fix: reject non-JSON Content-Type with 415 and validate protocol version on initialize

HttpServletStreamableServerTransportProvider and
HttpServletStatelessServerTransport accepted POST requests regardless
of Content-Type, processing text/plain and form-encoded bodies as if
they were application/json.

Add an early Content-Type guard in doPost() on both transports that
returns HTTP 415 Unsupported Media Type when Content-Type is absent
or does not start with application/json.

Also validate on initialize requests that the MCP-Protocol-Version
HTTP header, when present, is consistent with the protocolVersion
field in the JSON-RPC body. A mismatch returns HTTP 400 with a
JSON-RPC INVALID_REQUEST error.

Fixes #961
Fixes #963

Signed-off-by: Gorre Surya <suryateja.g13@gmail.com>

Author: suryateja-g13

mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStatelessServerTransport.java

@@ -142,6 +142,12 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			return;
 		}
 
+		String contentType = request.getContentType();
+		if (contentType == null || !contentType.startsWith(APPLICATION_JSON)) {
+			response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, "Content-Type must be application/json");
+			return;
+		}
+
 		McpTransportContext transportContext = this.contextExtractor.extract(request);
 
 		String accept = request.getHeader(ACCEPT);

mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java

@@ -415,6 +415,12 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 			return;
 		}
 
+		String contentType = request.getContentType();
+		if (contentType == null || !contentType.startsWith(APPLICATION_JSON)) {
+			response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, "Content-Type must be application/json");
+			return;
+		}
+
 		List<String> badRequestErrors = new ArrayList<>();
 
 		String accept = request.getHeader(ACCEPT);
@@ -450,6 +456,17 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 				McpSchema.InitializeRequest initializeRequest = jsonMapper.convertValue(jsonrpcRequest.params(),
 						new TypeRef<McpSchema.InitializeRequest>() {
 						});
+
+				String headerVersion = request.getHeader(HttpHeaders.PROTOCOL_VERSION);
+				if (headerVersion != null && !headerVersion.equals(initializeRequest.protocolVersion())) {
+					this.responseError(response, HttpServletResponse.SC_BAD_REQUEST, McpError
+						.builder(McpSchema.ErrorCodes.INVALID_REQUEST)
+						.message("MCP-Protocol-Version header '" + headerVersion
+								+ "' does not match body protocolVersion '" + initializeRequest.protocolVersion() + "'")
+						.build());
+					return;
+				}
+
 				McpStreamableServerSession.McpStreamableServerSessionInit init = this.sessionFactory
 					.startSession(initializeRequest);
 				this.sessions.put(init.session().getId(), init.session());