fix: enable DNS rebinding protection by default

conformance-test/src/main/kotlin/io/modelcontextprotocol/kotlin/sdk/conformance/ConformanceServer.kt

@@ -19,8 +19,6 @@ fun main() {
             json(McpJson)
         }
         mcpStreamableHttp(
-            enableDnsRebindingProtection = true,
-            allowedHosts = listOf("localhost", "127.0.0.1", "localhost:$port", "127.0.0.1:$port"),
             eventStore = InMemoryEventStore(),
         ) {
             createConformanceServer()

kotlin-sdk-server/api/kotlin-sdk-server.api

@@ -28,16 +28,31 @@ public final class io/modelcontextprotocol/kotlin/sdk/server/ClientConnection$De
 	public static synthetic fun ping$default (Lio/modelcontextprotocol/kotlin/sdk/server/ClientConnection;Lio/modelcontextprotocol/kotlin/sdk/types/PingRequest;Lio/modelcontextprotocol/kotlin/sdk/shared/RequestOptions;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
 }
 
+public final class io/modelcontextprotocol/kotlin/sdk/server/DnsRebindingProtectionConfig {
+	public fun <init> ()V
+	public final fun getAllowedHosts ()Ljava/util/List;
+	public final fun getAllowedOrigins ()Ljava/util/List;
+	public final fun setAllowedHosts (Ljava/util/List;)V
+	public final fun setAllowedOrigins (Ljava/util/List;)V
+}
+
 public abstract interface class io/modelcontextprotocol/kotlin/sdk/server/EventStore {
 	public abstract fun getStreamIdForEventId (Ljava/lang/String;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public abstract fun replayEventsAfter (Ljava/lang/String;Lkotlin/jvm/functions/Function3;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public abstract fun storeEvent (Ljava/lang/String;Lio/modelcontextprotocol/kotlin/sdk/types/JSONRPCMessage;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 }
 
+public final class io/modelcontextprotocol/kotlin/sdk/server/HostValidationKt {
+	public static final fun getDnsRebindingProtection ()Lio/ktor/server/application/RouteScopedPlugin;
+}
+
 public final class io/modelcontextprotocol/kotlin/sdk/server/KtorServerKt {
-	public static final fun mcp (Lio/ktor/server/application/Application;Lkotlin/jvm/functions/Function1;)V
-	public static final fun mcp (Lio/ktor/server/routing/Route;Ljava/lang/String;Lkotlin/jvm/functions/Function1;)V
-	public static final fun mcp (Lio/ktor/server/routing/Route;Lkotlin/jvm/functions/Function1;)V
+	public static final fun mcp (Lio/ktor/server/application/Application;ZLjava/util/List;Ljava/util/List;Lkotlin/jvm/functions/Function1;)V
+	public static final fun mcp (Lio/ktor/server/routing/Route;Ljava/lang/String;ZLjava/util/List;Ljava/util/List;Lkotlin/jvm/functions/Function1;)V
+	public static final fun mcp (Lio/ktor/server/routing/Route;ZLjava/util/List;Ljava/util/List;Lkotlin/jvm/functions/Function1;)V
+	public static synthetic fun mcp$default (Lio/ktor/server/application/Application;ZLjava/util/List;Ljava/util/List;Lkotlin/jvm/functions/Function1;ILjava/lang/Object;)V
+	public static synthetic fun mcp$default (Lio/ktor/server/routing/Route;Ljava/lang/String;ZLjava/util/List;Ljava/util/List;Lkotlin/jvm/functions/Function1;ILjava/lang/Object;)V
+	public static synthetic fun mcp$default (Lio/ktor/server/routing/Route;ZLjava/util/List;Ljava/util/List;Lkotlin/jvm/functions/Function1;ILjava/lang/Object;)V
 	public static final fun mcpStatelessStreamableHttp (Lio/ktor/server/application/Application;Ljava/lang/String;ZLjava/util/List;Ljava/util/List;Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;Lkotlin/jvm/functions/Function1;)V
 	public static synthetic fun mcpStatelessStreamableHttp$default (Lio/ktor/server/application/Application;Ljava/lang/String;ZLjava/util/List;Ljava/util/List;Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;Lkotlin/jvm/functions/Function1;ILjava/lang/Object;)V
 	public static final fun mcpStreamableHttp (Lio/ktor/server/application/Application;Ljava/lang/String;ZLjava/util/List;Ljava/util/List;Lio/modelcontextprotocol/kotlin/sdk/server/EventStore;Lkotlin/jvm/functions/Function1;)V

kotlin-sdk-server/src/commonMain/kotlin/io/modelcontextprotocol/kotlin/sdk/server/HostValidation.kt

@@ -0,0 +1,139 @@
+package io.modelcontextprotocol.kotlin.sdk.server
+
+import io.ktor.http.ContentType
+import io.ktor.http.HttpHeaders
+import io.ktor.http.HttpStatusCode
+import io.ktor.server.application.ApplicationCall
+import io.ktor.server.application.RouteScopedPlugin
+import io.ktor.server.application.createRouteScopedPlugin
+import io.ktor.server.request.header
+import io.ktor.server.response.respondText
+import io.modelcontextprotocol.kotlin.sdk.types.JSONRPCError
+import io.modelcontextprotocol.kotlin.sdk.types.McpJson
+import io.modelcontextprotocol.kotlin.sdk.types.RPCError
+
+/**
+ * Default list of hostnames allowed for localhost DNS rebinding protection.
+ * Matches the TypeScript SDK's `localhostAllowedHostnames()`.
+ */
+internal val LOCALHOST_ALLOWED_HOSTS: List<String> = listOf("localhost", "127.0.0.1", "[::1]")
+
+/**
+ * Characters that are valid in a URL but must not appear in an HTTP `Host` header.
+ * Rejecting them prevents the parser from accepting malformed values
+ * (e.g. `evil.com@localhost`, `host/path`) that a generic URL parser would silently allow.
+ */
+private val FORBIDDEN_HOST_CHARS: CharArray = charArrayOf('/', '@', '?', '#')
+
+/**
+ * Extracts the hostname from a Host header value, stripping the port.
+ *
+ * Only accepts the strict `host [ ":" port ]` / `"[" ipv6 "]" [ ":" port ]`
+ * format defined by RFC 7230. Values containing URL-only characters
+ * (`/`, `@`, `?`, `#`) or whitespace are rejected.
+ *
+ * Examples:
+ * - `"localhost:3000"` → `"localhost"`
+ * - `"127.0.0.1:8080"` → `"127.0.0.1"`
+ * - `"[::1]:3000"` → `"[::1]"`
+ * - `"example.com"` → `"example.com"`
+ * - `"evil.com@localhost"` → `null`
+ *
+ * @return the hostname, or `null` if the value is blank, malformed, or contains forbidden characters.
+ */
+internal fun extractHostname(hostHeader: String): String? = when {
+    hostHeader.isBlank() -> null
+
+    hostHeader.any { it in FORBIDDEN_HOST_CHARS || it.isWhitespace() } -> null
+
+    hostHeader.startsWith("[") -> {
+        val end = hostHeader.indexOf(']')
+        val tail = if (end > 0) hostHeader.substring(end + 1) else ""
+        if (end > 0 && (tail.isEmpty() || tail.startsWith(':'))) {
+            hostHeader.substring(0, end + 1)
+        } else {
+            null
+        }
+    }
+
+    else -> hostHeader.substringBefore(':').ifEmpty { null }
+}
+
+/**
+ * Configuration for the [DnsRebindingProtection] Ktor route-scoped plugin.
+ *
+ * @property allowedHosts List of hostnames allowed in the `Host` header.
+ *     Comparison is port-agnostic and case-insensitive.
+ *     Defaults to [LOCALHOST_ALLOWED_HOSTS].
+ *     An empty list will reject **all** requests.
+ * @property allowedOrigins Optional list of allowed `Origin` header values.
+ *     If `null`, origin validation is disabled.
+ *     If configured, requests **with** an `Origin` header not in the list are rejected,
+ *     but requests **without** an `Origin` header are allowed (non-browser clients).
+ */
+public class DnsRebindingProtectionConfig {
+    public var allowedHosts: List<String> = LOCALHOST_ALLOWED_HOSTS
+    public var allowedOrigins: List<String>? = null
+}
+
+/**
+ * Ktor route-scoped plugin that validates `Host` and `Origin` headers
+ * to protect against DNS rebinding attacks.
+ *
+ * Install on a route to intercept all requests **before** handlers:
+ * ```kotlin
+ * route("/mcp") {
+ *     install(DnsRebindingProtection) {
+ *         allowedHosts = listOf("myapp.com", "localhost")
+ *     }
+ *     // handlers...
+ * }
+ * ```
+ */
+public val DnsRebindingProtection: RouteScopedPlugin<DnsRebindingProtectionConfig> =
+    createRouteScopedPlugin(
+        "MCP-DnsRebindingProtection",
+        ::DnsRebindingProtectionConfig,
+    ) {
+        val hosts: Set<String> = pluginConfig.allowedHosts.mapTo(mutableSetOf()) {
+            extractHostname(it)?.lowercase() ?: it.lowercase()
+        }
+        val origins: Set<String>? = pluginConfig.allowedOrigins?.mapTo(mutableSetOf()) { it.lowercase() }
+
+        onCall { call ->
+            val hostHeader = call.request.header(HttpHeaders.Host)
+            val hostname = hostHeader?.let { extractHostname(it) }?.lowercase()
+
+            if (hostname == null || hostname !in hosts) {
+                call.rejectDnsValidation("Invalid Host header: $hostHeader")
+                return@onCall
+            }
+
+            if (origins != null) {
+                val origin = call.request.header(HttpHeaders.Origin)?.lowercase()
+                // Allow requests without Origin (non-browser clients cannot perform DNS rebinding)
+                if (origin != null && origin !in origins) {
+                    call.rejectDnsValidation("Invalid Origin header: $origin")
+                    return@onCall
+                }
+            }
+        }
+    }
+
+/**
+ * Responds with a 403 Forbidden JSON-RPC error without requiring ContentNegotiation.
+ */
+private suspend fun ApplicationCall.rejectDnsValidation(message: String) {
+    val error = JSONRPCError(
+        id = null,
+        error = RPCError(
+            code = RPCError.ErrorCode.CONNECTION_CLOSED,
+            message = message,
+        ),
+    )
+    respondText(
+        McpJson.encodeToString(error),
+        ContentType.Application.Json,
+        HttpStatusCode.Forbidden,
+    )
+}

kotlin-sdk-server/src/commonMain/kotlin/io/modelcontextprotocol/kotlin/sdk/server/KtorServer.kt

@@ -35,14 +35,24 @@ private val logger = KotlinLogging.logger {}
  * Use [Application.mcp] if you want SSE to be installed automatically.
  *
  * @param path the URL path to register the SSE endpoint.
+ * @param enableDnsRebindingProtection whether to install [DnsRebindingProtection] on this route. Defaults to `true`.
+ * @param allowedHosts hostnames allowed in the `Host` header. Defaults to [LOCALHOST_ALLOWED_HOSTS].
+ * @param allowedOrigins origins allowed in the `Origin` header, or `null` to skip origin validation.
  * @param block factory block with access to the [ServerSSESession]
  *      that creates and returns the [Server] to handle the connection.
  * @throws IllegalStateException if the [SSE] plugin is not installed.
  */
 @KtorDsl
-public fun Route.mcp(path: String, block: ServerSSESession.() -> Server) {
+@Suppress("LongParameterList")
+public fun Route.mcp(
+    path: String,
+    enableDnsRebindingProtection: Boolean = true,
+    allowedHosts: List<String>? = null,
+    allowedOrigins: List<String>? = null,
+    block: ServerSSESession.() -> Server,
+) {
     route(path) {
-        mcp(block)
+        mcp(enableDnsRebindingProtection, allowedHosts, allowedOrigins, block)
     }
 }
 
@@ -53,12 +63,20 @@ public fun Route.mcp(path: String, block: ServerSSESession.() -> Server) {
  * **Precondition:** the [SSE] plugin must be installed on the application before calling this function.
  * Use [Application.mcp] if you want SSE to be installed automatically.
  *
+ * @param enableDnsRebindingProtection whether to install [DnsRebindingProtection] on this route. Defaults to `true`.
+ * @param allowedHosts hostnames allowed in the `Host` header. Defaults to [LOCALHOST_ALLOWED_HOSTS].
+ * @param allowedOrigins origins allowed in the `Origin` header, or `null` to skip origin validation.
  * @param block factory block with access to the [ServerSSESession]
  *      that creates and returns the [Server] to handle the connection.
  * @throws IllegalStateException if the [SSE] plugin is not installed.
  */
 @KtorDsl
-public fun Route.mcp(block: ServerSSESession.() -> Server) {
+public fun Route.mcp(
+    enableDnsRebindingProtection: Boolean = true,
+    allowedHosts: List<String>? = null,
+    allowedOrigins: List<String>? = null,
+    block: ServerSSESession.() -> Server,
+) {
     try {
         plugin(SSE)
     } catch (e: MissingApplicationPluginException) {
@@ -70,6 +88,13 @@ public fun Route.mcp(block: ServerSSESession.() -> Server) {
         )
     }
 
+    if (enableDnsRebindingProtection) {
+        install(DnsRebindingProtection) {
+            this.allowedHosts = allowedHosts ?: LOCALHOST_ALLOWED_HOSTS
+            allowedOrigins?.let { this.allowedOrigins = it }
+        }
+    }
+
     val transportManager = TransportManager<SseServerTransport>()
 
     sse {
@@ -86,20 +111,32 @@ public fun Route.mcp(block: ServerSSESession.() -> Server) {
  * over [Server-Sent Events (SSE) Transport](https://modelcontextprotocol.io/specification/2024-11-05/basic/transports#http-with-sse)
  * and sets up routing with the provided configuration block.
  *
+ * @param enableDnsRebindingProtection whether to install [DnsRebindingProtection] on this route. Defaults to `true`.
+ * @param allowedHosts hostnames allowed in the `Host` header. Defaults to [LOCALHOST_ALLOWED_HOSTS].
+ * @param allowedOrigins origins allowed in the `Origin` header, or `null` to skip origin validation.
  * @param block factory block with access to the [ServerSSESession]
  *      that creates and returns the [Server] to handle the connection.
  */
 @KtorDsl
-public fun Application.mcp(block: ServerSSESession.() -> Server) {
+public fun Application.mcp(
+    enableDnsRebindingProtection: Boolean = true,
+    allowedHosts: List<String>? = null,
+    allowedOrigins: List<String>? = null,
+    block: ServerSSESession.() -> Server,
+) {
     install(SSE)
 
     routing {
-        mcp(block)
+        mcp(enableDnsRebindingProtection, allowedHosts, allowedOrigins, block)
     }
 }
 
+@Suppress("LongParameterList")
 private fun Application.mcpStreamableHttp(
     path: String = "/mcp",
+    enableDnsRebindingProtection: Boolean,
+    allowedHosts: List<String>?,
+    allowedOrigins: List<String>?,
     configuration: StreamableHttpServerTransport.Configuration,
     block: RoutingContext.() -> Server,
 ) {
@@ -109,6 +146,13 @@ private fun Application.mcpStreamableHttp(
 
     routing {
         route(path) {
+            if (enableDnsRebindingProtection) {
+                install(DnsRebindingProtection) {
+                    this.allowedHosts = allowedHosts ?: LOCALHOST_ALLOWED_HOSTS
+                    allowedOrigins?.let { this.allowedOrigins = it }
+                }
+            }
+
             sse {
                 val transport = existingStreamableTransport(call, transportManager) ?: return@sse
                 transport.handleRequest(this, call)
@@ -140,10 +184,11 @@ private fun Application.mcpStreamableHttp(
  * Simple request/response pairs are returned as JSON (not SSE streams).
  *
  * @param path The base path for the MCP Streamable HTTP endpoint. Defaults to "/mcp".
- * @param enableDnsRebindingProtection Enables DNS rebinding attack protection for the endpoint. Defaults to false.
- * @param allowedHosts A list of hostnames allowed to access the endpoint. If `null`, no restrictions are applied.
+ * @param enableDnsRebindingProtection Enables DNS rebinding attack protection for the endpoint. Defaults to `true`.
+ * @param allowedHosts A list of hostnames allowed to access the endpoint.
+ *          If `null` and DNS rebinding protection is enabled, defaults to [LOCALHOST_ALLOWED_HOSTS].
  * @param allowedOrigins A list of origins allowed to perform cross-origin requests (CORS).
- *          If `null`, no restrictions are applied.
+ *          If `null`, origin validation is disabled.
  * @param eventStore An optional [EventStore] instance to enable resumable event stream functionality.
  *          Allows storing and replaying events.
  * @param block factory block with access to the [RoutingContext] (for reading request headers)
@@ -153,34 +198,45 @@ private fun Application.mcpStreamableHttp(
 @Suppress("LongParameterList")
 public fun Application.mcpStreamableHttp(
     path: String = "/mcp",
-    enableDnsRebindingProtection: Boolean = false,
+    enableDnsRebindingProtection: Boolean = true,
     allowedHosts: List<String>? = null,
     allowedOrigins: List<String>? = null,
     eventStore: EventStore? = null,
     block: RoutingContext.() -> Server,
 ) {
     mcpStreamableHttp(
         path = path,
+        enableDnsRebindingProtection = enableDnsRebindingProtection,
+        allowedHosts = allowedHosts,
+        allowedOrigins = allowedOrigins,
         configuration = StreamableHttpServerTransport.Configuration(
-            enableDnsRebindingProtection = enableDnsRebindingProtection,
-            allowedHosts = allowedHosts,
-            allowedOrigins = allowedOrigins,
             eventStore = eventStore,
             enableJsonResponse = true,
         ),
         block = block,
     )
 }
 
+@Suppress("LongParameterList")
 private fun Application.mcpStatelessStreamableHttp(
     path: String = "/mcp",
+    enableDnsRebindingProtection: Boolean,
+    allowedHosts: List<String>?,
+    allowedOrigins: List<String>?,
     configuration: StreamableHttpServerTransport.Configuration,
     block: RoutingContext.() -> Server,
 ) {
     install(SSE)
 
     routing {
         route(path) {
+            if (enableDnsRebindingProtection) {
+                install(DnsRebindingProtection) {
+                    this.allowedHosts = allowedHosts ?: LOCALHOST_ALLOWED_HOSTS
+                    allowedOrigins?.let { this.allowedOrigins = it }
+                }
+            }
+
             post {
                 mcpStatelessStreamableHttpEndpoint(
                     configuration = configuration,
@@ -213,9 +269,10 @@ private fun Application.mcpStatelessStreamableHttp(
  * Simple request/response pairs are returned as JSON (not SSE streams).
  *
  * @param path The URL path where the server listens for incoming JSON-RPC requests. Defaults to "/mcp".
- * @param enableDnsRebindingProtection Determines whether DNS rebinding protection is enabled. Defaults to `false`.
- * @param allowedHosts A list of allowed hostnames. If null, host filtering is disabled.
- * @param allowedOrigins A list of allowed origins for CORS. If null, origin filtering is disabled.
+ * @param enableDnsRebindingProtection Determines whether DNS rebinding protection is enabled. Defaults to `true`.
+ * @param allowedHosts A list of allowed hostnames. If `null` and DNS rebinding protection is enabled,
+ * defaults to [LOCALHOST_ALLOWED_HOSTS].
+ * @param allowedOrigins A list of allowed origins for CORS. If `null`, origin validation is disabled.
  * @param eventStore An optional [EventStore] implementation to provide resumability and event replay support.
  * @param block factory block with access to the [RoutingContext] (for reading request headers)
  *          that creates and returns the [Server] to handle the connection.
@@ -224,18 +281,18 @@ private fun Application.mcpStatelessStreamableHttp(
 @Suppress("LongParameterList")
 public fun Application.mcpStatelessStreamableHttp(
     path: String = "/mcp",
-    enableDnsRebindingProtection: Boolean = false,
+    enableDnsRebindingProtection: Boolean = true,
     allowedHosts: List<String>? = null,
     allowedOrigins: List<String>? = null,
     eventStore: EventStore? = null,
     block: RoutingContext.() -> Server,
 ) {
     mcpStatelessStreamableHttp(
         path = path,
+        enableDnsRebindingProtection = enableDnsRebindingProtection,
+        allowedHosts = allowedHosts,
+        allowedOrigins = allowedOrigins,
         configuration = StreamableHttpServerTransport.Configuration(
-            enableDnsRebindingProtection = enableDnsRebindingProtection,
-            allowedHosts = allowedHosts,
-            allowedOrigins = allowedOrigins,
             eventStore = eventStore,
             enableJsonResponse = true,
         ),