examples: restrict demo CORS to loopback

Theodor N. Engøy · Theodor N. Engøy · commit 5c9187624e35 · 2026-02-08T11:10:19.000+01:00
diff --git a/examples/server/src/elicitationUrlExample.ts b/examples/server/src/elicitationUrlExample.ts
@@ -221,12 +221,32 @@ const AUTH_PORT = process.env.MCP_AUTH_PORT ? Number.parseInt(process.env.MCP_AU
 
 const app = createMcpExpressApp({ host: MCP_HOST });
 
-// Allow CORS all domains, expose the Mcp-Session-Id header
+const DEFAULT_CORS_ORIGIN_REGEX = /^https?:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/;
+
+let corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+if (process.env.MCP_CORS_ORIGIN_REGEX) {
+    try {
+        corsOriginRegex = new RegExp(process.env.MCP_CORS_ORIGIN_REGEX);
+    } catch (error) {
+        const msg =
+            error && typeof error === 'object' && 'message' in error ? String((error as { message: unknown }).message) : String(error);
+        console.warn(`Invalid MCP_CORS_ORIGIN_REGEX (${process.env.MCP_CORS_ORIGIN_REGEX}): ${msg}`);
+        corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+    }
+}
+
+// CORS: allow only loopback origins by default (typical for local dev / Inspector direct connect).
+// If you intentionally expose this demo remotely, set MCP_CORS_ORIGIN_REGEX explicitly.
+// Also expose the Mcp-Session-Id header.
 app.use(
     cors({
-        origin: '*', // Allow all origins
+        origin: (origin, cb) => {
+            // Allow non-browser clients (no Origin header).
+            if (!origin) return cb(null, true);
+            return cb(null, corsOriginRegex.test(origin));
+        },
         exposedHeaders: ['Mcp-Session-Id'],
-        credentials: true // Allow cookies to be sent cross-origin
+        credentials: true
     })
 );
 
diff --git a/examples/server/src/honoWebStandardStreamableHttp.ts b/examples/server/src/honoWebStandardStreamableHttp.ts
@@ -41,11 +41,29 @@ const transport = new WebStandardStreamableHTTPServerTransport();
 // Create the Hono app
 const app = new Hono();
 
-// Enable CORS for all origins
+const DEFAULT_CORS_ORIGIN_REGEX = /^https?:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/;
+
+let corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+if (process.env.MCP_CORS_ORIGIN_REGEX) {
+    try {
+        corsOriginRegex = new RegExp(process.env.MCP_CORS_ORIGIN_REGEX);
+    } catch (error) {
+        const msg =
+            error && typeof error === 'object' && 'message' in error ? String((error as { message: unknown }).message) : String(error);
+        console.warn(`Invalid MCP_CORS_ORIGIN_REGEX (${process.env.MCP_CORS_ORIGIN_REGEX}): ${msg}`);
+        corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+    }
+}
+
+// CORS: allow only loopback origins by default (typical for local dev / Inspector direct connect).
+// If you intentionally expose this demo remotely, set MCP_CORS_ORIGIN_REGEX explicitly.
 app.use(
     '*',
     cors({
-        origin: '*',
+        origin: (origin, _c) => {
+            if (!origin) return null;
+            return corsOriginRegex.test(origin) ? origin : null;
+        },
         allowMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
         allowHeaders: ['Content-Type', 'mcp-session-id', 'Last-Event-ID', 'mcp-protocol-version'],
         exposeHeaders: ['mcp-session-id', 'mcp-protocol-version']
diff --git a/examples/server/src/simpleStreamableHttp.ts b/examples/server/src/simpleStreamableHttp.ts
@@ -503,13 +503,31 @@ const AUTH_PORT = process.env.MCP_AUTH_PORT ? Number.parseInt(process.env.MCP_AU
 
 const app = createMcpExpressApp({ host: MCP_HOST });
 
-// Enable CORS for browser-based clients (demo only)
-// This allows cross-origin requests and exposes WWW-Authenticate header for OAuth
-// WARNING: This configuration is for demo purposes only. In production, you should restrict this to specific origins and configure CORS yourself.
+const DEFAULT_CORS_ORIGIN_REGEX = /^https?:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/;
+
+let corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+if (process.env.MCP_CORS_ORIGIN_REGEX) {
+    try {
+        corsOriginRegex = new RegExp(process.env.MCP_CORS_ORIGIN_REGEX);
+    } catch (error) {
+        const msg =
+            error && typeof error === 'object' && 'message' in error ? String((error as { message: unknown }).message) : String(error);
+        console.warn(`Invalid MCP_CORS_ORIGIN_REGEX (${process.env.MCP_CORS_ORIGIN_REGEX}): ${msg}`);
+        corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+    }
+}
+
+// CORS: allow only loopback origins by default (typical for local dev / Inspector direct connect).
+// If you intentionally expose this demo remotely, set MCP_CORS_ORIGIN_REGEX explicitly.
+// This also exposes WWW-Authenticate for OAuth flows.
 app.use(
     cors({
         exposedHeaders: ['WWW-Authenticate', 'Mcp-Session-Id', 'Last-Event-Id', 'Mcp-Protocol-Version'],
-        origin: '*' // WARNING: This allows all origins to access the MCP server. In production, you should restrict this to specific origins.
+        origin: (origin, cb) => {
+            // Allow non-browser clients (no Origin header).
+            if (!origin) return cb(null, true);
+            return cb(null, corsOriginRegex.test(origin));
+        }
     })
 );
 
diff --git a/examples/shared/src/authServer.ts b/examples/shared/src/authServer.ts
@@ -38,6 +38,30 @@ export interface SetupAuthServerOptions {
 let globalAuth: DemoAuth | null = null;
 let demoUserCreated = false;
 
+const DEFAULT_CORS_ORIGIN_REGEX = /^https?:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(?::\d+)?$/;
+
+function buildCorsMiddleware(): ReturnType<typeof cors> {
+    let corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+    if (process.env.MCP_CORS_ORIGIN_REGEX) {
+        try {
+            corsOriginRegex = new RegExp(process.env.MCP_CORS_ORIGIN_REGEX);
+        } catch (error) {
+            const msg =
+                error && typeof error === 'object' && 'message' in error ? String((error as { message: unknown }).message) : String(error);
+            console.warn(`Invalid MCP_CORS_ORIGIN_REGEX (${process.env.MCP_CORS_ORIGIN_REGEX}): ${msg}`);
+            corsOriginRegex = DEFAULT_CORS_ORIGIN_REGEX;
+        }
+    }
+
+    return cors({
+        origin: (origin, cb) => {
+            // Allow non-browser clients (no Origin header).
+            if (!origin) return cb(null, true);
+            return cb(null, corsOriginRegex.test(origin));
+        }
+    });
+}
+
 /**
  * Gets the global auth instance (must call setupAuthServer first)
  */
@@ -102,13 +126,11 @@ export function setupAuthServer(options: SetupAuthServerOptions): void {
     // Create Express app for auth server
     const authApp = express();
 
-    // Enable CORS for all origins (demo only) - must be before other middleware
-    // WARNING: This configuration is for demo purposes only. In production, you should restrict this to specific origins and configure CORS yourself.
-    authApp.use(
-        cors({
-            origin: '*' // WARNING: This allows all origins to access the auth server. In production, you should restrict this to specific origins.
-        })
-    );
+    // CORS: allow only loopback origins by default (typical for local dev / Inspector direct connect).
+    // If you intentionally expose this demo remotely, set MCP_CORS_ORIGIN_REGEX explicitly.
+    // Must be before other middleware.
+    const corsMw = buildCorsMiddleware();
+    authApp.use(corsMw);
 
     // Create better-auth handler
     // toNodeHandler bypasses Express methods
@@ -163,8 +185,8 @@ export function setupAuthServer(options: SetupAuthServerOptions): void {
 
     // OAuth metadata endpoints using better-auth's built-in handlers
     // Add explicit OPTIONS handler for CORS preflight
-    authApp.options('/.well-known/oauth-authorization-server', cors());
-    authApp.get('/.well-known/oauth-authorization-server', cors(), toNodeHandler(oAuthDiscoveryMetadata(auth)));
+    authApp.options('/.well-known/oauth-authorization-server', corsMw);
+    authApp.get('/.well-known/oauth-authorization-server', corsMw, toNodeHandler(oAuthDiscoveryMetadata(auth)));
 
     // Body parsers for non-better-auth routes (like /sign-in)
     const maxBodyBytes = 100 * 1024; // Make the default explicit to avoid accidental large-body DoS.
@@ -273,14 +295,15 @@ export function setupAuthServer(options: SetupAuthServerOptions): void {
 export function createProtectedResourceMetadataRouter(resourcePath = '/mcp'): Router {
     const auth = getAuth();
     const router = express.Router();
+    const corsMw = buildCorsMiddleware();
 
     // Construct the metadata path per RFC 9728 Section 3
     const metadataPath = `/.well-known/oauth-protected-resource${resourcePath}`;
 
     // Enable CORS for browser-based clients to discover the auth server
     // Add explicit OPTIONS handler for CORS preflight
-    router.options(metadataPath, cors());
-    router.get(metadataPath, cors(), toNodeHandler(oAuthProtectedResourceMetadata(auth)));
+    router.options(metadataPath, corsMw);
+    router.get(metadataPath, corsMw, toNodeHandler(oAuthProtectedResourceMetadata(auth)));
 
     return router;
 }
