cypher - add middleware (#165)

* add CORS middleware, update HTTP transport tests, update config parsing, update readme, update changelog

* formatting

* change dockerfile default back to stdio

* allow_methods = POST, GET

* update manifest.json change default host to 127.0.0.1 from 0.0.0.0

* host validation middleware, update sse run with middleware, update readme and other conf files

* update changelog, dockerfile, docker-compose

tested with claude desktop with remote proxy

* replace all address examples with `example.com`

* fix utils unit tests

Author: a-s-g93

servers/mcp-neo4j-cypher/CHANGELOG.md

@@ -7,6 +7,9 @@
 
 ### Added
 * Added Cypher result sanitation function from Neo4j GraphRAG that removes embedding values from the result
+* Add env variable `NEO4J_MCP_SERVER_ALLOW_ORIGINS` and cli variable `--allow-origins` to configure CORS Middleware for remote deployments
+* Add env variable `NEO4J_MCP_SERVER_ALLOWED_HOSTS` and cli variable `--allowed-hosts` to configure Trusted Hosts Middleware for remote deployments
+* Update HTTP and SSE transports to use security middleware
 * Added `read_neo4j_cypher` query timeout configuration via `--read-timeout` CLI parameter and `NEO4J_READ_TIMEOUT` environment variable (defaults to 30 seconds)
 * Add response token limit for read Cypher responses
 

servers/mcp-neo4j-cypher/Dockerfile

@@ -26,10 +26,12 @@ ENV NEO4J_USERNAME="neo4j"
 ENV NEO4J_PASSWORD="password"
 ENV NEO4J_DATABASE="neo4j"
 ENV NEO4J_NAMESPACE=""
-ENV NEO4J_TRANSPORT="stdio"
+ENV NEO4J_TRANSPORT="http"
 ENV NEO4J_MCP_SERVER_HOST="0.0.0.0"
 ENV NEO4J_MCP_SERVER_PORT="8000"
 ENV NEO4J_MCP_SERVER_PATH="/api/mcp/"
+ENV NEO4J_MCP_SERVER_ALLOW_ORIGINS=""
+ENV NEO4J_MCP_SERVER_ALLOWED_HOSTS="localhost,127.0.0.1"
 
 EXPOSE 8000
 

servers/mcp-neo4j-cypher/Makefile

@@ -8,7 +8,7 @@ test-integration:
 	uv run pytest tests/integration/ -v
 
 test-http:
-	uv run pytest tests/integration/test_http_transport.py -v
+	uv run pytest tests/integration/test_http_transport_IT.py -v
 
 test-all:
 	uv run pytest tests/ -v

servers/mcp-neo4j-cypher/README.md

@@ -138,6 +138,61 @@ Choose your transport based on use case:
 - **Remote deployment**: Use `http`
 - **Legacy web clients**: Use `sse`
 
+## 🔒 Security Protection
+
+The server includes comprehensive security protection with **secure defaults** that protect against common web-based attacks while preserving full MCP functionality when using HTTP transport.
+
+### 🛡️ DNS Rebinding Protection
+
+**TrustedHost Middleware** validates Host headers to prevent DNS rebinding attacks:
+
+**Secure by Default:**
+- Only `localhost` and `127.0.0.1` hosts are allowed by default
+- Malicious websites cannot trick browsers into accessing your local server
+
+**Environment Variable:**
+```bash
+export NEO4J_MCP_SERVER_ALLOWED_HOSTS="example.com,www.example.com"
+```
+
+### 🌐 CORS Protection
+
+**Cross-Origin Resource Sharing (CORS)** protection blocks browser-based requests by default:
+
+**Environment Variable:**
+```bash
+export NEO4J_MCP_SERVER_ALLOW_ORIGINS="https://example.com,https://example.com"
+```
+
+### 🔧 Complete Security Configuration
+
+**Development Setup:**
+```bash
+mcp-neo4j-cypher --transport http \
+  --allowed-hosts "localhost,127.0.0.1" \
+  --allow-origins "http://localhost:3000"
+```
+
+**Production Setup:**
+```bash
+mcp-neo4j-cypher --transport http \
+  --allowed-hosts "example.com,www.example.com" \
+  --allow-origins "https://example.com,https://example.com"
+```
+
+
+### 🚨 Security Best Practices
+
+**For `allow_origins`:**
+- Be specific: `["https://example.com", "https://example.com"]`
+- Never use `"*"` in production with credentials
+- Use HTTPS origins in production
+
+**For `allowed_hosts`:**
+- Include your actual domain: `["example.com", "www.example.com"]`
+- Include localhost only for development
+- Never use `"*"` unless you understand the risks
+
 ## 🔧 Usage with Claude Desktop
 
 ### Using DXT
@@ -148,7 +203,7 @@ Download the latest `.dxt` file from the [releases page](https://github.com/neo4
 
 Can be found on PyPi https://pypi.org/project/mcp-neo4j-cypher/
 
-Add the server to your `claude_desktop_config.json` with the database connection configuration through environment variables. You may also specify the transport method and namespace with cli arguments or environment variables.
+Add the server to your `claude_desktop_config.json` with the database connection configuration through environment variables. You may also specify the transport method, namespace and other config variables with cli arguments or environment variables.
 
 ```json
 {
@@ -169,17 +224,24 @@ Add the server to your `claude_desktop_config.json` with the database connection
 
 ### 🌐 HTTP Transport Configuration
 
-For custom HTTP configurations beyond the defaults:
+For custom HTTP configurations with security middleware:
 
 ```bash
-# Custom HTTP configuration
-mcp-neo4j-cypher --transport http --server-host 127.0.0.1 --server-port 8080 --server-path /api/mcp/
-
-# Or using environment variables
+# Complete HTTP configuration with security
+mcp-neo4j-cypher --transport http \
+  --server-host 127.0.0.1 \
+  --server-port 8080 \
+  --server-path /api/mcp/ \
+  --allowed-hosts "localhost,127.0.0.1,example.com" \
+  --allow-origins "https://yourapp.com"
+
+# Using environment variables
 export NEO4J_TRANSPORT=http
 export NEO4J_MCP_SERVER_HOST=127.0.0.1
 export NEO4J_MCP_SERVER_PORT=8080
 export NEO4J_MCP_SERVER_PATH=/api/mcp/
+export NEO4J_MCP_SERVER_ALLOWED_HOSTS="localhost,127.0.0.1,example.com"
+export NEO4J_MCP_SERVER_ALLOW_ORIGINS="https://yourapp.com"
 mcp-neo4j-cypher
 ```
 
@@ -310,23 +372,39 @@ docker run --rm -p 8000:8000 \
   -e NEO4J_MCP_SERVER_PORT="8000" \
   -e NEO4J_MCP_SERVER_PATH="/mcp/" \
   mcp/neo4j-cypher:latest
+
+# Run with security middleware for production
+docker run --rm -p 8000:8000 \
+  -e NEO4J_URI="bolt://host.docker.internal:7687" \
+  -e NEO4J_USERNAME="neo4j" \
+  -e NEO4J_PASSWORD="password" \
+  -e NEO4J_DATABASE="neo4j" \
+  -e NEO4J_TRANSPORT="http" \
+  -e NEO4J_MCP_SERVER_HOST="0.0.0.0" \
+  -e NEO4J_MCP_SERVER_PORT="8000" \
+  -e NEO4J_MCP_SERVER_PATH="/mcp/" \
+  -e NEO4J_MCP_SERVER_ALLOWED_HOSTS="example.com,www.example.com" \
+  -e NEO4J_MCP_SERVER_ALLOW_ORIGINS="https://example.com" \
+  mcp/neo4j-cypher:latest
 ```
 
 ### 🔧 Environment Variables
 
-| Variable                      | Default                                 | Description                                    |
-| ----------------------------- | --------------------------------------- | ---------------------------------------------- |
-| `NEO4J_URI`                   | `bolt://localhost:7687`                 | Neo4j connection URI                           |
-| `NEO4J_USERNAME`              | `neo4j`                                 | Neo4j username                                 |
-| `NEO4J_PASSWORD`              | `password`                              | Neo4j password                                 |
-| `NEO4J_DATABASE`              | `neo4j`                                 | Neo4j database name                            |
-| `NEO4J_TRANSPORT`             | `stdio` (local), `http` (remote)        | Transport protocol (`stdio`, `http`, or `sse`) |
-| `NEO4J_NAMESPACE`             | _(empty)_                               | Tool namespace prefix                          |
-| `NEO4J_MCP_SERVER_HOST`       | `127.0.0.1` (local)                     | Host to bind to                                |
-| `NEO4J_MCP_SERVER_PORT`       | `8000`                                  | Port for HTTP/SSE transport                    |
-| `NEO4J_MCP_SERVER_PATH`       | `/api/mcp/`                             | Path for accessing MCP server                  |
-| `NEO4J_RESPONSE_TOKEN_LIMIT`  | _(none)_                                | Maximum tokens for read query responses        |
-| `NEO4J_READ_TIMEOUT`          | `30`                                    | Timeout in seconds for read queries            |
+| Variable                           | Default                                 | Description                                        |
+| ---------------------------------- | --------------------------------------- | -------------------------------------------------- |
+| `NEO4J_URI`                        | `bolt://localhost:7687`                 | Neo4j connection URI                               |
+| `NEO4J_USERNAME`                   | `neo4j`                                 | Neo4j username                                     |
+| `NEO4J_PASSWORD`                   | `password`                              | Neo4j password                                     |
+| `NEO4J_DATABASE`                   | `neo4j`                                 | Neo4j database name                                |
+| `NEO4J_TRANSPORT`                  | `stdio` (local), `http` (remote)        | Transport protocol (`stdio`, `http`, or `sse`)     |
+| `NEO4J_NAMESPACE`                  | _(empty)_                               | Tool namespace prefix                              |
+| `NEO4J_MCP_SERVER_HOST`            | `127.0.0.1` (local)                     | Host to bind to                                    |
+| `NEO4J_MCP_SERVER_PORT`            | `8000`                                  | Port for HTTP/SSE transport                        |
+| `NEO4J_MCP_SERVER_PATH`            | `/api/mcp/`                             | Path for accessing MCP server                      |
+| `NEO4J_MCP_SERVER_ALLOW_ORIGINS`   | _(empty - secure by default)_           | Comma-separated list of allowed CORS origins       |
+| `NEO4J_MCP_SERVER_ALLOWED_HOSTS`   | `localhost,127.0.0.1`                   | Comma-separated list of allowed hosts (DNS rebinding protection) |
+| `NEO4J_RESPONSE_TOKEN_LIMIT`       | _(none)_                                | Maximum tokens for read query responses            |
+| `NEO4J_READ_TIMEOUT`               | `30`                                    | Timeout in seconds for read queries                |
 
 ### 🌐 SSE Transport for Legacy Web Access
 

servers/mcp-neo4j-cypher/docker-compose.yml

@@ -25,6 +25,8 @@ services:
       - NEO4J_MCP_SERVER_PORT=8000
       - NEO4J_MCP_SERVER_PATH=/api/mcp/
       - NEO4J_NAMESPACE=local
+      - NEO4J_MCP_SERVER_ALLOWED_HOSTS=localhost,127.0.0.1
+      - NEO4J_MCP_SERVER_ALLOW_ORIGINS=""
     depends_on:
       - neo4j
 

servers/mcp-neo4j-cypher/manifest.json

@@ -32,6 +32,8 @@
         "NEO4J_MCP_SERVER_HOST": "${user_config.mcp_server_host}",
         "NEO4J_MCP_SERVER_PORT": "${user_config.mcp_server_port}",
         "NEO4J_MCP_SERVER_PATH": "${user_config.mcp_server_path}",
+        "NEO4J_MCP_SERVER_ALLOW_ORIGINS": "${user_config.mcp_server_allow_origins}",
+        "NEO4J_MCP_SERVER_ALLOWED_HOSTS": "${user_config.mcp_server_allowed_hosts}",
         "NEO4J_RESPONSE_TOKEN_LIMIT": "${user_config.token_limit}",
         "NEO4J_READ_TIMEOUT": "${user_config.read_timeout}"
       }
@@ -127,6 +129,14 @@
       "required": false,
       "sensitive": false
     },
+    "mcp_server_allow_origins": {
+      "type": "string",
+      "title": "MCP Server Allow Origins",
+      "description": "The allowed origins for the MCP server as a comma-separated list, if not using stdio. Defaults to no allowed origins",
+      "default": "",
+      "required": false,
+      "sensitive": false
+    },
     "token_limit": {
       "type": "number",
       "title": "Response token limit",
@@ -135,6 +145,14 @@
       "required": false,
       "sensitive": false
     },
+    "mcp_server_allowed_hosts": {
+      "type": "string",
+      "title": "MCP Server Allowed Hosts",
+      "description": "The allowed hosts for the MCP server as a comma-separated list, if not using stdio. Defaults to localhost and 127.0.0.1",
+      "default": "localhost,127.0.0.1",
+      "required": false,
+      "sensitive": false
+    },
     "read_timeout": {
       "type": "number",
       "title": "Read timeout",

servers/mcp-neo4j-cypher/src/mcp_neo4j_cypher/__init__.py

@@ -21,6 +21,16 @@ def main():
     )
     parser.add_argument("--server-host", default=None, help="Server host")
     parser.add_argument("--server-port", default=None, help="Server port")
+    parser.add_argument(
+        "--allow-origins",
+        default=None,
+        help="Allow origins for remote servers (comma-separated list)",
+    )
+    parser.add_argument(
+        "--allowed-hosts",
+        default=None,
+        help="Allowed hosts for DNS rebinding protection on remote servers(comma-separated list)",
+    )
     parser.add_argument(
         "--read-timeout", 
         type=int, 

servers/mcp-neo4j-cypher/src/mcp_neo4j_cypher/server.py

@@ -10,6 +10,11 @@
 from neo4j import AsyncDriver, AsyncGraphDatabase, RoutingControl, Query
 from neo4j.exceptions import ClientError, Neo4jError
 from pydantic import Field
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+from starlette.middleware.trustedhost import TrustedHostMiddleware
+
+from .utils import _value_sanitize
 from .utils import _value_sanitize, _truncate_string_to_tokens
 
 logger = logging.getLogger("mcp_neo4j_cypher")
@@ -263,6 +268,8 @@ async def main(
     host: str = "127.0.0.1",
     port: int = 8000,
     path: str = "/mcp/",
+    allow_origins: list[str] = [],
+    allowed_hosts: list[str] = [],
     read_timeout: int = 30,
     token_limit: Optional[int] = None,
 ) -> None:
@@ -275,7 +282,17 @@ async def main(
             password,
         ),
     )
-
+    custom_middleware = [
+        Middleware(
+            CORSMiddleware,
+            allow_origins=allow_origins,
+            allow_methods=["GET", "POST"],
+            allow_headers=["*"],
+        ),
+        Middleware(TrustedHostMiddleware, 
+                   allowed_hosts=allowed_hosts)
+    ]
+    
     mcp = create_mcp_server(neo4j_driver, database, namespace, read_timeout, token_limit)
 
     # Run the server with the specified transport
@@ -284,15 +301,17 @@ async def main(
             logger.info(
                 f"Running Neo4j Cypher MCP Server with HTTP transport on {host}:{port}..."
             )
-            await mcp.run_http_async(host=host, port=port, path=path)
+            await mcp.run_http_async(
+                host=host, port=port, path=path, middleware=custom_middleware
+            )
         case "stdio":
             logger.info("Running Neo4j Cypher MCP Server with stdio transport...")
             await mcp.run_stdio_async()
         case "sse":
             logger.info(
                 f"Running Neo4j Cypher MCP Server with SSE transport on {host}:{port}..."
             )
-            await mcp.run_sse_async(host=host, port=port, path=path)
+            await mcp.run_http_async(host=host, port=port, path=path, middleware=custom_middleware, transport="sse")
         case _:
             logger.error(
                 f"Invalid transport: {transport} | Must be either 'stdio', 'sse', or 'http'"

servers/mcp-neo4j-cypher/src/mcp_neo4j_cypher/utils.py

@@ -170,6 +170,43 @@ def process_config(args: argparse.Namespace) -> dict[str, Union[str, int, None]]
             )
             config["path"] = None
 
+    # parse allow origins
+    if args.allow_origins is not None:
+        # Handle comma-separated string from CLI
+     
+        config["allow_origins"] = [origin.strip() for origin in args.allow_origins.split(",") if origin.strip()]
+
+    else:
+        if os.getenv("NEO4J_MCP_SERVER_ALLOW_ORIGINS") is not None:
+            # split comma-separated string into list
+            config["allow_origins"] = [
+                origin.strip() for origin in os.getenv("NEO4J_MCP_SERVER_ALLOW_ORIGINS", "").split(",") 
+                if origin.strip()
+            ]
+        else:
+            logger.info(
+                "Info: No allow origins provided. Defaulting to no allowed origins."
+            )
+            config["allow_origins"] = list()
+
+    # parse allowed hosts for DNS rebinding protection
+    if args.allowed_hosts is not None:
+        # Handle comma-separated string from CLI
+        config["allowed_hosts"] = [host.strip() for host in args.allowed_hosts.split(",") if host.strip()]
+      
+    else:
+        if os.getenv("NEO4J_MCP_SERVER_ALLOWED_HOSTS") is not None:
+            # split comma-separated string into list
+            config["allowed_hosts"] = [
+                host.strip() for host in os.getenv("NEO4J_MCP_SERVER_ALLOWED_HOSTS", "").split(",") 
+                if host.strip()
+            ]
+        else:
+            logger.info(
+                "Info: No allowed hosts provided. Defaulting to secure mode - only localhost and 127.0.0.1 allowed."
+            )
+            config["allowed_hosts"] = ["localhost", "127.0.0.1"]
+            
     # parse token limit
     if args.token_limit is not None:
         config["token_limit"] = args.token_limit
@@ -258,7 +295,6 @@ def _value_sanitize(d: Any, list_limit: int = 128) -> Any:
     else:
         return d
 
-
 def _truncate_string_to_tokens(
     text: str, token_limit: int, model: str = "gpt-4"
 ) -> str: