Add Origin header validation middleware

ToolHive's proxy layer had no Origin-header validation, and the legacy
HTTP+SSE transport sent `Access-Control-Allow-Origin: *`, leaving both
modes open to DNS-rebinding attacks from browser clients. MCP 2025-11-25
§"Security Warning" requires servers to validate Origin on all
connections and respond 403 when the value is invalid.

This change introduces a dedicated middleware at
pkg/transport/middleware/origin/ that rejects requests whose Origin
header is present and not in an operator-configured allowlist, and
wires it into both the factory-based chain (thv run / thv-proxyrunner
/ vMCP) and the inline chain (thv proxy).

Behavior:
- New --allowed-origins flag on `thv run` and `thv proxy` accepts a
  repeatable exact-match list. When empty and the bind host is
  loopback, a default loopback-only allowlist is derived automatically
  (http://localhost:PORT + 127.0.0.1 + [::1]). When empty and the
  bind is non-loopback, the middleware is skipped and a warning is
  logged — the bind-opt-in hardening lands in a follow-up.
- Matching is byte-exact except that scheme and host are lowercased
  per RFC 6454 §4. Requests with multiple Origin headers are rejected
  outright.
- 403 responses carry a JSON-RPC error body (id: null, code -32600,
  message "Origin not allowed").
- `Access-Control-Allow-Origin: *` removed from the httpsse SSE
  handler; the wildcard would have neutered any Origin enforcement
  via preflight response inheritance.

Closes audit row 5 (Origin validation absent).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

Author: JAORMX

cmd/thv/app/proxy.go

@@ -24,6 +24,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/networking"
 	"github.com/stacklok/toolhive/pkg/transport"
 	"github.com/stacklok/toolhive/pkg/transport/middleware"
+	"github.com/stacklok/toolhive/pkg/transport/middleware/origin"
 	"github.com/stacklok/toolhive/pkg/transport/proxy/transparent"
 	"github.com/stacklok/toolhive/pkg/transport/types"
 )
@@ -110,9 +111,10 @@ Dynamic client registration (automatic OAuth client setup):
 }
 
 var (
-	proxyHost      string
-	proxyPort      int
-	proxyTargetURI string
+	proxyHost           string
+	proxyPort           int
+	proxyTargetURI      string
+	proxyAllowedOrigins []string
 
 	resourceURL string // Explicit resource URL for OAuth discovery endpoint (RFC 9728)
 
@@ -133,6 +135,10 @@ const (
 func init() {
 	proxyCmd.Flags().StringVar(&proxyHost, "host", transport.LocalhostIPv4, "Host for the HTTP proxy to listen on (IP or hostname)")
 	proxyCmd.Flags().IntVar(&proxyPort, "port", 0, "Port for the HTTP proxy to listen on (host port)")
+	proxyCmd.Flags().StringArrayVar(&proxyAllowedOrigins, "allowed-origins", nil,
+		"Exact-match allowlist for the HTTP Origin header (repeatable). Recommended when binding publicly; "+
+			"loopback binds derive a default allowlist automatically, non-loopback binds log a warning when "+
+			"no value is supplied. Example: https://my-mcp.example.com")
 	proxyCmd.Flags().StringVar(
 		&proxyTargetURI,
 		"target-uri",
@@ -226,6 +232,22 @@ func proxyCmdFunc(cmd *cobra.Command, args []string) error {
 	// Create middlewares slice for incoming request authentication
 	var middlewares []types.NamedMiddleware
 
+	// Origin-header validation (DNS-rebinding protection per MCP 2025-11-25
+	// §"Security Warning"). Added first so disallowed Origins are rejected
+	// before authentication or any outbound token acquisition runs.
+	if allowed := origin.ResolveAllowedOrigins(proxyHost, port, proxyAllowedOrigins); len(allowed) > 0 {
+		middlewares = append(middlewares, types.NamedMiddleware{
+			Name:     origin.MiddlewareType,
+			Function: origin.CreateOriginMiddleware(allowed),
+		})
+	} else {
+		slog.Warn("Origin validation disabled — no allowlist configured for non-loopback bind",
+			"host", proxyHost,
+			"port", port,
+			"hint", "pass --allowed-origins=https://your-client.example to enable DNS-rebind protection",
+		)
+	}
+
 	// Get OIDC configuration if enabled (for protecting the proxy endpoint)
 	oidcConfig := getProxyOIDCConfig(cmd)
 

cmd/thv/app/run_flags.go

@@ -137,6 +137,12 @@ type RunFlags struct {
 	RemoteForwardHeaders       []string
 	RemoteForwardHeadersSecret []string
 
+	// AllowedOrigins is the HTTP Origin-header allowlist for DNS-rebinding protection
+	// (MCP 2025-11-25 §"Security Warning"). Empty with a loopback host auto-derives
+	// loopback-only defaults; empty with a non-loopback host disables the check
+	// (operator must supply explicit origins for public bind).
+	AllowedOrigins []string
+
 	// Runtime configuration
 	RuntimeImage       string
 	RuntimeAddPackages []string
@@ -156,6 +162,10 @@ func AddRunFlags(cmd *cobra.Command, config *RunFlags) {
 	cmd.Flags().StringVar(&config.Name, "name", "", "Name of the MCP server (default to auto-generated from image)")
 	cmd.Flags().StringVar(&config.Group, "group", "default", "Name of the group this workload should belong to")
 	cmd.Flags().StringVar(&config.Host, "host", transport.LocalhostIPv4, "Host for the HTTP proxy to listen on (IP or hostname)")
+	cmd.Flags().StringArrayVar(&config.AllowedOrigins, "allowed-origins", nil,
+		"Exact-match allowlist for the HTTP Origin header (repeatable). Recommended when binding publicly; "+
+			"loopback binds derive a default allowlist automatically, non-loopback binds log a warning when "+
+			"no value is supplied. Example: https://my-mcp.example.com")
 	cmd.Flags().IntVar(&config.ProxyPort, "proxy-port", 0, "Port for the HTTP proxy to listen on (host port)")
 	cmd.Flags().IntVar(&config.TargetPort, "target-port", 0,
 		"Port for the container to expose (only applicable to SSE or Streamable HTTP transport)")
@@ -678,6 +688,7 @@ func buildRunnerConfig(
 			PrintOverlays: runFlags.PrintOverlays,
 		}),
 		runner.WithPublish(runFlags.Publish),
+		runner.WithAllowedOrigins(runFlags.AllowedOrigins),
 	}
 	opts = append(opts, extraOpts...)
 

docs/cli/thv_proxy.md

@@ -97,6 +97,14 @@ type RunConfig struct {
 	// TargetHost is the host to forward traffic to (only applicable to SSE transport)
 	TargetHost string `json:"target_host,omitempty" yaml:"target_host,omitempty"`
 
+	// AllowedOrigins is the allowlist of values accepted on the HTTP Origin header,
+	// used for DNS-rebinding protection per MCP 2025-11-25 §"Security Warning".
+	// When empty and Host is loopback (127.0.0.1 / localhost / [::1]), a default
+	// loopback-only allowlist is derived at middleware-wiring time.
+	// When empty and Host is non-loopback, the middleware is disabled — operators
+	// exposing the proxy publicly must configure an explicit allowlist.
+	AllowedOrigins []string `json:"allowed_origins,omitempty" yaml:"allowed_origins,omitempty"`
+
 	// Publish lists ports to publish to the host in format "hostPort:containerPort"
 	Publish []string `json:"publish,omitempty" yaml:"publish,omitempty"`
 

docs/cli/thv_run.md

@@ -330,6 +330,18 @@ func WithAllowDockerGateway(allow bool) RunConfigBuilderOption {
 	}
 }
 
+// WithAllowedOrigins sets the HTTP Origin-header allowlist used for
+// DNS-rebinding protection (MCP 2025-11-25 §"Security Warning").
+// An empty slice defers the choice to middleware wiring, which derives a
+// loopback-only default when the bind host is loopback and otherwise leaves
+// the middleware disabled.
+func WithAllowedOrigins(origins []string) RunConfigBuilderOption {
+	return func(b *runConfigBuilder) error {
+		b.config.AllowedOrigins = origins
+		return nil
+	}
+}
+
 // WithTrustProxyHeaders sets whether to trust X-Forwarded-* headers from reverse proxies
 func WithTrustProxyHeaders(trust bool) RunConfigBuilderOption {
 	return func(b *runConfigBuilder) error {

docs/server/docs.go

@@ -5,6 +5,7 @@ package runner
 
 import (
 	"fmt"
+	"log/slog"
 
 	"github.com/stacklok/toolhive/pkg/audit"
 	"github.com/stacklok/toolhive/pkg/auth"
@@ -20,6 +21,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/recovery"
 	"github.com/stacklok/toolhive/pkg/telemetry"
 	headerfwd "github.com/stacklok/toolhive/pkg/transport/middleware"
+	"github.com/stacklok/toolhive/pkg/transport/middleware/origin"
 	"github.com/stacklok/toolhive/pkg/transport/types"
 	"github.com/stacklok/toolhive/pkg/usagemetrics"
 	"github.com/stacklok/toolhive/pkg/webhook/mutating"
@@ -43,6 +45,7 @@ func GetSupportedMiddlewareFactories() map[string]types.MiddlewareFactory {
 		audit.MiddlewareType:                  audit.CreateMiddleware,
 		recovery.MiddlewareType:               recovery.CreateMiddleware,
 		headerfwd.HeaderForwardMiddlewareName: headerfwd.CreateMiddleware,
+		origin.MiddlewareType:                 origin.CreateMiddleware,
 		validating.MiddlewareType:             validating.CreateMiddleware,
 		mutating.MiddlewareType:               mutating.CreateMiddleware,
 	}
@@ -56,13 +59,21 @@ func PopulateMiddlewareConfigs(config *RunConfig) error {
 	var middlewareConfigs []types.MiddlewareConfig
 	// TODO: Consider extracting other middleware setup into helper functions like addUsageMetricsMiddleware
 
+	// Origin-validation middleware (DNS-rebinding protection per MCP 2025-11-25).
+	// Positioned first in the slice so it runs earliest in the chain — disallowed
+	// Origin values are rejected before any authentication or business logic.
+	middlewareConfigs, err := addOriginMiddleware(middlewareConfigs, config)
+	if err != nil {
+		return err
+	}
+
 	// Authentication middleware (always present)
 	authParams := auth.MiddlewareParams{
 		OIDCConfig: config.OIDCConfig,
 	}
-	authConfig, err := types.NewMiddlewareConfig(auth.MiddlewareType, authParams)
-	if err != nil {
-		return fmt.Errorf("failed to create auth middleware config: %w", err)
+	authConfig, authErr := types.NewMiddlewareConfig(auth.MiddlewareType, authParams)
+	if authErr != nil {
+		return fmt.Errorf("failed to create auth middleware config: %w", authErr)
 	}
 	middlewareConfigs = append(middlewareConfigs, *authConfig)
 
@@ -419,6 +430,35 @@ func addAWSStsMiddleware(middlewares []types.MiddlewareConfig, config *RunConfig
 	return append(middlewares, *awsStsMwConfig), nil
 }
 
+// addOriginMiddleware adds Origin-header validation middleware for DNS-rebind
+// protection per MCP 2025-11-25 §"Security Warning". Default-derivation logic
+// lives in origin.ResolveAllowedOrigins so the standalone `thv proxy` command
+// and the runner path agree on behavior.
+//
+// When the effective allowlist is empty — which happens when the operator
+// binds to a non-loopback host without supplying --allowed-origins — the
+// middleware is skipped entirely and a WARN is logged so the security-disabled
+// state is visible in operator logs. A follow-up PR hardens the non-loopback
+// path by requiring an explicit opt-in flag (see audit row 22).
+func addOriginMiddleware(middlewares []types.MiddlewareConfig, config *RunConfig) ([]types.MiddlewareConfig, error) {
+	allowed := origin.ResolveAllowedOrigins(config.Host, config.Port, config.AllowedOrigins)
+	if len(allowed) == 0 {
+		slog.Warn("Origin validation disabled — no allowlist configured for non-loopback bind",
+			"host", config.Host,
+			"port", config.Port,
+			"hint", "pass --allowed-origins=https://your-client.example to enable DNS-rebind protection",
+		)
+		return middlewares, nil
+	}
+
+	params := origin.MiddlewareParams{AllowedOrigins: allowed}
+	mwCfg, err := types.NewMiddlewareConfig(origin.MiddlewareType, params)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create origin middleware config: %w", err)
+	}
+	return append(middlewares, *mwCfg), nil
+}
+
 // addRateLimitMiddleware adds rate limit middleware if configured.
 func addRateLimitMiddleware(middlewares []types.MiddlewareConfig, config *RunConfig) ([]types.MiddlewareConfig, error) {
 	if config.RateLimitConfig == nil {