chore: warn about insecure httpHost usage - MCP-184 (#541)

Author: blva

src/common/logger.ts

@@ -56,6 +56,7 @@ export const LogId = {
     streamableHttpTransportCloseFailure: mongoLogId(1_006_006),
     streamableHttpTransportKeepAliveFailure: mongoLogId(1_006_007),
     streamableHttpTransportKeepAlive: mongoLogId(1_006_008),
+    streamableHttpTransportHttpHostWarning: mongoLogId(1_006_009),
 
     exportCleanupError: mongoLogId(1_007_001),
     exportCreationError: mongoLogId(1_007_002),

src/transports/streamableHttp.ts

@@ -205,6 +205,15 @@ export class StreamableHttpRunner extends TransportRunnerBase {
             message: `Server started on ${this.serverAddress}`,
             noRedaction: true,
         });
+
+        if (this.shouldWarnAboutHttpHost(this.userConfig.httpHost)) {
+            this.logger.warning({
+                id: LogId.streamableHttpTransportHttpHostWarning,
+                context: "streamableHttpTransport",
+                message: `Binding to ${this.userConfig.httpHost} can expose the MCP Server to the entire local network, which allows other devices on the same network to potentially access the MCP Server. This is a security risk and could allow unauthorized access to your database context.`,
+                noRedaction: true,
+            });
+        }
     }
 
     async closeTransport(): Promise<void> {
@@ -243,4 +252,10 @@ export class StreamableHttpRunner extends TransportRunnerBase {
             });
         };
     }
+
+    private shouldWarnAboutHttpHost(httpHost: string): boolean {
+        const host = httpHost.trim();
+        const safeHosts = new Set(["127.0.0.1", "localhost", "::1"]);
+        return host === "0.0.0.0" || host === "::" || (!safeHosts.has(host) && host !== "");
+    }
 }