Address code review feedback

- Tighten DNS rebinding protection to only exact matches for localhost and 127.0.0.1
- Improve pragma comment to explain SEP-1330 backward compatibility requirement

Co-authored-by: eiriktsarpalis <2813363+eiriktsarpalis@users.noreply.github.com>

Author: Copilot

tests/ModelContextProtocol.ConformanceServer/Program.cs

@@ -101,9 +101,8 @@ public static async Task MainAsync(string[] args, ILoggerProvider? loggerProvide
             var hostHeader = port.HasValue ? $"{host}:{port.Value}" : host;
 
             // Allow localhost and 127.0.0.1 on any port for conformance testing
-            // In production, this should be more restrictive
-            var allowed = host == "localhost" || host == "127.0.0.1" || 
-                          host.StartsWith("localhost.") || host.StartsWith("127.0.0.1.");
+            // In production, this should be more restrictive with specific allowed hosts
+            var allowed = host == "localhost" || host == "127.0.0.1";
 
             if (!allowed)
             {

tests/ModelContextProtocol.ConformanceServer/Tools/ConformanceTools.cs

@@ -350,7 +350,8 @@ public static async Task<string> ElicitationSep1330Enums(
                         ]
                     },
                     // 3. Legacy titled enum (deprecated - enum + enumNames)
-#pragma warning disable MCP9001 // Required for SEP-1330 conformance testing
+                    // Required for SEP-1330 conformance testing - tests backward compatibility with legacy enum format
+#pragma warning disable MCP9001
                     ["legacy_titled"] = new ElicitRequestParams.LegacyTitledEnumSchema()
 #pragma warning restore MCP9001
                     {