Skip to content

[Server] Missing Mcp-Protocol-Version to access control #110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 20, 2025
Merged

[Server] Missing Mcp-Protocol-Version to access control #110

merged 1 commit into from
Oct 20, 2025

Conversation

@soyuka
Copy link
Contributor

@soyuka soyuka commented Oct 17, 2025

No description provided.

soyuka
soyuka commented Oct 17, 2025
View reviewed changes
src/Server/Transport/StreamableHttpTransport.php
'Access-Control-Allow-Methods' => 'GET, POST, DELETE, OPTIONS',
'Access-Control-Allow-Headers' => 'Content-Type, Mcp-Session-Id, Last-Event-ID, Authorization, Accept',
'Access-Control-Allow-Headers' => 'Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, Authorization, Accept',
];
Copy link
Contributor Author

@soyuka soyuka Oct 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible to leave security features to the actual HTTP Proxy server that's running PHP (ie ngin/php/symfony)? Indeed this is hiding security settings and we've no ways of changing it.

Copy link
Member

@chr-hertel chr-hertel Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that this is quite opinionated - at least we should have some config to shut it off or overwrite the actual values

chr-hertel
chr-hertel approved these changes Oct 20, 2025
View reviewed changes
Copy link
Member

@chr-hertel chr-hertel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @soyuka!

src/Server/Transport/StreamableHttpTransport.php
'Access-Control-Allow-Methods' => 'GET, POST, DELETE, OPTIONS',
'Access-Control-Allow-Headers' => 'Content-Type, Mcp-Session-Id, Last-Event-ID, Authorization, Accept',
'Access-Control-Allow-Headers' => 'Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, Authorization, Accept',
];
Copy link
Member

@chr-hertel chr-hertel Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that this is quite opinionated - at least we should have some config to shut it off or overwrite the actual values

@chr-hertel chr-hertel merged commit 6100ffc into modelcontextprotocol:main Oct 20, 2025
10 checks passed
@chr-hertel chr-hertel changed the title Missing Mcp-Protocol-Version to access control [Server] Missing Mcp-Protocol-Version to access control Oct 20, 2025
@chr-hertel chr-hertel added the Server Issues & PRs related to the Server component label Oct 20, 2025
@chr-hertel chr-hertel mentioned this pull request Oct 20, 2025
Closed
bigdevlarry pushed a commit to bigdevlarry/php-sdk that referenced this pull request Nov 10, 2025
@soyuka @bigdevlarry
Missing Mcp-Protocol-Version to access control (modelcontextprotocol#110
8f825f3 
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chr-hertel chr-hertel chr-hertel approved these changes

@Nyholm Nyholm Awaiting requested review from Nyholm Nyholm is a code owner

@CodeWithKyrian CodeWithKyrian Awaiting requested review from CodeWithKyrian CodeWithKyrian is a code owner

Assignees

No one assigned

Labels

Server Issues & PRs related to the Server component

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@soyuka @chr-hertel