missing origin header in requests

[symdeb]

Describe the bug
no origin header in request

To Reproduce
Send connect request using inspector

Expected behavior
an origin header in the request

Logs

Request Received at 2025-06-30T04:53:43+00:00

method:POST
headers:
host:localhost
connection:keep-alive
accept:application/json, text/event-stream
authorization:Bearer 123456
content-type:application/json
accept-language:*
sec-fetch-mode:cors
user-agent:node
accept-encoding:gzip, deflate
content-length:205
URL: /api/mcp/mcp
Query:
Query Parameters:
contents:

Additional context
MCP spec: Servers MUST validate the Origin header on all incoming connections to prevent DNS rebinding attacks
Linux Apache PHP server

[jexp]

I have something similar when trying to run MCP inspector on codespaces.

There you need to foward both ports (proxy and webapp).

MCP_PROXY_FULL_ADDRESS=https://legendary-tribble-jj5xgvp6vf97p-8000.app.gith
ub.dev/ DANGEROUSLY_OMIT_AUTH=true CLIENT_PORT=8080 SERVER_PORT=8000 npx @modelcontextprotocol/inspector uv run --directory /workspaces/adk-mcp-test/letter-counter-mcp server.py

• 8000 is the proxy address
• 8080 is the webapp
• both are forwarded by codespaces

But it still fails with an CORS preflight issue (see screenshot)

[kbumsik]

Guys I found the solution. Use ALLOWED_ORIGINS env: https://github.com/modelcontextprotocol/inspector?tab=readme-ov-file#dns-rebinding-protection