Add Origin header validation middleware

ToolHive's proxy layer had no Origin-header validation, and the legacy
HTTP+SSE transport sent `Access-Control-Allow-Origin: *`, leaving both
modes open to DNS-rebinding attacks from browser clients. MCP 2025-11-25
§"Security Warning" requires servers to validate Origin on all
connections and respond 403 when the value is invalid.

This change introduces a dedicated middleware at
pkg/transport/middleware/origin/ that rejects requests whose Origin
header is present and not in an operator-configured allowlist. It is
wired centrally in runner.Run for both the factory-based chain
(thv run / thv-proxyrunner) and inline in the `thv proxy` chain.

Wiring is done in runner.Run rather than in the builder because that is
the only point where the effective Host/Port/AllowedOrigins are fully
resolved: the CLI builder (WithMiddlewareFromFlags) defers port
resolution to validateConfig, so an earlier hook would see port 0 and
silently disable loopback-default protection for `thv run`. The
middleware is prepended so Origin validation runs first in the chain.

Behavior:
- New --allowed-origins flag on `thv run` and `thv proxy` accepts a
  repeatable exact-match list. When empty and the bind host is
  loopback, a default loopback-only allowlist is derived automatically
  (http://localhost:PORT + 127.0.0.1 + [::1]). When empty and the
  bind is non-loopback, the middleware is skipped and a warning is
  logged — the bind-opt-in hardening lands in a follow-up.
- Matching parses each value with net/url and compares scheme://host
  [:port] with scheme and host lowercased per RFC 6454 §4. Values
  carrying userinfo (RFC 6454 §6) or that fail to parse never match,
  closing an Origin-smuggling vector. Requests with multiple Origin
  headers are rejected outright.
- 403 responses carry a JSON-RPC error body (id: null, code -32600,
  message "Origin not allowed").
- `Access-Control-Allow-Origin: *` removed from the httpsse SSE
  handler; the wildcard would have neutered any Origin enforcement
  via preflight response inheritance.

Operator CRDs (MCPServer/MCPRemoteProxy/VirtualMCPServer) do not yet
expose an allowedOrigins field, and vMCP composes its own middleware
chain that does not reference this package. Both are deferred to
follow-ups; until then operator/vMCP non-loopback deployments log the
WARN above rather than enforcing.

Closes audit row 5 (Origin validation absent).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

Author: JAORMX

cmd/thv/app/proxy.go

@@ -24,6 +24,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 	"github.com/stacklok/toolhive/pkg/transport"
 	"github.com/stacklok/toolhive/pkg/transport/middleware"
+	"github.com/stacklok/toolhive/pkg/transport/middleware/origin"
 	"github.com/stacklok/toolhive/pkg/transport/proxy/transparent"
 	"github.com/stacklok/toolhive/pkg/transport/types"
 )
@@ -110,9 +111,10 @@ Dynamic client registration (automatic OAuth client setup):
 }
 
 var (
-	proxyHost      string
-	proxyPort      int
-	proxyTargetURI string
+	proxyHost           string
+	proxyPort           int
+	proxyTargetURI      string
+	proxyAllowedOrigins []string
 
 	resourceURL string // Explicit resource URL for OAuth discovery endpoint (RFC 9728)
 
@@ -133,6 +135,10 @@ const (
 func init() {
 	proxyCmd.Flags().StringVar(&proxyHost, "host", transport.LocalhostIPv4, "Host for the HTTP proxy to listen on (IP or hostname)")
 	proxyCmd.Flags().IntVar(&proxyPort, "port", 0, "Port for the HTTP proxy to listen on (host port)")
+	proxyCmd.Flags().StringArrayVar(&proxyAllowedOrigins, "allowed-origins", nil,
+		"Exact-match allowlist for the HTTP Origin header (repeatable). Recommended when binding publicly; "+
+			"loopback binds derive a default allowlist automatically, non-loopback binds log a warning when "+
+			"no value is supplied. Example: https://my-mcp.example.com")
 	proxyCmd.Flags().StringVar(
 		&proxyTargetURI,
 		"target-uri",
@@ -226,6 +232,22 @@ func proxyCmdFunc(cmd *cobra.Command, args []string) error {
 	// Create middlewares slice for incoming request authentication
 	var middlewares []types.NamedMiddleware
 
+	// Origin-header validation (DNS-rebinding protection per MCP 2025-11-25
+	// §"Security Warning"). Added first so disallowed Origins are rejected
+	// before authentication or any outbound token acquisition runs.
+	if allowed := origin.ResolveAllowedOrigins(proxyHost, port, proxyAllowedOrigins); len(allowed) > 0 {
+		middlewares = append(middlewares, types.NamedMiddleware{
+			Name:     origin.MiddlewareType,
+			Function: origin.NewHandler(allowed),
+		})
+	} else {
+		slog.Warn("Origin validation disabled — no allowlist configured for non-loopback bind",
+			"host", proxyHost,
+			"port", port,
+			"hint", "pass --allowed-origins=https://your-client.example to enable DNS-rebind protection",
+		)
+	}
+
 	// Get OIDC configuration if enabled (for protecting the proxy endpoint)
 	oidcConfig := getProxyOIDCConfig(cmd)
 

cmd/thv/app/run_flags.go

@@ -141,6 +141,12 @@ type RunFlags struct {
 	RemoteForwardHeaders       []string
 	RemoteForwardHeadersSecret []string
 
+	// AllowedOrigins is the HTTP Origin-header allowlist for DNS-rebinding protection
+	// (MCP 2025-11-25 §"Security Warning"). Empty with a loopback host auto-derives
+	// loopback-only defaults; empty with a non-loopback host disables the check
+	// (operator must supply explicit origins for public bind).
+	AllowedOrigins []string
+
 	// Runtime configuration
 	RuntimeImage       string
 	RuntimeAddPackages []string
@@ -160,6 +166,10 @@ func AddRunFlags(cmd *cobra.Command, config *RunFlags) {
 	cmd.Flags().StringVar(&config.Name, "name", "", "Name of the MCP server (default to auto-generated from image)")
 	cmd.Flags().StringVar(&config.Group, "group", "default", "Name of the group this workload should belong to")
 	cmd.Flags().StringVar(&config.Host, "host", transport.LocalhostIPv4, "Host for the HTTP proxy to listen on (IP or hostname)")
+	cmd.Flags().StringArrayVar(&config.AllowedOrigins, "allowed-origins", nil,
+		"Exact-match allowlist for the HTTP Origin header (repeatable). Recommended when binding publicly; "+
+			"loopback binds derive a default allowlist automatically, non-loopback binds log a warning when "+
+			"no value is supplied. Example: https://my-mcp.example.com")
 	cmd.Flags().IntVar(&config.ProxyPort, "proxy-port", 0, "Port for the HTTP proxy to listen on (host port)")
 	cmd.Flags().IntVar(&config.TargetPort, "target-port", 0,
 		"Port for the container to expose (only applicable to SSE or Streamable HTTP transport)")
@@ -685,6 +695,7 @@ func buildRunnerConfig(
 			PrintOverlays: runFlags.PrintOverlays,
 		}),
 		runner.WithPublish(runFlags.Publish),
+		runner.WithAllowedOrigins(runFlags.AllowedOrigins),
 	}
 	opts = append(opts, extraOpts...)
 

docs/cli/thv_proxy.md

@@ -103,6 +103,14 @@ type RunConfig struct {
 	// TargetHost is the host to forward traffic to (only applicable to SSE transport)
 	TargetHost string `json:"target_host,omitempty" yaml:"target_host,omitempty"`
 
+	// AllowedOrigins is the allowlist of values accepted on the HTTP Origin header,
+	// used for DNS-rebinding protection per MCP 2025-11-25 §"Security Warning".
+	// When empty and Host is loopback (127.0.0.1 / localhost / [::1]), a default
+	// loopback-only allowlist is derived at middleware-wiring time.
+	// When empty and Host is non-loopback, the middleware is disabled — operators
+	// exposing the proxy publicly must configure an explicit allowlist.
+	AllowedOrigins []string `json:"allowed_origins,omitempty" yaml:"allowed_origins,omitempty"`
+
 	// Publish lists ports to publish to the host in format "hostPort:containerPort"
 	Publish []string `json:"publish,omitempty" yaml:"publish,omitempty"`
 

docs/cli/thv_run.md

@@ -331,6 +331,18 @@ func WithAllowDockerGateway(allow bool) RunConfigBuilderOption {
 	}
 }
 
+// WithAllowedOrigins sets the HTTP Origin-header allowlist used for
+// DNS-rebinding protection (MCP 2025-11-25 §"Security Warning").
+// An empty slice defers the choice to middleware wiring, which derives a
+// loopback-only default when the bind host is loopback and otherwise leaves
+// the middleware disabled.
+func WithAllowedOrigins(origins []string) RunConfigBuilderOption {
+	return func(b *runConfigBuilder) error {
+		b.config.AllowedOrigins = origins
+		return nil
+	}
+}
+
 // WithTrustProxyHeaders sets whether to trust X-Forwarded-* headers from reverse proxies
 func WithTrustProxyHeaders(trust bool) RunConfigBuilderOption {
 	return func(b *runConfigBuilder) error {

docs/server/docs.go

@@ -5,6 +5,7 @@ package runner
 
 import (
 	"fmt"
+	"log/slog"
 
 	"github.com/stacklok/toolhive/pkg/audit"
 	"github.com/stacklok/toolhive/pkg/auth"
@@ -21,6 +22,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/recovery"
 	"github.com/stacklok/toolhive/pkg/telemetry"
 	headerfwd "github.com/stacklok/toolhive/pkg/transport/middleware"
+	"github.com/stacklok/toolhive/pkg/transport/middleware/origin"
 	"github.com/stacklok/toolhive/pkg/transport/types"
 	"github.com/stacklok/toolhive/pkg/usagemetrics"
 	"github.com/stacklok/toolhive/pkg/webhook/mutating"
@@ -45,6 +47,7 @@ func GetSupportedMiddlewareFactories() map[string]types.MiddlewareFactory {
 		audit.MiddlewareType:                  audit.CreateMiddleware,
 		recovery.MiddlewareType:               recovery.CreateMiddleware,
 		headerfwd.HeaderForwardMiddlewareName: headerfwd.CreateMiddleware,
+		origin.MiddlewareType:                 origin.CreateMiddleware,
 		validating.MiddlewareType:             validating.CreateMiddleware,
 		mutating.MiddlewareType:               mutating.CreateMiddleware,
 	}
@@ -57,22 +60,28 @@ func GetSupportedMiddlewareFactories() map[string]types.MiddlewareFactory {
 func PopulateMiddlewareConfigs(config *RunConfig) error {
 	var middlewareConfigs []types.MiddlewareConfig
 	// TODO: Consider extracting other middleware setup into helper functions like addUsageMetricsMiddleware
+	//
+	// NOTE: Origin-validation middleware is intentionally NOT added here. It is
+	// wired centrally in runner.Run (via prependOriginMiddleware) for both the
+	// operator/proxyrunner path (this function) and the CLI path
+	// (WithMiddlewareFromFlags), because that is the only place where the
+	// effective Host/Port/AllowedOrigins are fully resolved.
 
 	// Authentication middleware (always present)
 	authParams := auth.MiddlewareParams{
 		OIDCConfig: config.OIDCConfig,
 	}
-	authConfig, err := types.NewMiddlewareConfig(auth.MiddlewareType, authParams)
-	if err != nil {
-		return fmt.Errorf("failed to create auth middleware config: %w", err)
+	authConfig, authErr := types.NewMiddlewareConfig(auth.MiddlewareType, authParams)
+	if authErr != nil {
+		return fmt.Errorf("failed to create auth middleware config: %w", authErr)
 	}
 	middlewareConfigs = append(middlewareConfigs, *authConfig)
 
 	// Upstream swap middleware (if embedded auth server is configured)
 	// This exchanges ToolHive JWTs for upstream IdP tokens when embedded auth server is used.
 	// IMPORTANT: Must run BEFORE token exchange middleware so it can read the `tsid` claim
 	// from the original ToolHive JWT before any token modification occurs.
-	middlewareConfigs, err = addUpstreamSwapMiddleware(middlewareConfigs, config)
+	middlewareConfigs, err := addUpstreamSwapMiddleware(middlewareConfigs, config)
 	if err != nil {
 		return err
 	}
@@ -421,6 +430,45 @@ func addAWSStsMiddleware(middlewares []types.MiddlewareConfig, config *RunConfig
 	return append(middlewares, *awsStsMwConfig), nil
 }
 
+// prependOriginMiddleware prepends Origin-header validation middleware for
+// DNS-rebind protection per MCP 2025-11-25 §"Security Warning". It is placed at
+// the front of the chain so disallowed Origin values are rejected before
+// authentication or any business logic runs. Default-derivation logic lives in
+// origin.ResolveAllowedOrigins so the standalone `thv proxy` command and the
+// runner path agree on behavior.
+//
+// This is called from runner.Run after both middleware-population paths
+// (PopulateMiddlewareConfigs and WithMiddlewareFromFlags) have run, because
+// that is the only point where the effective Host/Port/AllowedOrigins are
+// fully resolved — the CLI builder defers port resolution to validateConfig.
+//
+// When the effective allowlist is empty — which happens when the operator
+// binds to a non-loopback host without supplying --allowed-origins — the
+// middleware is skipped entirely and a WARN is logged so the security-disabled
+// state is visible in operator logs. A follow-up PR hardens the non-loopback
+// path by requiring an explicit opt-in flag (see audit row 22).
+func prependOriginMiddleware(middlewares []types.MiddlewareConfig, config *RunConfig) ([]types.MiddlewareConfig, error) {
+	allowed := origin.ResolveAllowedOrigins(config.Host, config.Port, config.AllowedOrigins)
+	if len(allowed) == 0 {
+		slog.Warn("Origin validation disabled — no allowlist configured for non-loopback bind",
+			"host", config.Host,
+			"port", config.Port,
+			"hint", "pass --allowed-origins=https://your-client.example to enable DNS-rebind protection",
+		)
+		return middlewares, nil
+	}
+
+	params := origin.MiddlewareParams{AllowedOrigins: allowed}
+	mwCfg, err := types.NewMiddlewareConfig(origin.MiddlewareType, params)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create origin middleware config: %w", err)
+	}
+	// Prepend so Origin validation is the outermost wrapper (runs first at
+	// request time). Build a new slice to avoid mutating the caller's backing
+	// array.
+	return append([]types.MiddlewareConfig{*mwCfg}, middlewares...), nil
+}
+
 // addRateLimitMiddleware adds rate limit middleware if configured.
 func addRateLimitMiddleware(middlewares []types.MiddlewareConfig, config *RunConfig) ([]types.MiddlewareConfig, error) {
 	if config.RateLimitConfig == nil {