Fix CORS middleware implementation to wrap entire application

felixweinberger · felixweinberger · commit 992df5972d13 · 2025-08-21T14:04:22.000+01:00
- Change from add_middleware() to CORSMiddleware wrapper pattern
- Ensures 500 errors get proper CORS headers for browser clients
- Update both streamable HTTP example servers
- Fix README documentation to show complete example

Reported-by: Jerome
diff --git a/README.md b/README.md
@@ -718,11 +718,15 @@ The streamable HTTP transport supports:
 If you'd like your server to be accessible by browser-based MCP clients, you'll need to configure CORS headers. The `Mcp-Session-Id` header must be exposed for browser clients to access it:
 
 ```python
+from starlette.applications import Starlette
 from starlette.middleware.cors import CORSMiddleware
 
-# Add CORS middleware to your Starlette app
-app = CORSMiddleware(
-    app,
+# Create your Starlette app first
+starlette_app = Starlette(routes=[...])
+
+# Then wrap it with CORS middleware
+starlette_app = CORSMiddleware(
+    starlette_app,
     allow_origins=["*"],  # Configure appropriately for production
     allow_methods=["GET", "POST", "DELETE"],  # MCP streamable HTTP methods
     expose_headers=["Mcp-Session-Id"],
diff --git a/examples/servers/simple-streamablehttp-stateless/mcp_simple_streamablehttp_stateless/server.py b/examples/servers/simple-streamablehttp-stateless/mcp_simple_streamablehttp_stateless/server.py
@@ -133,9 +133,10 @@ async def lifespan(app: Starlette) -> AsyncIterator[None]:
         lifespan=lifespan,
     )
     
-    # Add CORS middleware to expose Mcp-Session-Id header for browser-based clients
-    starlette_app.add_middleware(
-        CORSMiddleware,
+    # Wrap ASGI application with CORS middleware to expose Mcp-Session-Id header
+    # for browser-based clients (ensures 500 errors get proper CORS headers)
+    starlette_app = CORSMiddleware(
+        starlette_app,
         allow_origins=["*"],  # Allow all origins - adjust as needed for production
         allow_methods=["GET", "POST", "DELETE"],  # MCP streamable HTTP methods
         expose_headers=["Mcp-Session-Id"],
diff --git a/examples/servers/simple-streamablehttp/mcp_simple_streamablehttp/server.py b/examples/servers/simple-streamablehttp/mcp_simple_streamablehttp/server.py
@@ -161,9 +161,10 @@ async def lifespan(app: Starlette) -> AsyncIterator[None]:
         lifespan=lifespan,
     )
     
-    # Add CORS middleware to expose Mcp-Session-Id header for browser-based clients
-    starlette_app.add_middleware(
-        CORSMiddleware,
+    # Wrap ASGI application with CORS middleware to expose Mcp-Session-Id header
+    # for browser-based clients (ensures 500 errors get proper CORS headers)
+    starlette_app = CORSMiddleware(
+        starlette_app,
         allow_origins=["*"],  # Allow all origins - adjust as needed for production
         allow_methods=["GET", "POST", "DELETE"],  # MCP streamable HTTP methods
         expose_headers=["Mcp-Session-Id"],
