auth: restrict CORS to loopback by default

Theodor N. Engøy · Theodor N. Engøy · commit d0debb63fb4a · 2026-02-08T20:13:04.000+01:00
diff --git a/src/mcp/server/auth/routes.py b/src/mcp/server/auth/routes.py
@@ -20,6 +20,8 @@
 from mcp.server.streamable_http import MCP_PROTOCOL_VERSION_HEADER
 from mcp.shared.auth import OAuthMetadata, ProtectedResourceMetadata
 
+DEFAULT_AUTH_CORS_ORIGIN_REGEX = r"^https?://(localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$"
+
 
 def validate_issuer_url(url: AnyHttpUrl):
     """Validate that the issuer URL meets OAuth 2.0 requirements.
@@ -55,10 +57,17 @@ def validate_issuer_url(url: AnyHttpUrl):
 def cors_middleware(
     handler: Callable[[Request], Response | Awaitable[Response]],
     allow_methods: list[str],
+    *,
+    allow_origin_regex: str | None = None,
 ) -> ASGIApp:
+    # Default: allow loopback browser clients (e.g., MCP Inspector) without allowing arbitrary sites.
+    if allow_origin_regex is None:
+        allow_origin_regex = DEFAULT_AUTH_CORS_ORIGIN_REGEX
+
     cors_app = CORSMiddleware(
         app=request_response(handler),
-        allow_origins="*",
+        allow_origins=[],
+        allow_origin_regex=allow_origin_regex,
         allow_methods=allow_methods,
         allow_headers=[MCP_PROTOCOL_VERSION_HEADER],
     )
@@ -71,6 +80,7 @@ def create_auth_routes(
     service_documentation_url: AnyHttpUrl | None = None,
     client_registration_options: ClientRegistrationOptions | None = None,
     revocation_options: RevocationOptions | None = None,
+    cors_origin_regex: str | None = None,
 ) -> list[Route]:
     validate_issuer_url(issuer_url)
 
@@ -94,6 +104,7 @@ def create_auth_routes(
             endpoint=cors_middleware(
                 MetadataHandler(metadata).handle,
                 ["GET", "OPTIONS"],
+                allow_origin_regex=cors_origin_regex,
             ),
             methods=["GET", "OPTIONS"],
         ),
@@ -109,6 +120,7 @@ def create_auth_routes(
             endpoint=cors_middleware(
                 TokenHandler(provider, client_authenticator).handle,
                 ["POST", "OPTIONS"],
+                allow_origin_regex=cors_origin_regex,
             ),
             methods=["POST", "OPTIONS"],
         ),
@@ -125,6 +137,7 @@ def create_auth_routes(
                 endpoint=cors_middleware(
                     registration_handler.handle,
                     ["POST", "OPTIONS"],
+                    allow_origin_regex=cors_origin_regex,
                 ),
                 methods=["POST", "OPTIONS"],
             )
@@ -138,6 +151,7 @@ def create_auth_routes(
                 endpoint=cors_middleware(
                     revocation_handler.handle,
                     ["POST", "OPTIONS"],
+                    allow_origin_regex=cors_origin_regex,
                 ),
                 methods=["POST", "OPTIONS"],
             )
diff --git a/src/mcp/server/auth/settings.py b/src/mcp/server/auth/settings.py
@@ -21,6 +21,14 @@ class AuthSettings(BaseModel):
     client_registration_options: ClientRegistrationOptions | None = None
     revocation_options: RevocationOptions | None = None
     required_scopes: list[str] | None = None
+    cors_origin_regex: str | None = Field(
+        default=None,
+        description=(
+            "Regex for allowed browser Origin values on the authorization server endpoints "
+            "(/token, /register, /.well-known/oauth-authorization-server, etc). "
+            "If unset, a safe default allows only loopback origins (localhost/127.0.0.1/[::1])."
+        ),
+    )
 
     # Resource Server settings (when operating as RS only)
     resource_server_url: AnyHttpUrl | None = Field(
diff --git a/src/mcp/server/lowlevel/server.py b/src/mcp/server/lowlevel/server.py
@@ -867,6 +867,7 @@ def streamable_http_app(
                         service_documentation_url=auth.service_documentation_url,
                         client_registration_options=auth.client_registration_options,
                         revocation_options=auth.revocation_options,
+                        cors_origin_regex=auth.cors_origin_regex,
                     )
                 )
 
diff --git a/src/mcp/server/mcpserver/server.py b/src/mcp/server/mcpserver/server.py
@@ -840,6 +840,7 @@ async def handle_sse(scope: Scope, receive: Receive, send: Send):  # pragma: no
                         service_documentation_url=self.settings.auth.service_documentation_url,
                         client_registration_options=self.settings.auth.client_registration_options,
                         revocation_options=self.settings.auth.revocation_options,
+                        cors_origin_regex=self.settings.auth.cors_origin_regex,
                     )
                 )
 
diff --git a/tests/server/mcpserver/auth/test_auth_integration.py b/tests/server/mcpserver/auth/test_auth_integration.py
@@ -22,6 +22,7 @@
     construct_redirect_uri,
 )
 from mcp.server.auth.routes import ClientRegistrationOptions, RevocationOptions, create_auth_routes
+from mcp.server.streamable_http import MCP_PROTOCOL_VERSION_HEADER
 from mcp.shared.auth import OAuthClientInformationFull, OAuthToken
 
 
@@ -325,6 +326,40 @@ async def test_metadata_endpoint(self, test_client: httpx.AsyncClient):
         ]
         assert metadata["service_documentation"] == "https://docs.example.com/"
 
+    @pytest.mark.anyio
+    async def test_cors_allows_loopback_origin_by_default(self, test_client: httpx.AsyncClient):
+        origin = "http://localhost:5173"
+        response = await test_client.get(
+            "/.well-known/oauth-authorization-server",
+            headers={"Origin": origin},
+        )
+        assert response.status_code == 200
+        assert response.headers.get("access-control-allow-origin") == origin
+
+    @pytest.mark.anyio
+    async def test_cors_blocks_non_loopback_origin_by_default(self, test_client: httpx.AsyncClient):
+        origin = "https://evil.example"
+        response = await test_client.get(
+            "/.well-known/oauth-authorization-server",
+            headers={"Origin": origin},
+        )
+        assert response.status_code == 200
+        assert "access-control-allow-origin" not in response.headers
+
+    @pytest.mark.anyio
+    async def test_cors_preflight_allows_loopback_origin_by_default(self, test_client: httpx.AsyncClient):
+        origin = "http://127.0.0.1:3000"
+        response = await test_client.options(
+            "/token",
+            headers={
+                "Origin": origin,
+                "Access-Control-Request-Method": "POST",
+                "Access-Control-Request-Headers": MCP_PROTOCOL_VERSION_HEADER,
+            },
+        )
+        assert response.status_code == 200
+        assert response.headers.get("access-control-allow-origin") == origin
+
     @pytest.mark.anyio
     async def test_token_validation_error(self, test_client: httpx.AsyncClient):
         """Test token endpoint error - validation error."""

Original file line number	Diff line number	Diff line change
`@@ -867,6 +867,7 @@ def streamable_http_app(`
`867`	`867`	`service_documentation_url=auth.service_documentation_url,`
`868`	`868`	`client_registration_options=auth.client_registration_options,`
`869`	`869`	`revocation_options=auth.revocation_options,`
	`870`	`+ cors_origin_regex=auth.cors_origin_regex,`
`870`	`871`	`)`
`871`	`872`	`)`
`872`	`873`
Original file line number	Diff line number	Diff line change
`@@ -840,6 +840,7 @@ async def handle_sse(scope: Scope, receive: Receive, send: Send): # pragma: no`
`840`	`840`	`service_documentation_url=self.settings.auth.service_documentation_url,`
`841`	`841`	`client_registration_options=self.settings.auth.client_registration_options,`
`842`	`842`	`revocation_options=self.settings.auth.revocation_options,`
	`843`	`+ cors_origin_regex=self.settings.auth.cors_origin_regex,`
`843`	`844`	`)`
`844`	`845`	`)`
`845`	`846`