feat: add disablecontenttypecheck MCPGODEBUG option to skip Content-Type validation on POST requests

guglielmo-san · guglielmo-san · commit da993241e71c · 2026-05-22T10:29:42.000Z
diff --git a/docs/mcpgodebug.md b/docs/mcpgodebug.md
@@ -18,6 +18,15 @@
 
 ## `MCPGODEBUG` history
 
+### 1.6.1
+
+Options listed below were added and will be removed in the 1.8.0 version of the SDK.
+
+- `disablecontenttypecheck` added. If set to `1`, Content-Type validation on
+  HTTP POST requests will be disabled, allowing requests with non-JSON or missing
+  Content-Type headers. The default behavior is to validate that HTTP POST
+  requests have Content-Type: application/json.
+
 ### 1.6.0
 
 Options listed below were added and will be removed in the 1.8.0 version of the SDK.
diff --git a/internal/docs/mcpgodebug.src.md b/internal/docs/mcpgodebug.src.md
@@ -17,6 +17,15 @@
 
 ## `MCPGODEBUG` history
 
+### 1.6.1
+
+Options listed below were added and will be removed in the 1.8.0 version of the SDK.
+
+- `disablecontenttypecheck` added. If set to `1`, Content-Type validation on
+  HTTP POST requests will be disabled, allowing requests with non-JSON or missing
+  Content-Type headers. The default behavior is to validate that HTTP POST
+  requests have Content-Type: application/json.
+
 ### 1.6.0
 
 Options listed below were added and will be removed in the 1.8.0 version of the SDK.
diff --git a/mcp/sse.go b/mcp/sse.go
@@ -202,7 +202,7 @@ func (h *SSEHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	}
 
 	// Validate 'Content-Type' header.
-	if req.Method == http.MethodPost {
+	if disablecontenttypecheck != "1" && req.Method == http.MethodPost {
 		mediaType, _, err := mime.ParseMediaType(req.Header.Get("Content-Type"))
 		if err != nil || mediaType != "application/json" {
 			http.Error(w, "Content-Type must be 'application/json'", http.StatusUnsupportedMediaType)
diff --git a/mcp/streamable.go b/mcp/streamable.go
@@ -246,6 +246,12 @@ var disablelocalhostprotection = mcpgodebug.Value("disablelocalhostprotection")
 // The option will be removed in the 1.8.0 version of the SDK.
 var enableoriginverification = mcpgodebug.Value("enableoriginverification")
 
+// disablecontenttypecheck is a compatibility parameter that allows to disable
+// Content-Type validation on POST requests.
+// See the documentation for the mcpgodebug package for instructions how to enable it.
+// The option will be removed in the 1.8.0 version of the SDK.
+var disablecontenttypecheck = mcpgodebug.Value("disablecontenttypecheck")
+
 func (h *StreamableHTTPHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	// DNS rebinding protection: auto-enabled for localhost servers.
 	// See: https://modelcontextprotocol.io/specification/2025-11-25/basic/security_best_practices#local-mcp-server-compromise
@@ -267,7 +273,7 @@ func (h *StreamableHTTPHandler) ServeHTTP(w http.ResponseWriter, req *http.Reque
 	}
 
 	// Validate 'Content-Type' header.
-	if req.Method == http.MethodPost && baseMediaType(req.Header.Get("Content-Type")) != "application/json" {
+	if disablecontenttypecheck != "1" && req.Method == http.MethodPost && baseMediaType(req.Header.Get("Content-Type")) != "application/json" {
 		http.Error(w, "Content-Type must be 'application/json'", http.StatusUnsupportedMediaType)
 		return
 	}

Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ func (h SSEHandler) ServeHTTP(w http.ResponseWriter, req http.Request) {`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`// Validate 'Content-Type' header.`
`205`		`- if req.Method == http.MethodPost {`
	`205`	`+ if disablecontenttypecheck != "1" && req.Method == http.MethodPost {`
`206`	`206`	`mediaType, _, err := mime.ParseMediaType(req.Header.Get("Content-Type"))`
`207`	`207`	`if err != nil \|\| mediaType != "application/json" {`
`208`	`208`	`http.Error(w, "Content-Type must be 'application/json'", http.StatusUnsupportedMediaType)`