fix: add consistent CORS security warnings to example servers#1728

Open
hhhashexe wants to merge 1 commit into modelcontextprotocol:main from hhhashexe:fix/cors-security-defaults

Conversation

@hhhashexe

Summary

Three example server files lacked the CORS security warnings that are already present in simpleStreamableHttp.ts and authServer.ts. Example code is frequently copy-pasted into production, so insecure defaults without clear warnings pose a real risk.

Closes #1683

Changes

ssePollingExample.ts

  • Before: bare app.use(cors()) — no origin restriction, no warning, no exposed headers
  • After: explicit origin: '*' with WARNING comments and exposedHeaders matching other examples

honoWebStandardStreamableHttp.ts

  • Before: origin: '*' with comment "Enable CORS for all origins" but no WARNING
  • After: consistent WARNING comments matching simpleStreamableHttp.ts pattern

elicitationUrlExample.ts

  • Before: origin: '*' with credentials: true and no warning. Note: credentials: true with wildcard origin is rejected by browsers per the CORS spec
  • After: WARNING comments added, plus a NOTE about the credentials/wildcard incompatibility

Pattern

All three files now use the same comment pattern established in simpleStreamableHttp.ts:

// Enable CORS for browser-based clients (demo only)
// WARNING: This configuration is for demo purposes only. In production, you should restrict this to specific origins and configure CORS yourself.
app.use(
    cors({
        origin: '*' // WARNING: This allows all origins to access the MCP server. In production, you should restrict this to specific origins.
    })
);

Testing

No behavior changes — only comments and the bare cors() → explicit cors({ origin: '*' }) in ssePollingExample.ts (functionally equivalent).

Three example servers lacked the security warnings present in
simpleStreamableHttp.ts and authServer.ts:

- ssePollingExample.ts: used bare cors() with no origin restriction
  or warning. Now uses explicit origin: '*' with WARNING comments
  and exposes required MCP headers.

- honoWebStandardStreamableHttp.ts: had origin: '*' but no WARNING
  comment indicating this is demo-only.

- elicitationUrlExample.ts: had origin: '*' with credentials: true
  (rejected by browsers per CORS spec) and no warning. Added
  WARNING comments and a NOTE about the credentials/wildcard
  incompatibility.

All three now match the comment pattern established in
simpleStreamableHttp.ts for consistency.

Closes modelcontextprotocol#1683
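To make the difference between the demo wildcard pattern and a restricted configuration concrete, here is a small CORS header builder written for this page; it is an added example, not code from the PR or from the MCP SDK. It takes the same option shape as the cors middleware options the PR touches (origin, credentials, exposedHeaders); the allowlisted hostname is a constructed placeholder, the exposed header name Mcp-Session-Id is assumed, and refusing the credentials-plus-wildcard combination outright (rather than emitting headers a browser will reject) is this example's own choice.

```javascript
// Added example: a minimal CORS header builder contrasting the demo
// wildcard configuration with a restricted allowlist configuration.

// Demo configuration, as in the example servers after this PR: every
// origin is allowed. 'Mcp-Session-Id' is an assumed exposed header name.
const demoConfig = { origin: '*', exposedHeaders: ['Mcp-Session-Id'] };

// Restricted configuration a real deployment should use instead: an
// explicit allowlist. The hostname is a constructed placeholder.
const productionConfig = {
  origin: ['https://app.example.com'],
  credentials: true,
  exposedHeaders: ['Mcp-Session-Id'],
};

// Compute the CORS response headers for a request whose Origin header is
// `requestOrigin`. Returns null when the origin is not allowed, meaning no
// CORS headers are emitted and the browser blocks the cross-origin read.
function corsHeaders(requestOrigin, config) {
  const headers = {};
  if (config.origin === '*') {
    if (config.credentials) {
      // Browsers reject Access-Control-Allow-Origin: * together with
      // Access-Control-Allow-Credentials: true, so treat it as a config error.
      throw new Error('credentials: true cannot be combined with origin: "*"');
    }
    headers['Access-Control-Allow-Origin'] = '*';
  } else {
    const allowed = Array.isArray(config.origin) ? config.origin : [config.origin];
    if (!requestOrigin || !allowed.includes(requestOrigin)) return null;
    // Echo only an allowlisted origin, and tell caches the answer depends on Origin.
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
    if (config.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  if (config.exposedHeaders && config.exposedHeaders.length > 0) {
    headers['Access-Control-Expose-Headers'] = config.exposedHeaders.join(', ');
  }
  return headers;
}
```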
@hhhashexe hhhashexe requested a review from a team as a code owner March 22, 2026 01:20
@changeset-bot

changeset-bot bot commented Mar 22, 2026

⚠️ No Changeset found

Latest commit: 1d841b3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



Development

Successfully merging this pull request may close these issues.

[Security] CORS wildcard and auth patterns in MCP server examples
