fix: enable DNS rebinding protection by default for secure-by-default

Per issue #2269, the current default disables DNS rebinding protection,
which makes MCP servers vulnerable to DNS rebinding attacks on local networks.

This change switches the default to secure-by-default (enable_dns_rebinding_protection=True),
with developers able to explicitly opt-out for backwards compatibility if needed.

Reported by @hhhashexe (SkillFence Security)

Author: Jah-yee

src/mcp/server/transport_security.py

@@ -37,8 +37,8 @@ class TransportSecurityMiddleware:
     """Middleware to enforce DNS rebinding protection for MCP transport endpoints."""
 
     def __init__(self, settings: TransportSecuritySettings | None = None):
-        # If not specified, disable DNS rebinding protection by default for backwards compatibility
-        self.settings = settings or TransportSecuritySettings(enable_dns_rebinding_protection=False)
+        # Secure by default - DNS rebinding protection enabled
+        self.settings = settings or TransportSecuritySettings(enable_dns_rebinding_protection=True)
 
     def _validate_host(self, host: str | None) -> bool:  # pragma: no cover
         """Validate the Host header against allowed values."""