ExMCP.Transport.HTTPServer (ex_mcp v0.10.0)

View Source

HTTP server transport for MCP with security and CORS support.

This module provides a Plug-compatible HTTP server that handles MCP requests with comprehensive security features including:

  • Origin header validation (DNS rebinding protection)
  • CORS headers with configurable policies
  • Security headers (XSS, frame options, etc.)
  • HTTPS enforcement
  • Request validation

## Usage with Phoenix

  # In your router
  scope "/mcp" do
    forward "/", ExMCP.Transport.HTTPServer,
      handler: MyMCPHandler,
      security: %{
      validate_origin: true,
      allowed_origins: ["https://app.example.com"],
      cors: %{
        allowed_methods: ["GET", "POST", "OPTIONS"],
        allowed_headers: ["Content-Type", "Authorization"],
        allow_credentials: true
      }
    }
end

Usage with Plug.Router

defmodule MyMCPRouter do
  use Plug.Router

  plug :match
  plug :dispatch

  forward "/mcp", to: ExMCP.Transport.HTTPServer,
    init_opts: [
      handler: MyMCPHandler,
      security: %{validate_origin: true}
    ]
end

Security Configuration

The :security option accepts:

  • validate_origin: boolean() - Enable origin validation (default: true)
  • allowed_origins: [String.t()] - List of allowed origins
  • allowed_hosts: [String.t()] - List of allowed host headers
  • enforce_https: boolean() - Require HTTPS for non-localhost (default: true)
  • cors: map() - CORS configuration
  • include_security_headers: boolean() - Include standard security headers (default: true)

Summary

Functions

call(conn, config)

Handles HTTP requests for MCP.

init(opts)

Initializes the HTTP server with configuration.

Functions

call(conn, config)

Handles HTTP requests for MCP.

init(opts)

Initializes the HTTP server with configuration.