memory - add security middleware (#169)

* add security middleware

update config args, changelog, readme, tests based on Cypher MCP middleware implementation

* add env defaults to dockerfile

Author: a-s-g93

servers/mcp-neo4j-memory/CHANGELOG.md

@@ -6,6 +6,10 @@
 * Change default transport to `stdio` in Dockerfile
 
 ### Added
+* Add env variable `NEO4J_MCP_SERVER_ALLOW_ORIGINS` and cli variable `--allow-origins` to configure CORS Middleware for remote deployments
+* Add env variable `NEO4J_MCP_SERVER_ALLOWED_HOSTS` and cli variable `--allowed-hosts` to configure Trusted Hosts Middleware for remote deployments
+* Update HTTP and SSE transports to use security middleware
+* Add comprehensive HTTP transport integration tests with security middleware testing
 
 ## v0.3.0
 

servers/mcp-neo4j-memory/Dockerfile

@@ -28,6 +28,8 @@ ENV NEO4J_TRANSPORT="stdio"
 ENV NEO4J_MCP_SERVER_HOST="0.0.0.0"
 ENV NEO4J_MCP_SERVER_PORT="8000"
 ENV NEO4J_MCP_SERVER_PATH="/api/mcp/"
+ENV NEO4J_MCP_SERVER_ALLOW_ORIGINS=""
+ENV NEO4J_MCP_SERVER_ALLOWED_HOSTS="localhost,127.0.0.1"
 
 # Command to run the server using the package entry point
 CMD ["sh", "-c", "mcp-neo4j-memory"]

servers/mcp-neo4j-memory/README.md

@@ -195,6 +195,134 @@ The server supports three transport modes:
 }
 ```
 
+## 🔒 Security Protection
+
+The server includes comprehensive security protection with **secure defaults** that protect against common web-based attacks while preserving full MCP functionality when using HTTP transport.
+
+### 🛡️ DNS Rebinding Protection
+
+**TrustedHost Middleware** validates Host headers to prevent DNS rebinding attacks:
+
+**Secure by Default:**
+- Only `localhost` and `127.0.0.1` hosts are allowed by default
+
+**Environment Variable:**
+```bash
+export NEO4J_MCP_SERVER_ALLOWED_HOSTS="example.com,www.example.com"
+```
+
+### 🌐 CORS Protection
+
+**Cross-Origin Resource Sharing (CORS)** protection blocks browser-based requests by default:
+
+**Environment Variable:**
+```bash
+export NEO4J_MCP_SERVER_ALLOW_ORIGINS="https://example.com,https://app.example.com"
+```
+
+### 🔧 Complete Security Configuration
+
+**Development Setup:**
+```bash
+mcp-neo4j-memory --transport http \
+  --allowed-hosts "localhost,127.0.0.1" \
+  --allow-origins "http://localhost:3000"
+```
+
+**Production Setup:**
+```bash
+mcp-neo4j-memory --transport http \
+  --allowed-hosts "example.com,www.example.com" \
+  --allow-origins "https://example.com,https://app.example.com"
+```
+
+### 🚨 Security Best Practices
+
+**For `allow_origins`:**
+- Be specific: `["https://example.com", "https://example.com"]`
+- Never use `"*"` in production with credentials
+- Use HTTPS origins in production
+
+**For `allowed_hosts`:**
+- Include your actual domain: `["example.com", "www.example.com"]`
+- Include localhost only for development
+- Never use `"*"` unless you understand the risks
+
+## 🐳 Docker Deployment
+
+The Neo4j Memory MCP server can be deployed using Docker for remote deployments. Docker deployment should use HTTP transport for web accessibility. In order to integrate this deployment with applications like Claude Desktop, you will have to use a proxy in your MCP configuration such as `mcp-remote`.
+
+### 📦 Using Your Built Image
+
+After building locally with `docker build -t mcp-neo4j-memory:latest .`:
+
+```bash
+# Run with http transport (default for Docker)
+docker run --rm -p 8000:8000 \
+  -e NEO4J_URI="bolt://host.docker.internal:7687" \
+  -e NEO4J_USERNAME="neo4j" \
+  -e NEO4J_PASSWORD="password" \
+  -e NEO4J_DATABASE="neo4j" \
+  -e NEO4J_TRANSPORT="http" \
+  -e NEO4J_MCP_SERVER_HOST="0.0.0.0" \
+  -e NEO4J_MCP_SERVER_PORT="8000" \
+  -e NEO4J_MCP_SERVER_PATH="/mcp/" \
+  mcp/neo4j-memory:latest
+
+# Run with security middleware for production
+docker run --rm -p 8000:8000 \
+  -e NEO4J_URI="bolt://host.docker.internal:7687" \
+  -e NEO4J_USERNAME="neo4j" \
+  -e NEO4J_PASSWORD="password" \
+  -e NEO4J_DATABASE="neo4j" \
+  -e NEO4J_TRANSPORT="http" \
+  -e NEO4J_MCP_SERVER_HOST="0.0.0.0" \
+  -e NEO4J_MCP_SERVER_PORT="8000" \
+  -e NEO4J_MCP_SERVER_PATH="/mcp/" \
+  -e NEO4J_MCP_SERVER_ALLOWED_HOSTS="example.com,www.example.com" \
+  -e NEO4J_MCP_SERVER_ALLOW_ORIGINS="https://example.com" \
+  mcp/neo4j-memory:latest
+```
+
+### 🔧 Environment Variables
+
+| Variable                           | Default                                 | Description                                        |
+| ---------------------------------- | --------------------------------------- | -------------------------------------------------- |
+| `NEO4J_URI`                        | `bolt://localhost:7687`                 | Neo4j connection URI                               |
+| `NEO4J_USERNAME`                   | `neo4j`                                 | Neo4j username                                     |
+| `NEO4J_PASSWORD`                   | `password`                              | Neo4j password                                     |
+| `NEO4J_DATABASE`                   | `neo4j`                                 | Neo4j database name                                |
+| `NEO4J_TRANSPORT`                  | `stdio` (local), `http` (remote)        | Transport protocol (`stdio`, `http`, or `sse`)     |
+| `NEO4J_MCP_SERVER_HOST`            | `127.0.0.1` (local)                     | Host to bind to                                    |
+| `NEO4J_MCP_SERVER_PORT`            | `8000`                                  | Port for HTTP/SSE transport                        |
+| `NEO4J_MCP_SERVER_PATH`            | `/mcp/`                                 | Path for accessing MCP server                      |
+| `NEO4J_MCP_SERVER_ALLOW_ORIGINS`   | _(empty - secure by default)_           | Comma-separated list of allowed CORS origins       |
+| `NEO4J_MCP_SERVER_ALLOWED_HOSTS`   | `localhost,127.0.0.1`                   | Comma-separated list of allowed hosts (DNS rebinding protection) |
+
+### 🌐 SSE Transport for Legacy Web Access
+
+When using SSE transport (for legacy web clients), the server exposes an HTTP endpoint:
+
+```bash
+# Start the server with SSE transport
+docker run -d -p 8000:8000 \
+  -e NEO4J_URI="neo4j+s://demo.neo4jlabs.com" \
+  -e NEO4J_USERNAME="recommendations" \
+  -e NEO4J_PASSWORD="recommendations" \
+  -e NEO4J_DATABASE="neo4j" \
+  -e NEO4J_TRANSPORT="sse" \
+  -e NEO4J_MCP_SERVER_HOST="0.0.0.0" \
+  -e NEO4J_MCP_SERVER_PORT="8000" \
+  --name neo4j-memory-mcp-server \
+  mcp-neo4j-memory:latest
+
+# Test the SSE endpoint
+curl http://localhost:8000/sse
+
+# Use with MCP Inspector
+npx @modelcontextprotocol/inspector http://localhost:8000/sse
+```
+
 ## 🚀 Development
 
 ### 📦 Prerequisites

servers/mcp-neo4j-memory/pyproject.toml

@@ -8,6 +8,7 @@ dependencies = [
     "fastmcp>=2.0.0",
     "neo4j>=5.26.0",
     "pydantic>=2.10.1",
+    "starlette>=0.28.0",
 ]
 
 [build-system]

servers/mcp-neo4j-memory/src/mcp_neo4j_memory/__init__.py

@@ -19,6 +19,8 @@ def main():
     parser.add_argument("--server-host", default=None, help="HTTP host (default: 127.0.0.1)")
     parser.add_argument("--server-port", type=int, default=None, help="HTTP port (default: 8000)")
     parser.add_argument("--server-path", default=None, help="HTTP path (default: /mcp/)")
+    parser.add_argument("--allow-origins", default=None, help="Comma-separated list of allowed CORS origins")
+    parser.add_argument("--allowed-hosts", default=None, help="Comma-separated list of allowed hosts for DNS rebinding protection")
 
     args = parser.parse_args()
     config = process_config(args)

servers/mcp-neo4j-memory/src/mcp_neo4j_memory/server.py

@@ -4,6 +4,9 @@
 
 from neo4j import AsyncGraphDatabase
 from pydantic import Field
+from starlette.middleware import Middleware
+from starlette.middleware.cors import CORSMiddleware
+from starlette.middleware.trustedhost import TrustedHostMiddleware
 
 from fastmcp.server import FastMCP
 from fastmcp.exceptions import ToolError
@@ -203,14 +206,16 @@ async def find_memories_by_name(names: list[str] = Field(..., description="List
 
 
 async def main(
-    neo4j_uri: str, 
-    neo4j_user: str, 
-    neo4j_password: str, 
+    neo4j_uri: str,
+    neo4j_user: str,
+    neo4j_password: str,
     neo4j_database: str,
     transport: Literal["stdio", "sse", "http"] = "stdio",
     host: str = "127.0.0.1",
     port: int = 8000,
     path: str = "/mcp/",
+    allow_origins: list[str] = [],
+    allowed_hosts: list[str] = [],
 ) -> None:
     logger.info(f"Starting Neo4j MCP Memory Server")
     logger.info(f"Connecting to Neo4j with DB URL: {neo4j_uri}")
@@ -237,6 +242,18 @@ async def main(
     # Create fulltext index
     await memory.create_fulltext_index()
 
+    # Configure security middleware
+    custom_middleware = [
+        Middleware(
+            CORSMiddleware,
+            allow_origins=allow_origins,
+            allow_methods=["GET", "POST"],
+            allow_headers=["*"],
+        ),
+        Middleware(TrustedHostMiddleware,
+                   allowed_hosts=allowed_hosts)
+    ]
+
     # Create MCP server
     mcp = create_mcp_server(memory)
     logger.info("MCP server created")
@@ -246,12 +263,12 @@ async def main(
     match transport:
         case "http":
             logger.info(f"HTTP server starting on {host}:{port}{path}")
-            await mcp.run_http_async(host=host, port=port, path=path)
+            await mcp.run_http_async(host=host, port=port, path=path, middleware=custom_middleware)
         case "stdio":
             logger.info("STDIO server starting")
             await mcp.run_stdio_async()
         case "sse":
             logger.info(f"SSE server starting on {host}:{port}{path}")
-            await mcp.run_sse_async(host=host, port=port, path=path)
+            await mcp.run_http_async(host=host, port=port, path=path, middleware=custom_middleware, transport="sse")
         case _:
             raise ValueError(f"Unsupported transport: {transport}")

servers/mcp-neo4j-memory/src/mcp_neo4j_memory/utils.py

@@ -129,4 +129,41 @@ def process_config(args: argparse.Namespace) -> dict[str, Union[str, int, None]]
             logger.info("Info: No server path provided and transport is `stdio`. `server_path` will be None.")
             config["path"] = None
 
+    # parse allow origins
+    if args.allow_origins is not None:
+        # Handle comma-separated string from CLI
+     
+        config["allow_origins"] = [origin.strip() for origin in args.allow_origins.split(",") if origin.strip()]
+
+    else:
+        if os.getenv("NEO4J_MCP_SERVER_ALLOW_ORIGINS") is not None:
+            # split comma-separated string into list
+            config["allow_origins"] = [
+                origin.strip() for origin in os.getenv("NEO4J_MCP_SERVER_ALLOW_ORIGINS", "").split(",") 
+                if origin.strip()
+            ]
+        else:
+            logger.info(
+                "Info: No allow origins provided. Defaulting to no allowed origins."
+            )
+            config["allow_origins"] = list()
+
+    # parse allowed hosts for DNS rebinding protection
+    if args.allowed_hosts is not None:
+        # Handle comma-separated string from CLI
+        config["allowed_hosts"] = [host.strip() for host in args.allowed_hosts.split(",") if host.strip()]
+      
+    else:
+        if os.getenv("NEO4J_MCP_SERVER_ALLOWED_HOSTS") is not None:
+            # split comma-separated string into list
+            config["allowed_hosts"] = [
+                host.strip() for host in os.getenv("NEO4J_MCP_SERVER_ALLOWED_HOSTS", "").split(",") 
+                if host.strip()
+            ]
+        else:
+            logger.info(
+                "Info: No allowed hosts provided. Defaulting to secure mode - only localhost and 127.0.0.1 allowed."
+            )
+            config["allowed_hosts"] = ["localhost", "127.0.0.1"]
+    
     return config