docs: add CORS configuration documentation for HTTP transport

CodeWithKyrian · CodeWithKyrian · commit edbc2b1fa545 · 2025-10-26T23:49:20.000+01:00
diff --git a/docs/transports.md b/docs/transports.md
@@ -110,6 +110,7 @@ $transport = new StreamableHttpTransport(
 - **`request`** (required): `ServerRequestInterface` - The incoming PSR-7 HTTP request
 - **`responseFactory`** (optional): `ResponseFactoryInterface` - PSR-17 factory for creating HTTP responses. Auto-discovered if not provided.
 - **`streamFactory`** (optional): `StreamFactoryInterface` - PSR-17 factory for creating response body streams. Auto-discovered if not provided.
+- **`corsHeaders`** (optional): `array` - Custom CORS headers to override defaults. Merges with secure defaults. Defaults to `[]`.
 - **`logger`** (optional): `LoggerInterface` - PSR-3 logger for debugging. Defaults to `NullLogger`.
 
 ### PSR-17 Auto-Discovery
@@ -136,6 +137,48 @@ $psr17Factory = new Psr17Factory();
 $transport = new StreamableHttpTransport($request, $psr17Factory, $psr17Factory);
 ```
 
+### CORS Configuration
+
+The transport sets secure CORS defaults that can be customized or disabled:
+
+```php
+// Default CORS headers (backward compatible)
+$transport = new StreamableHttpTransport($request, $responseFactory, $streamFactory);
+
+// Restrict to specific origin
+$transport = new StreamableHttpTransport(
+    $request,
+    $responseFactory,
+    $streamFactory,
+    ['Access-Control-Allow-Origin' => 'https://myapp.com']
+);
+
+// Disable CORS for proxy scenarios
+$transport = new StreamableHttpTransport(
+    $request,
+    $responseFactory,
+    $streamFactory,
+    ['Access-Control-Allow-Origin' => '']
+);
+
+// Custom headers with logger
+$transport = new StreamableHttpTransport(
+    $request,
+    $responseFactory,
+    $streamFactory,
+    [
+        'Access-Control-Allow-Origin' => 'https://api.example.com',
+        'Access-Control-Max-Age' => '86400'
+    ],
+    $logger
+);
+```
+
+Default CORS headers:
+- `Access-Control-Allow-Origin: *`
+- `Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS`
+- `Access-Control-Allow-Headers: Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, Authorization, Accept`
+
 ### Architecture
 
 The HTTP transport doesn't run its own web server. Instead, it processes PSR-7 requests and returns PSR-7 responses that
