fix(security): allow in-cluster service hosts for FastMCP transport validation

2026-02-19 09:58:27 +11:00
parent ab5041d4ec
commit 756ed24bfc
1 changed files with 18 additions and 1 deletions
--- a/server.py
+++ b/server.py
@@ -1,6 +1,7 @@
 import os
 import httpx
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 import psycopg
 from pgvector.psycopg import register_vector
 import uuid
@@ -16,7 +17,23 @@ EMBEDDING_DIM = 768  # BAAI/bge-base-en-v1.5

 # Initialize
 logging.basicConfig(level=logging.INFO)
-mcp = FastMCP("knowledge-mcp")
+mcp = FastMCP(
+    "knowledge-mcp",
+    host="0.0.0.0",
+    port=8000,
+    sse_path="/sse",
+    transport_security=TransportSecuritySettings(
+        enable_dns_rebinding_protection=True,
+        allowed_hosts=[
+            "localhost:*",
+            "127.0.0.1:*",
+            "knowledge-mcp:*",
+            "knowledge-mcp.knowledge-mcp.svc:*",
+            "knowledge-mcp.knowledge-mcp.svc.cluster.local:*",
+        ],
+        allowed_origins=[],
+    ),
+)

@contextmanager
 def get_db(init=False):