This guide helps you resolve common issues when using the MCP Python SDK.
A recent update introduced DNS rebinding protection to the MCP Python SDK. While this improves security, it may cause existing setups to fail with a 421 Misdirected Request / Invalid Host Header error if the host header doesn't match the allowed list (common when using proxies, gateways, or custom domains).
Depending on your security requirements, you can resolve this in two ways:
Use this approach if you are running in production or through a gateway. You can wildcard the ports using *.
from mcp.server.fastmcp import FastMCP
from mcp.server.transport_security import TransportSecuritySettings
mcp = FastMCP(
"MyServer",
transport_security=TransportSecuritySettings(
enable_dns_rebinding_protection=True,
# Add your specific gateway or domain here
allowed_hosts=["localhost:*", "127.0.0.1:*", "your-gateway-host:*"],
allowed_origins=["http://localhost:*", "http://your-gateway-host:*"],
)
)Use this approach for local development or if you are managing security at a different layer of your infrastructure.
from mcp.server.fastmcp import FastMCP
from mcp.server.transport_security import TransportSecuritySettings
mcp = FastMCP(
"MyServer",
transport_security=TransportSecuritySettings(
enable_dns_rebinding_protection=False,
)
)If you are using a reverse proxy (like Nginx or Caddy), ensure your proxy is passing the correct Host header to the MCP server.
Nginx example:
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}Caddy example:
reverse_proxy localhost:8000 {
header_up Host {upstream_hostport}
}