
fix(http): enable DNS-rebinding protection by default #153

Open

SVilgelm wants to merge 1 commit into rust-mcp-stack:main from SVilgelm:fix/dns-rebinding-default

Conversation

@SVilgelm (Contributor)

📌 Summary

DNS-rebinding protection defaulted to false, leaving local servers exposed to browser-based DNS-rebinding attacks unless explicitly enabled. The MCP spec strongly recommends Origin/Host validation, so it is now on by default with an explicit opt-out, and the server logs a startup warning when protection is enabled but no allowed_hosts/allowed_origins are configured.

🔍 Related Issues

✨ Changes Made

  • Default HyperServerOptions::dns_rebinding_protection to true.
  • Warn at startup when protection is on but neither allowed list is configured.
  • Update the field documentation.

Default dns_rebinding_protection to true and warn at startup when neither allowed_hosts nor allowed_origins is configured. Set it to false to opt out.

Assisted-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Sergey Vilgelm <sergey@vilgelm.com>
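As an added illustration of the behaviour this PR describes (not the rust-mcp-stack crate's own code: the struct, method names and the empty-list semantics are assumptions for this example), a minimal Host/Origin check together with the startup misconfiguration warning:

```rust
/// Hypothetical options struct for this example, mirroring the three fields the
/// PR discusses; it is not the crate's real HyperServerOptions.
pub struct RebindingOptions {
    pub dns_rebinding_protection: bool,
    pub allowed_hosts: Vec<String>,
    pub allowed_origins: Vec<String>,
}
impl RebindingOptions {
    /// The PR's new default: protection on, but no allowed lists configured.
    pub fn secure_default() -> Self {
        Self { dns_rebinding_protection: true, allowed_hosts: vec![], allowed_origins: vec![] }
    }
    /// The startup check the PR adds: protection is on but has nothing to check against.
    pub fn startup_warning(&self) -> Option<&'static str> {
        if self.dns_rebinding_protection
            && self.allowed_hosts.is_empty()
            && self.allowed_origins.is_empty()
        {
            Some("dns_rebinding_protection is enabled but neither allowed_hosts nor allowed_origins is configured")
        } else {
            None
        }
    }
    /// Per-request Host/Origin validation. Assumption for this example: an empty list
    /// imposes no restriction on that header, which is exactly why the warning matters.
    pub fn request_allowed(&self, host: Option<&str>, origin: Option<&str>) -> bool {
        if !self.dns_rebinding_protection {
            return true; // explicit opt-out
        }
        if !self.allowed_hosts.is_empty() {
            // Host must be present and match (case-insensitive); a rebound request carries the foreign name here.
            match host {
                Some(h) if self.allowed_hosts.iter().any(|a| a.eq_ignore_ascii_case(h)) => {}
                _ => return false,
            }
        }
        if !self.allowed_origins.is_empty() {
            // Browsers send Origin on cross-site requests; if present it must be allowed.
            // Non-browser clients send none, and that is not a rebinding attempt.
            if let Some(o) = origin {
                if !self.allowed_origins.iter().any(|a| a.eq_ignore_ascii_case(o)) {
                    return false;
                }
            }
        }
        true
    }
}
```

With the default options the warning fires and every request passes, which is the gap the warning exists to surface; once allowed_hosts and allowed_origins are set, a request whose Host or Origin names a foreign domain is refused.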