feat(http): log Host/Origin rejections #826

Merged
alexhancock merged 1 commit into main from log-dns-rebinding-rejections
May 1, 2026

Member

@DaleSeo DaleSeo commented Apr 30, 2026

Motivation and Context

The StreamableHttpService rejects requests due to Host or Origin validation failures, returning HTTP 400 or 403 responses. However, it doesn't emit a tracing event, which makes log-based alerting for DNS-rebinding attempts impossible. The only signal at the application layer is the HTTP status, but it doesn't include the rejected Host value.
This PR adds a tracing::warn! at each rejection point in parse_host_header, validate_dns_rebinding_headers, and validate_origin_header. This way, operators can detect and investigate potential DNS-rebinding or cross-origin attempts. The change is purely additive, meaning it doesn't alter any behavior, status codes, or response bodies.

How Has This Been Tested?

The existing integration tests continue to pass.

Breaking Changes

None. Logging-only addition.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed
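
An added illustration of the idea in this PR description, not code from the PR or from rmcp: a Host allowlist check that emits a warning record carrying the rejected value, escaped so an attacker-controlled header cannot forge log lines. The names `check_host`, `reject`, `sanitize` and `host_without_port`, the log field layout, the 400/403 mapping and the use of `eprintln!` in place of `tracing::warn!` are all assumptions made for this sketch.

```rust
#[derive(Debug, PartialEq)]
pub enum HostCheck {
    Allowed,
    Rejected { status: u16, log_line: String },
}

// The rejected Host is attacker-controlled: escape non-printable characters,
// quotes and backslashes, and cap the length, so it cannot forge log records.
fn sanitize(raw: &str) -> String {
    let safe = |c: char| c.is_ascii_graphic() && c != '"' && c != '\\';
    raw.chars().take(128)
        .map(|c| if safe(c) { c.to_string() } else { format!("\\u{{{:04x}}}", c as u32) })
        .collect()
}

// Drop an optional port, keeping bracketed IPv6 literals such as "[::1]" whole.
fn host_without_port(host: &str) -> &str {
    if host.starts_with('[') {
        return host.find(']').map_or(host, |i| &host[..=i]);
    }
    host.rsplit_once(':').map_or(host, |(name, _port)| name)
}

// Build the warning record; eprintln! stands in for tracing::warn! here.
fn reject(status: u16, reason: &str, raw: &str) -> HostCheck {
    let log_line = format!("WARN status={status} reason={reason} host=\"{}\"", sanitize(raw));
    eprintln!("{log_line}");
    HostCheck::Rejected { status, log_line }
}

// Assumed mapping: missing Host -> 400, Host outside the allowlist -> 403.
pub fn check_host(host: Option<&str>, allowed: &[&str]) -> HostCheck {
    let Some(raw) = host.map(str::trim).filter(|h| !h.is_empty()) else {
        return reject(400, "missing_host", "");
    };
    if allowed.iter().any(|a| a.eq_ignore_ascii_case(host_without_port(raw))) {
        return HostCheck::Allowed;
    }
    reject(403, "host_not_allowed", raw)
}

fn main() {
    // Constructed inputs: an allowed host, a rebinding-style host, a log-injection attempt.
    for h in ["localhost:8080", "rebind.example:8080", "x\r\nWARN forged"] {
        println!("{:?}", check_host(Some(h), &["localhost", "127.0.0.1", "[::1]"]));
    }
}
```

An alert rule can then key on the `status` and `reason` fields and group by `host` to separate a misconfigured client from repeated rebinding attempts.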

@DaleSeo DaleSeo requested a review from a team as a code owner April 30, 2026 19:02
@DaleSeo DaleSeo self-assigned this Apr 30, 2026
@github-actions github-actions Bot added T-core Core library changes T-transport Transport layer changes labels Apr 30, 2026
@alexhancock alexhancock merged commit 4cf7873 into main May 1, 2026
18 checks passed
@alexhancock alexhancock deleted the log-dns-rebinding-rejections branch May 1, 2026 12:42
@github-actions github-actions Bot mentioned this pull request Apr 23, 2026
jrmelsha added a commit to UserGeneratedLLC/rmcp-rust-sdk that referenced this pull request May 1, 2026
Brings in upstream rmcp v1.6.0:
- fix(http): fall back to :authority for HTTP/2 (modelcontextprotocol#827)
- fix: add init_timeout for streamable-http sessions (modelcontextprotocol#811)
- feat(http): log Host/Origin rejections (modelcontextprotocol#826)

Conflict resolution:
- crates/rmcp/CHANGELOG.md: kept fork's bare-boolean Unreleased entry,
  inserted upstream's 1.6.0 release section beneath it
- crates/rmcp/src/transport/streamable_http_server/tower.rs:
  auto-merged upstream's Host/Origin/HTTP-2 logging additions; kept
  fork's tracing::debug! for "Resume failed" (ab4ccdb) over upstream's
  tracing::warn! revert
- Cargo.toml workspace bumped to 1.6.0; fork's newer dep versions
  (pastey 0.2.2, schemars 1.2, reqwest 0.13.3, url 2.5,
  process-wrap 9.1, chrono 0.4.44) preserved; rand stays removed
  (ed5868d) since fork doesn't use it
- docs.rs anthropic-ext feature retained