 
+#### Security Warning: DNS Rebinding Attacks
+
+SSE transports can be vulnerable to DNS rebinding attacks if not properly secured. To prevent this:
+
+1. **Always validate Origin headers** on incoming SSE connections to ensure they come from expected sources
+2. **Avoid binding servers to all network interfaces** (0.0.0.0) when running locally - bind only to localhost (127.0.0.1) instead
+3. **Implement proper authentication** for all SSE connections
+
+Without these protections, attackers could use DNS rebinding to interact with local MCP servers from remote websites.
+
 <Tabs>
   <Tab title="TypeScript (Server)">
     ```typescript
@@ -381,6 +391,8 @@ When implementing transport:
 - Handle denial of service scenarios
 - Monitor for unusual patterns
 - Implement proper firewall rules
+- For SSE transports, validate Origin headers to prevent DNS rebinding attacks
+- For local SSE servers, bind only to localhost (127.0.0.1) instead of all interfaces (0.0.0.0)
 
 ## Debugging Transport
 
diff --git a/docs/specification/2024-11-05/basic/transports.mdx b/docs/specification/2024-11-05/basic/transports.mdx
@@ -50,6 +50,16 @@ sequenceDiagram
 In the **SSE** transport, the server operates as an independent process that can handle
 multiple client connections.
 
+#### Security Warning
+
+When implementing HTTP with SSE transport:
+
+1. Servers **MUST** validate the `Origin` header on all incoming connections to prevent DNS rebinding attacks
+2. When running locally, servers **SHOULD** bind only to localhost (127.0.0.1) rather than all network interfaces (0.0.0.0)
+3. Servers **SHOULD** implement proper authentication for all connections
+
+Without these protections, attackers could use DNS rebinding to interact with local MCP servers from remote websites.
+
 The server **MUST** provide two endpoints:
 
 1. An SSE endpoint, for clients to establish a connection and receive messages from the
diff --git a/docs/specification/2025-03-26/basic/transports.mdx b/docs/specification/2025-03-26/basic/transports.mdx
@@ -67,6 +67,16 @@ The server **MUST** provide a single HTTP endpoint path (hereafter referred to a
 **MCP endpoint**) that supports both POST and GET methods. For example, this could be a
 URL like `https://example.com/mcp`.
 
+#### Security Warning
+
+When implementing Streamable HTTP transport:
+
+1. Servers **MUST** validate the `Origin` header on all incoming connections to prevent DNS rebinding attacks
+2. When running locally, servers **SHOULD** bind only to localhost (127.0.0.1) rather than all network interfaces (0.0.0.0)
+3. Servers **SHOULD** implement proper authentication for all connections
+
+Without these protections, attackers could use DNS rebinding to interact with local MCP servers from remote websites.
+
 ### Sending Messages to the Server
 
 Every JSON-RPC message sent from the client **MUST** be a new HTTP POST request to the
